Market for software exploits is often focused on Microsoft flaws, years-old technology

Holes in popular software can yield major profits for criminals.
Nearly half of the software exploits requested on forums were for vulnerabilities that were at least three years old, Trend Micro found. (Getty Images)

Every month Microsoft releases software updates to fix vulnerabilities across the company’s vast line of technology products.

The ritual, known as Patch Tuesday, often involves security experts urging users to update their software, and researchers gaining some public recognition after months of quietly working to mitigate the flaws.

A new study from antivirus vendor Trend Micro found that cybercriminal forums continue to advertise exploits for a vulnerability years after a patch has been released, though, with sellers adjusting prices to market demand and bundling multiple old exploits together to maximize profits.

The study, which spanned nearly two years and numerous illicit marketplaces, found that nearly half of the software exploits requested on forums were for vulnerabilities that were at least three years old. Demand for exploits also tracks the popularity of the software they target: Microsoft products accounted for 47% of the exploits that forum users requested, according to Trend Micro.
The data shows that holes in popular software act as cash cows for criminals in instances when corporate, personal or government users don’t update their software. The findings also come amid an apparent shakeup in cybercriminal forums after the ransomware attack that prompted the shutdown of Colonial Pipeline, the main artery for delivering fuel to the East Coast. XSS, one of the more popular Russian-language forums, claimed it would ban ransomware sales after the incident.

While zero-day software flaws, or those unknown to the vendor, can fetch tens of thousands of dollars on the forums, other hacking tools are cheap or even free. On an English-language forum, Trend Micro found JavaScript exploits for $40 and Microsoft Word exploits for $100.

“Patching yesterday’s popular vulnerability can be more important than today’s critical one,” Mayra Rosario Fuentes, senior threat researcher at Trend Micro, argued Monday in a presentation at the RSA Conference. She was previewing the research, which Trend Micro will release in July.

While it is unclear if XSS’s supposed ban on ransomware will stick, Trend Micro reported on other market forces that are shaping underground forums. Some vendors rely on their reputation for delivering high-end exploits and only make a handful of sales per year, with the price of an exploit reaching half a million dollars, according to the research. Other exploit sellers count on bargain hunters only willing to cough up $100 here or there.

“Cybercriminals will use the cheapest tool to get the job done,” Rosario Fuentes said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.