According to ComputerWorld:
An online criminal has offered to sell software that exploits an unpatched bug in Microsoft Corp.’s Windows Vista operating system, according to security vendor Trend Micro Inc.
The code was offered for sale in an underground hacker discussion forum last month, said Raimund Genes, Trend Micro’s chief technology officer. The asking price? $50,000.
Because Vista is not as widely adopted as Microsoft’s XP or Windows Server 2003 operating systems, criminals would have fewer potential victims to attack with the code.
“To be honest [the price for a Vista zero day] should probably be lower,” said Joe Telafici, vice president of Avert operations with McAfee Inc. “There’s nobody to infect with it.”
There have been far fewer vulnerability disclosures in the weeks up to Vista’s commercial release than there were when XP was introduced, Telafici said. That’s partially due to the expansion of the underground marketplace for software bugs, he said. While most hackers were motivated by the fame and glory just a few years ago, they growth of cybercrime has introduced a new breed of more stealthy professionals, security experts say.
Criminals who plan to use Vista vulnerabilities “are going to be holding them close to their chest until they are ready to release them,” Telafici said. “I wouldn’t be amazed if we saw vulnerabilities popping up over the next year that were found now.”