Microsoft awarded more than $128,000 in bounties to researchers for finding vulnerabilities in its products, including a whopping $100,000 reward to one researcher for finding a way to get around all of Windows 8's defenses.
The bounties, part of a reward-for-bugs program kicked off by Microsoft in June, were announced this week on Microsoft's regularly scheduled Patch Tuesday, when the company releases updates to fix security holes in its products. Security consultant James Forshaw claimed the $100,000 bounty for finding an attack vector that bypassed all of Microsoft's current mitigations, the company said.
"Our strategy is working," Katie Moussouris, senior security strategist lead for Microsoft's Trustworthy Computing group, wrote in response to an email query from eWEEK. "We are getting vulnerability and new attack techniques reported to us earlier; we are engaging with more security researchers that we might not otherwise hear from, as well as encouraging continuing engagement with some of the bright minds we’ve worked closely with in the past."
Six researchers, including Forshaw have also submitted vulnerabilities for a second program focused on finding flaws in Internet Explorer 11 before the browser is released to the masses. Microsoft has awarded more than $28,000 in that program to date.
In the past, security researchers have often called for Microsoft to offer money to reward those researchers who find bugs and responsibly disclose the vulnerabilities to the company. While other companies—such as Google, Mozilla, Facebook, HP and iDefense—have offered bounties to the finders of security flaws, Microsoft continued to shy away from paying for research.
The mindset at the company slowly changed, however, and in June, the software giant announced its own bounty program, offering $100,000 for any attack technique that fully bypasses all the current defenses on Windows 8 and up to $11,000 for any attacks against Internet Explorer 11 Preview. Current defensive technologies included in Windows 8 are data execution protection (DEP) and address space layout randomization (ASLR), which limit an attacker's ability to exploit vulnerabilities in the operating system.
While Microsoft declined to provide details of Forshaw's research, the company did say that it planned to include a defense against the attacks in the Windows 8.1 update now in development.
Forshaw's research "will help us strengthen platform-wide mitigations ... that serve as a part of 'the shield' that is built into the latest version of our operating system, Windows 8.1 Preview, and increases costs to attackers by making it difficult to reliably exploit individual vulnerabilities," Microsoft's Moussouris said.
Context Information Security is making a name for itself in the research community. Another CIS researcher, Paul Stone, found and exploited timing issues in how major browsers implemented HTML 5, allowing attackers to gather data on a target's browser history.
The other researchers awarded for finding vulnerabilities in the IE 11 Preview, include Peter Vreugdenhil of Exodus Intelligence, Fermin J. Serna and Ivan Fratric of Google, Jose Antonio Vazquez Gonzalez of Yenteasy Security Research, and Masato Kinugawa, Microsoft stated in a blog post.