Microsoft has awarded $100,000 to researcher James Forshaw for a new attack technique which bypasses an attack mitigation in Windows 8.1.
The $100,000 reward is the maximum payout in Microsoft's Mitigation Bypass Bounty program.
Mitigation Bypass is one of three bounty programs announced in June by Microsoft's Katie Moussouris. Another was a special program for critical vulnerabilities in the Internet Explorer 11 Preview.
Last Friday, Moussouris announced six winners in that program, collecting over $28,000.
The third bounty program is the Blue Hat Bonus for Defense, with as much as $50,000 for a defensive technique which would counter an attack technique that can bypass current attack mitigations. No announcements of winners in this program have yet been made. Examples of established attack mitigations are Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Structured Exception Handler Overwrite Protection (SEHOP).
According to Microsoft, Forshaw has produced numerous design-level attack techniques and is very good at it.
Moussouris told me that Microsoft will not be disclosing the nature of the attack(s) for which Forshaw won until they have implemented defenses against them. I asked if Microsoft would wait until then to disclose the attack technique to other vendors who might be affected by it. She said that these techniques are not likely to affect other vendors.
Forshaw provided a statement:
“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus on complex logic bugs. I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires.
Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.
To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful. Receiving the recognition for my entry is exciting to me and my employer Context. It also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers.”