Hewlett-Packard’s Zero Day Initiative (ZDI) researchers have been awarded a $125,000 prize for a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. The money, awarded to HP ZDI researchers Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, will be donated to charity.
The HP ZDI researchers focused on Microsoft’s Internet Explorer browser and use-after-free (UAF) vulnerabilities. UAF vulnerabilities are a form of memory corruption that can potentially enable attackers to exploit vulnerable systems. In any given IE update, UAF vulnerabilities are typically the vulnerability class that is most often patched.
Brian Gorenc, manager of vulnerability research for HP Security Research, explained that the ZDI research looked at the isolated heap and memory protection security features in Internet Explorer to see if there were any potential weaknesses.
“We did two months of research and discovered several weaknesses,” Gorenc told eWEEK.
The HP ZDI researchers submitted a paper to Microsoft outlining techniques to bypass the isolated heap and memory protection security features. The team was also able to bypass address space layout randomization (ASLR) by way of the memory protection mitigation feature, Gorenc said.
The $125,000 Microsoft prize is made up of two parts: The first $100,000 was for the research into the weaknesses in the isolated heap and memory protection security features, and an additional $25,000 was awarded to the ZDI researchers because they also explained to Microsoft, techniques that could be implemented to fix the weaknesses.
Gorenc and HP’s ZDI team are no strangers to UAF vulnerabilities across multiple applications and vendors. HP ZDI buys security research from researchers and is always interested in purchasing UAF vulnerabilities, he said, adding that the team has disclosed hundreds of UAF issues over the years.
“Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better,” Gorenc said.
The UAF protection techniques HP ZDI has provided to Microsoft are specific to the Internet Explorer browser though they might be applicable to help other browser vendors in the future. “Other vendors that have issues with UAF might be able to use some of the techniques that we document and possibly harden their own applications against attack,” he said.
HP’s ZDI plans to publish a whitepaper on the Microsoft weaknesses and the potential mitigations, Gorenc said. The complete whitepaper will not be released until later this year to make sure Microsoft has time to resolve the security issues the research has outlined, Gorenc said, adding that the initial whitepaper was provided to Microsoft in October 2014. HP ZDI typically has a 120-day policy for the disclosure of flaws.
“We’re trying to give [Microsoft] time to resolve the issues, but as of Feb. 5, they still haven’t resolved the issues yet,” Gorenc said.
The $125,000 award that the HP ZDI researchers received will be divided up and given to Texas A&M University, Concordia University and Khan Academy.
HP ZDI has donated bug-bounty awards to charity in the past. In March 2013, HP ZDI donated $82,500 to the Canadian Red Cross for security research awards during the Pwn4fun contest. At that event, HP and Google researchers competed to find browser vulnerabilities.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
