Report: Profiting From Patch Tuesday

It’s Microsoft’s Patch Tuesday, and according to new research, someone out there is actually profiting from it in the stock market.

Making money in the stock market sounds like an oxymoron today given the global financial crisis, but new research published in the fall issue of the McAfee Security Journal demonstrates how Microsoft’s stock dips on Patch Tuesday, but then rebounds the following day. It's likely some people capitalize on this in their stock transactions, the article says.

“At the very least, it appears that there is a correlation between Microsoft stock price fluctuations and the Patch Tuesday release cycle,” writes Anthony Bettini, a member of the McAfee Avert Labs senior management team.

Another “financial engineering” scam could allow attackers to use zero-day threats as a way to make money in the equities and derivatives markets, he says. “It is possible people are already using zero-day threats for financial gain, not simply for embedding them within password-stealing Trojans but for taking short or options positions in equities and derivatives,” he writes.

Dave Marcus, director of security research and communications for McAfee Avert Labs, says Bettini’s research on hackers making money off of Patch Tuesday woes was eye-opening. “It surprised every single of one of us,” Marcus says. “This is breakout research.”

Fake vulnerability disclosures could also be used to manipulate the market, according to Bettini: “It’s possible that events could be orchestrated via social engineering to manipulate the market and its participants. This scenario would clearly be illegal; but where there is profit, there are often people willing to break laws. Similarly… not all attacks would involve social engineering. Some may even be legal.”

— Kelly Jackson Higgins, Senior Editor, Dark Reading