Microsoft shells out $100,000 for Windows bug-finder bounty
The security researcher who yesterday was awarded $100,000 by Microsoft spent about two weeks pondering, then demonstrating a new way to circumvent Windows' defensive technologies.
In an interview, James Forshaw, the head of vulnerability research at U.K.-based Context Information Security, described in the most general terms the work that resulted in the big bounty.
"When Microsoft announced the initial bounties, I first thought about the mitigations I wanted to go over," said Forshaw. "Windows has a lot of mitigating in place, so I started to brainstorm. I asked myself, 'How would I do it [if I was a cyber criminal]?'"
From start to finish—from those brainstorming sessions to an exploit that proved his mitigation bypass approach worked—Forshaw said he spent about half a month on the project. "From my initial thought to a full working proof of concept was about two weeks," he said.
Forshaw stressed that the two weeks of solid work came on top of the years he's spent in information security, hammering home the point that winning submissions, whether for a bonus program like Microsoft's or those that browser makers and other vendors run to collect details on specific vulnerabilities, almost always come from very experienced, longtime researchers.
"This is not something that anyone's done before, but then again, nothing is completely revolutionary," Forshaw said.
Microsoft echoed that last week. In a Tuesday blog post, Katie Moussouris, a senior security strategist with the Microsoft Security Response Center (MSRC), and the manager of the bounty programs, said that a Microsoft engineer had independently found a variant of the attack technique class that Forshaw reported.
"But James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty," Moussouris wrote.
No details, please
Forshaw wasn't able to go into detail about his Windows exploitation approach because of Microsoft's bounty reward rules. For its part, Microsoft hinted it may be a long time before it steps out from inside the cone of silence.
"We can't go into the details of this new mitigation bypass technique until we address it," said Moussouris.
"I'm not party to those discussions," said Forshaw when asked whether he had any idea when or how Microsoft would integrate his submission into Windows' defenses. "I don't know what their plans are, but I don't think it's going to be immediate. It's not something they can switch off and it goes away. It's something more fundamental in Windows."
Last year, after running a different security research contest—dubbed BlueHat Prize—Microsoft integrated new defenses into its Enhanced Mitigation Experience Toolkit (EMET) that were inspired by BlueHat finalist Ivan Fratric—then a researcher at the University of Zagreb in Croatia, now a security engineer with rival Google.
EMET, designed for enterprise IT workers and advanced users, lets them manually switch on Windows anti-exploit defenses, such as DEP (data execution prevention) and ASLR (address space layout randomization), for specific applications.
Fratric's work—which earned him second prize in the 2012 BlueHat contest and its $50,000 cash award—was on "return-oriented programming" (ROP), an exploit-building technique often used to sidestep DEP in Windows.
Microsoft kicked off a pair of new bounty programs, including the Mitigation Bypass Bounty—the one Forshaw submitted to—in June. That program has the highest rewards—up to the $100,000 Forshaw won—for novel exploitation techniques able to circumvent Windows 8.1's defenses.
As in 2012, when it ran the BlueHat Prize, Microsoft justified the large payments this year by arguing that winning submissions would let it block large swaths of attacks. Rather than stymie each exploit individually, a practice Microsoft is not much interested in rewarding, it wants to defeat whole classes of exploits.
"When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications," said Moussouris yesterday.
The Mitigation Bypass Bounty and the associated BlueHat Bonus for Defense, which pays a maximum of $50,000, are open-ended, unlike the BlueHat Prize or even the Internet Explorer 11 (IE11) bug bounty program, which ran for just 30 days this summer.
Applies to several versions
Per the mitigation bounty program's rules, Forshaw's exploit tactic had to be successful against Windows 8.1, the update Microsoft will launch next week. But it would also work if pitched at Windows 7, Vista, or even older editions.
Forshaw said he had not yet received the big check from Microsoft, but that it "was in progress."
"Most of it, because I worked on this on work time, will go into the company pot, so to speak," said Forshaw when asked his plans for the award. "Ultimately, I'm a full-time researcher, and research doesn't normally pay [direct revenue], so this makes me look good in the company."
Microsoft's $100,000 bounty wasn't the only prize Forshaw has collected this year. In March, he received $20,000 for hacking Java at the 2013 edition of Pwn2Own. He also submitted four IE11 flaws to Microsoft in July, earning $4,400 for the vulnerability quartet and a $5,000 bonus for pointing out some design vulnerabilities in the new browser.
"It's not been too bad a year," Forshaw said.