Exploits, difficulty, and zero day market value.

“If it is so easy, why is there is more money in developing zero day exploits for Windows than OSX?”

A common claim made by security researchers and commentators is that Windows exploits are more prevalent because the operating system has a higher installed user base. A claim made by other commentators, usually the sort that lurk at the bottom of comment threads, is that Windows exploits are more common because they are simple to create due to the Windows security model (usually expressed with an expletive and multiple exclamation marks).

We know that there is a thriving underground market for exploits – which lead me to wonder if perhaps the value of an exploit on the black market might provide some sort of measure of the difficulty of creating the exploit and the desirability of the exploit. The supposition being that an undesirable exploit would be cheap and a desirable exploit more valuable.

A few tweets exchanged on this issue with Charlie Miller ( http://twitter.com/0xcharlie ) and Ed Bott ( http://twitter.com/edbott ) lead me to this Forbes article (http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/ ). This article that provides approximate pricing for different types of exploits. It’s worth checking out in its entirety.

Without an insane level of security knowledge about the Windows and OSX operating systems, it’s very difficult to determine which platform is more resistant to the development of exploit code. However, you can take a few guesses if you accept the following assumptions:

  • Assumption 1: If developing exploits for a specific operating system was a straight forward simple affair – that is that it required relatively little skill – the value of those exploits would be low. Why? Because the market would be flooded. A corollary of this is that if the knowledge required developing an exploit for a specific operating system high, the market value of those exploits would be high. The harder it is, the fewer exploits that are available. In general, the rarer something is, the more valuable it is (there are exceptions to this, but here we’re trying to compare Oranges to Oranges)
  • Assumption 2: That an exploit’s value is related to how widespread its impact is. An exploit that can impact a million systems is worth more than an exploit that can impact one hundred systems.
  • Assumption 3: That an exploit’s value is also related to what the exploit does. Remote elevation of privilege is obviously worth more than an exploit that must be run locally that might lead to data disclosure.
  • If you accept those assumptions, you can create a basic equation that suggests that:

Value of Exploit = (Difficulty to create exploit) * (Impact of exploit) * (Severity of exploit)

According to the Forbes article, iOS exploits are the most valuable. This is interesting because Android is more widely deployed than iOS. If you accept the above assumptions, you can conclude that developing exploits for Android is less difficult than developing exploits for iOS and that the difference in value is because one is substantially harder than the other, even though the other has a wider impact.

At present it appears that the reward for developing exploits for OSX is substantially lower than that of developing exploits for Windows. Although the Forbes table doesn’t tell us directly whether developing exploits for OSX is more or less difficult than developing exploits for Windows, we can perhaps conclude the following: If developing exploits for OSX was insanely difficult, one would assume that the asking price for those exploits would be substantially higher, even when you take into account the differences in market share. This would be for the same reason that iOS exploits command more money, even though iOS trails Android in market share.

Now that one particular strain of OSX malware has achieved infamy, it will be interesting to see what happens to the value of OSX zero day exploits. Will it increase or decrease? Only time will tell (another way of saying “stuffed if I know”).

Follow me on twitter: @orinthomas

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.