Bounty for Windows mitigation bypass earns researcher $100k
Just a few months after announcing its own vulnerability rewards program, software company Microsoft has made bug bounty history by issuing one researcher a $100,000 prize for reporting a critical mitigation bypass flaw in Windows 8.1.
The bounty is still listed as ongoing on the Microsoft Security Bounty Programs website, but the discovery by James Forshaw, a security vulnerability researcher with U.K.-based security consulting company Context Information Security, has been validated.
Forshaw told SCMagazine.com on Wednesday that Microsoft would not allow him to reveal details of the bug until it is addressed properly, but he did explain that while his finding circumvents protections built into Windows 8.1, it is not actually a security vulnerability.
“It's a way of taking existing vulnerabilities that might be considered unexploitable because you have mitigations in place, and gaining code execution to do nasty things to targets,” Forshaw said. “In and of itself, it doesn't do anything.”
Having spent the past five years conducting research predominantly on the Windows platform, Forshaw said it was because of his close relationship with Microsoft's security personnel that the mitigation bypass bounty came on his radar.
It was a tedious process, Forshaw said, especially after spending about 10 days brainstorming ideas and getting shut down every time.
“My first few ideas completely failed,” he said, explaining that he is better known for seeking out logic bugs, such as in Microsoft's .NET Framework, as opposed to memory corruption bugs. Recently, he earned $20,000 in the 2013 Pwn2Own contest for discovering exploits in Oracle's Java, and earned nearly $10,000 for discovering bugs in Internet Explorer 11 Preview.
Despite being out of his comfort zone, one of Forshaw's bypass ideas began gaining traction thanks to his extensive knowledge of the inner workings of Windows. In the end, establishing a proof of concept and writing up a report took the researcher two full weeks.
“I felt it was an interesting technique, but I was concerned it wouldn't meet all the criteria,” Forshaw said. As per the bounty instructions, eligible submissions must be generic, reliable, reasonable, impactful, applicable to user mode applications, current and distinct. “I thought maybe I wouldn't match them all, but [Microsoft] considered it valid.”
As an active seeker of bugs, and a well-remunerated one at that, Forshaw had no problem admitting he is in favor of bug bounty programs – particularly because researchers can earn a few bucks and companies get the opportunity to ameliorate vulnerabilities before the flaws are sold on the black market for malicious exploitation.
“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack,” Katie Moussouris, Microsoft Security Response Center senior security strategist, said in a statement.