Bounty for Windows mitigation bypass earns researcher $100k

Just a few months after announcing its own vulnerability rewards program, software company Microsoft has made bug bounty history by issuing one researcher a $100,000 prize for reporting a critical mitigation bypass flaw in Windows 8.1.

The bounty is still listed as ongoing on the Microsoft Security Bounty Programs website, but the discovery by James Forshaw, a security vulnerability researcher with U.K.-based security consulting company Context Information Security, has been validated.

Forshaw told SCMagazine.com on Wednesday that Microsoft would not allow him to reveal details of the bug until it is addressed properly, but he did explain that while his finding bypasses exploit protections built into Windows 8.1, it is not in itself a security vulnerability.

“It's a way of taking existing vulnerabilities that might be considered unexploitable because you have mitigations in place, and gaining code execution to do nasty things to targets,” Forshaw said. “In and of itself, it doesn't do anything.”

Having spent the past five years conducting research predominantly on the Windows platform, Forshaw said it was because of his close relationship with Microsoft's security personnel that the mitigation bypass bounty came on his radar.

It was a tedious process, Forshaw said, especially after spending about 10 days brainstorming ideas and getting shut down every time.

“My first few ideas completely failed,” he said, explaining that he is better known for seeking out logic bugs, such as in Microsoft's .NET Framework, than memory corruption bugs. Recently, he earned $20,000 in the 2013 Pwn2Own contest for discovering exploits in Oracle's Java, and earned nearly $10,000 for discovering bugs in Internet Explorer 11 Preview.

Despite being out of his comfort zone, one of Forshaw's bypass ideas began gaining traction courtesy of a wealth of knowledge with regard to the inner workings of Windows. In the end, establishing a proof of concept and writing up a report took the researcher two full weeks.

“I felt it was an interesting technique, but I was concerned it wouldn't meet all the criteria,” Forshaw said. As per the bounty instructions, eligible submissions must be generic, reliable, reasonable, impactful, applicable to user mode applications, current and distinct. “I thought maybe I wouldn't match them all, but [Microsoft] considered it valid.”

As an active seeker of bugs, and a well-remunerated one at that, Forshaw had no problem admitting he is in favor of bug bounty programs – particularly because researchers can earn a few bucks and companies get the opportunity to ameliorate vulnerabilities before the flaws are sold on the black market for malicious exploitation.

“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack,” Katie Moussouris, Microsoft Security Response Center senior security strategist, said in a statement.
