the linchpin in the attack was one of the worst kinds of security holes

the linchpin in the attack was one of the worst kinds of security holes

The attackers waltzed into victims' computers, like burglars with a key to the back door, by exploiting such a zero-day vulnerability in Microsoft Corp.'s Internet Explorer browser of ThinkPad T61 Battery . Microsoft rushed out a fix after learning of the attack.The Internet Explorer flaw used in the attack on Google Inc . required tricking people into visiting a malicious Web site that installed harmful software on victims' computers.

How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole "wide enough to drive a truck through" can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc . Such flaws can take months of full-time hacking to find for Fujitsu lifebook t5010 battery , Fujitsu lifebook t4020 battery ." Zero days are the safest for attackers to use, but they're also the hardest to find," Silva said. "If it's not a zero day, it's not valuable at all."

The attack, along with a discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China's censorship of the Internet content for FRU 92P1141 battery . Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.

Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users' part of IBM ThinkPad T61 Battery .Zero days refer to security vulnerabilities caused by programming errors that haven't been "patched," or fixed, by the products' developers. Often those companies don't know the weaknesses exist and have had zero days to work on closing the holes.

In this case, Microsoft actually knew about the flaw since September but hadn't planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven't seen it used in attacks of Fujitsu lifebook t5010 battery .Microsoft often fixes multiple vulnerabilities at once because testing patches individually is time-consuming and costly, said Chris Wysopal, co-founder of security company Veracode Inc.

But criminals know how the patch cycle works, and Wysopal said the Google attackers may have realized their zero-day flaw was getting old — and thus struck in December just before they thought Microsoft was going to fix Fujitsu lifebook t4020 battery ."They likely thought the bug would be fixed in January or February," he said. "They were right."

Microsoft certainly could have fixed the bug earlier and prevented it from being used on Google, but security experts caution that an adversary that is well-funded or determined could have easily found another bug to use for IBM FRU 92P1141 .TippingPoint's Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn't match.

"Zero days aren't difficult to find," said Steve Santorelli, a former Microsoft security research who now works with Team Cymru, a nonprofit research group of IBM ThinkPad T61 Battery . "You don't have to have a Ph.D. in computer science to find a zero-day exploit. It really is a factor of the amount of energy and effort you're willing to put in."Whether to pay — and seek payment — is hotly debated among researchers.

In fact, such exploits are widely available for the right price. VeriSign's iDefense Labs and 3Com Corp.'s TippingPoint division run programs that buy zero-day vulnerabilities from researchers in the so-called "white market of vgp bps2c battery ." They alert the affected companies without publicly disclosing the flaw and use the information to get a jump on rivals on building protections into their security products.

There's also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses of Fujitsu lifebook t4010 battery .Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.

One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system of vgp bps2c , vgp bpl8 ."I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen — as terrible as that is, I made that choice, and it's hard," Miller said. "It's a lot of money for someone to turn down."

Companies whose products are vulnerable generally won't pay outside researchers for bugs they've found. Microsoft said offering payment "does not foster a community-based approach to protecting customers from cybercrime to sony vgp bpl8 ." The company declined further comment on its practices and the timing of the fix for the flaw used in the Google attack.