Microsoft awards HP researchers $125,000 bug bounty

Microsoft has granted HP security researchers a hefty bug bounty for demonstrating Internet Explorer flaws -- days after a vicious XSS vulnerability was disclosed online.
Written by Charlie Osborne, Contributing Writer

Hewlett-Packard security researchers have been awarded a bug bounty of $125,000 from Microsoft as part of the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense program.

Three members of HP's Zero Day Initiative (ZDI) team, Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, scooped up the main $100,000 prize after submitting techniques and steps to attack the Isolated Heap and MemoryProtection functions in the latest version of Microsoft Internet Explorer. The submission, made to the Redmond giant's Mitigation Bypass Bounty and Blue Hat Bonus for Defense scheme, also outlined how an attacker could use MemoryProtection as an oracle to completely bypass ASLR.

MemoryProtection functions, as well as ASLR, are designed to prevent successful exploits of certain use-after-free (UAF) vulnerabilities.

Microsoft's Mitigation Bypass Bounty and BlueHat Bonus for Defense Program, which began in 2013, allows security researchers to submit mitigation bypasses against the Windows platform. Under the program, entrants can win up to $100,000 in addition to up to $50,000 for defense ideas.

After explaining and demonstrating the theoretical attack on Internet Explorer, HP's researchers also offered a way to defend systems against the technique they discovered, which gave them an additional $25,000 in awards, bringing the total count to $125,000.

HP's Zero Day Initiative focuses on bug bounties and investigations into security. The researchers have chased Internet Explorer's use-after-free problems for some time, although the inclusion of two new mitigations -- Isolated Heap and MemoryProtection (MemProtect) -- added by Microsoft into IE during June and July 2014 patches "really started to up [Microsoft's] game in hardening Internet Explorer against memory corruption vulnerabilities," according to Zuckerbraun.

The team sticks to a 120-day disclosure policy if vulnerabilities are discovered. Microsoft was informed of the mentioned IE flaws, and since the discovery met the requirements of the tech firm's Mitigation Bypass Bounty, the submission included a proof-of-concept case study.

At the time of writing, HP says the security issue has not been patched.

As employees of HP, the security researchers will not get to keep the cash prize. Instead, they are donating the funds to three educational establishments with emphasis on STEM research -- Texas A&M University, Concordia University, and Khan Academy.

This week, a severe security flaw was discovered in fully patched versions of Internet Explorer which allows attackers to steal user credentials on both Windows 7 and 8.1. The vulnerability, a universal cross-site scripting (XSS) flaw, allows a hacker to inject script into a website, potentially steal authentication cookies and hoodwink a victim into visiting malicious websites.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards