Microsoft baits trap with $100K in hunt for new exploit techniques
Puts money where its mouth is, say security experts, to make Windows ecosystem more secure
Computerworld - Microsoft took a two-year-old contest and turned it on its head to come up with a new reward program that will pay security researchers up to $100,000 for demonstrating novel attack tactics against Windows 8.1.
In a broad announcement Wednesday that also revealed its first-ever bug bounty program, Microsoft spelled out two new projects that will hand cash to security researchers.
One, dubbed "BlueHat Bonus for Defense," a spin-off from a 2011 contest named "BlueHat Prize," will pay researchers as much as $50,000 for fresh defensive security solutions.
The other, called "Mitigation Bypass Bounty," offers up to double that -- top dollar is $100,000 -- for any novel exploitation technique able to circumvent Windows 8.1's many defenses, or as Microsoft pegs them, "mitigations." Windows 8.1, the first major update for Windows 8, will launch as a public preview June 26 -- the same day both new reward programs kick off -- and release in a polished form this fall.
Neither the BlueHat Bonus nor the Mitigation Bypass Bounty is a true bug bounty program: they don't pay for previously unknown bugs in Microsoft's code. Instead, they aim to collect more sweeping research that Microsoft can use to stymie entire classes of vulnerability exploits.
The keystone Mitigation Bypass Bounty pays only for new, reliable exploit techniques designed to circumvent Windows' built-in defenses, like DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization) and SEHOP (Structured Exception Handling Overwrite Protection).
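Two of the mitigations named above, DEP and ASLR, are opt-in per binary: a linker sets the `NX_COMPAT` and `DYNAMIC_BASE` bits in the PE optional header's `DllCharacteristics` field, and a module whose relocations have been stripped cannot be rebased even if `DYNAMIC_BASE` is set. The script below is an added example (not code from Microsoft or from the article) that parses those header fields and reports whether an image has opted into DEP, ASLR, high-entropy 64-bit ASLR and the SafeSEH-related `NO_SEH` flag; the flag constants are the published PE/COFF values, and the two sample images it checks are constructed headers built inline so the check runs offline.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400           # image uses no SEH handlers
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def check_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # COFF file header follows the signature
    coff_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                         # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # ASLR is only effective when the image can actually be relocated.
        "aslr": dynamic_base and not relocs_stripped,
        "high_entropy_aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "relocs_stripped": relocs_stripped,
    }


def build_sample_image(magic: int, coff_chars: int, dll_chars: int) -> bytes:
    """Constructed minimal PE header (headers only, no sections) used as sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after the DOS header
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 112, coff_chars)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a hardened 64-bit image and a 32-bit image with stripped relocations.
SAMPLES = {
    "hardened_x64": build_sample_image(PE32PLUS_MAGIC, 0x0022, 0x0160),
    "legacy_x86": build_sample_image(PE32_MAGIC, 0x0103, 0x0040),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        result = check_mitigations(image)
        missing = [k for k in ("dep", "aslr") if not result[k]]
        print(name, result, "MISSING: %s" % ", ".join(missing) if missing else "OK")
```

To run the same check on a real file, pass `open(path, "rb").read()` to `check_mitigations`; a binary flagged with `relocs_stripped` and `DYNAMIC_BASE` together is the common case where a build looks ASLR-enabled but loads at a fixed address.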
"Eligible bypass submissions will include an exploit that demonstrates a novel method of exploiting a real Remote Code Execution (RCE) vulnerability and a white paper explaining the exploitation method," Microsoft said in its submission guidelines.
A single -- and previously unknown -- exploit technique that meets Microsoft's criteria could conceivably be used to exploit dozens, even scores, of zero-day vulnerabilities. Past exploit techniques that, had they not already been known, would have been eligible for the $100,000 payout include Return Oriented Programming (ROP) and JIT (Just-in-Time) heap spraying.
ROP was first described in a 2007 paper by Hovav Shacham, now a computer science professor at the University of California, San Diego; the JIT heap spraying technique was publicly revealed by Dionysus Blazakis of security firm FireEye in 2010.
In other words, novel exploitation tactics don't grow on trees.
Calling Windows' defensive mitigations the operating system's "shield," Katie Moussouris, a senior security strategist lead with the company, explained why Microsoft thought it was better to pay for broad-stroke bypasses than for bugs. "If we can get the knowledge [of such exploit techniques] earlier, we can try to block them," she said.
Experts generally applauded the two programs -- in part because of the dollar size of the awards -- but were uncertain how many submissions Microsoft would collect.
"They'll get people doing really cheap labor," said Andrew Storms, the former director of security operations at TripWire's nCircle. "But we don't know how many [submissions] they'll get."
Chris Wysopal, co-founder and CTO of Veracode, a Burlington, Mass., company that develops application security testing and risk management software, predicted that, as with 2011's BlueHat Prize, many of the Mitigation Bypass submissions will come from academics.