
Microsoft ponies up $100K to researcher who figured out new Windows hack in 2 weeks

Gregg Keizer | Oct. 10, 2013
U.K.-based James Forshaw demonstrates how to bypass Windows 8.1's defenses, wins first bonus payment in June program

EMET, designed for enterprise IT workers and advanced users, lets them manually switch on Windows anti-exploit defenses, such as DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications.

Fratric's work -- which earned him second prize in the 2012 BlueHat contest and its $50,000 cash award -- was on "return-oriented programming" (ROP), an exploit-building technique often used to sidestep DEP in Windows.

Microsoft kicked off a pair of new bounty programs, including the Mitigation Bypass Bounty -- the one Forshaw submitted to -- in June. That program has the highest rewards -- up to the $100,000 Forshaw won -- for novel exploitation techniques able to circumvent Windows 8.1's defenses.

As in 2012, when it ran the BlueHat Prize, Microsoft justified the large payments this year by arguing that winning submissions would let it block large swaths of attacks. Rather than stymie each exploit individually, a practice Microsoft is not much interested in rewarding, it wants to defeat whole classes of exploits.

"When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications," said Moussouris yesterday.

The Mitigation Bypass Bounty, and the associated BlueHat Bonus for Defense, which pays a maximum of $50,000, are open-ended, unlike the BlueHat Prize or even the Internet Explorer 11 (IE11) bug bounty program, which ran for just 30 days this summer.

Under the mitigation bounty program's rules, Forshaw's exploit technique had to be successful against Windows 8.1, the update Microsoft will launch next week. But it would also work if aimed at Windows 7, Vista, or even older editions.

Forshaw said he had not yet received the big check from Microsoft, but that it "was in progress."

"Most of it, because I worked on this on work time, will go into the company pot, so to speak," said Forshaw when asked his plans for the award. "Ultimately, I'm a full-time researcher, and research doesn't normally pay [direct revenue], so this makes me look good in the company."

Microsoft's $100,000 bounty wasn't the only prize Forshaw has collected this year. In March, he received $20,000 for hacking Java at the 2013 edition of Pwn2Own. He also submitted four IE11 flaws to Microsoft in July, earning $4,400 for the vulnerability quartet and a $5,000 bonus for pointing out some design vulnerabilities in the new browser.

"It's not been too bad a year," said Forshaw.
