Microsoft ponies up $100K to researcher who figured out new Windows hack in 2 weeks
U.K.-based James Forshaw demonstrates how to bypass Windows 8.1's defenses, wins first bonus payment in June program
Computerworld - The security researcher who yesterday was awarded $100,000 by Microsoft spent about two weeks pondering, then demonstrating a new way to circumvent Windows' defensive technologies.
In an interview today, James Forshaw, the head of vulnerability research at U.K.-based Context Information Security, described in the most general terms the work that resulted in the big bounty.
"When Microsoft announced the initial bounties, I first thought about the mitigations I wanted to go over," said Forshaw. "Windows has a lot of mitigations in place, so I started to brainstorm. I asked myself, 'How would I do it [if I was a cyber criminal]?'"
From start to finish -- from those brainstorming sessions to an exploit that proved his mitigation bypass approach worked -- Forshaw said he spent about half a month on the project. "From my initial thought to a full working proof of concept was about two weeks," he said.
Forshaw stressed that the two weeks of solid work were built on the years he has spent in information security, hammering home the point that winning submissions, whether to a bonus program like Microsoft's or to the programs that browser makers and other vendors run to collect details on specific vulnerabilities, almost always go to very experienced, long-time researchers.
"This is not something that anyone's done before, but then again, nothing is completely revolutionary," said Forshaw.
Microsoft echoed that yesterday. In a Tuesday blog post, Katie Moussouris, a senior security strategist with the Microsoft Security Response Center (MSRC), and the manager of the bounty programs, said that a Microsoft engineer had independently found a variant of the attack technique class that Forshaw reported.
"But James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty," wrote Moussouris.
Forshaw wasn't able to go into detail about his Windows exploitation approach because of Microsoft's bounty reward rules. For its part, Microsoft hinted it may be a long time before it steps out from inside the cone of silence.
"We can't go into the details of this new mitigation bypass technique until we address it," said Moussouris.
"I'm not party to those discussions," said Forshaw when asked whether he had any idea when or how Microsoft would integrate his submission into Windows' defenses. "I don't know what their plans are, but I don't think it's going to be immediate. It's not something they can switch off and it goes away. It's something more fundamental in Windows."
Last year, after running a different security research contest -- dubbed BlueHat Prize -- Microsoft integrated new defenses into its Enhanced Mitigation Experience Toolkit (EMET) that were inspired by BlueHat finalist Ivan Fratric -- then a researcher at the University of Zagreb in Croatia, now a security engineer with rival Google.