Microsoft ponies up $100K to researcher who figured out new Windows hack in 2 weeks
U.K.-based James Forshaw demonstrates how to bypass Windows 8.1's defenses, wins first bonus payment in June program
Computerworld - The security researcher who yesterday was awarded $100,000 by Microsoft spent about two weeks pondering, then demonstrating a new way to circumvent Windows' defensive technologies.
In an interview today, James Forshaw, the head of vulnerability research at U.K.-based Context Information Security, described in the most general terms the work that resulted in the big bounty.
"When Microsoft announced the initial bounties, I first thought about the mitigations I wanted to go over." said Forshaw. "Windows has a lot of mitigating in place, so I started to brainstorm. I asked myself, 'How would I do it [if I was a cyber criminal]?'"
From start to finish -- from those brainstorming sessions to an exploit that proved his mitigation bypass approach worked -- Forshaw said he spent about half a month on the project. "From my initial thought to a full working proof of concept was about two weeks," he said.
Forshaw stressed that the two weeks of solid work came on top of the years he's spent in information security, hammering home the point that winning submissions, whether for a bonus program like Microsoft's or those that browser makers and other vendors run to collect details on specific vulnerabilities, almost always come from very experienced, long-time researchers.
"This is not something that anyone's done before, but then again, nothing is completely revolutionary," said Forshaw.
Microsoft echoed that yesterday. In a Tuesday blog post, Katie Moussouris, a senior security strategist with the Microsoft Security Response Center (MSRC), and the manager of the bounty programs, said that a Microsoft engineer had independently found a variant of the attack technique class that Forshaw reported.
"But James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty," wrote Moussouris.
Forshaw wasn't able to go into detail about his Windows exploitation approach because of Microsoft's bounty reward rules. For its part, Microsoft hinted it may be a long time before it steps out from inside the cone of silence.
"We can't go into the details of this new mitigation bypass technique until we address it," said Moussouris.
"I'm not party to those discussions," said Forshaw when asked whether he had any idea when or how Microsoft would integrate his submission into Windows' defenses. "I don't know what their plans are, but I don't think it's going to be immediate. It's not something they can switch off and it goes away. It's something more fundamental in Windows."
Last year, after running a different security research contest -- dubbed BlueHat Prize -- Microsoft integrated new defenses into its Enhanced Mitigation Experience Toolkit (EMET) that were inspired by BlueHat finalist Ivan Fratric -- then a researcher at the University of Zagreb in Croatia, now a security engineer with rival Google.