Skip the navigation

Microsoft ponies up $100K to researcher who figured out new Windows hack in 2 weeks

U.K.-based James Forshaw demonstrates how to bypass Windows 8.1's defenses, wins first bonus payment in June program

October 9, 2013 04:01 PM ET

Computerworld - The security researcher who yesterday was awarded $100,000 by Microsoft spent about two weeks pondering, then demonstrating a new way to circumvent Windows' defensive technologies.

In an interview today, James Forshaw, the head of vulnerability research at U.K.-based Context Information Security, described in the most general terms the work that resulted in the big bounty.

"When Microsoft announced the initial bounties, I first thought about the mitigations I wanted to go over." said Forshaw. "Windows has a lot of mitigating in place, so I started to brainstorm. I asked myself, 'How would I do it [if I was a cyber criminal]?'"

From start to finish -- from those brainstorming sessions to an exploit that proved his mitigation bypass approach worked -- Forshaw said he spent about half a month on the project. "From my initial thought to a full working proof of concept was about two weeks," he said.

Forshaw stressed that the two weeks of solid work were atop the years he's spent in information security, hammering home the point that winning submissions, whether for a bonus program like Microsoft's or those that browser makers and other vendors run to collect details on specific vulnerabilities, almost always goes to very experienced, long-time researchers.

"This is not something that anyone's done before, but then again, nothing is completely revolutionary," said Forshaw.

Microsoft echoed that yesterday. In a Tuesday blog post, Katie Moussouris, a senior security strategist with the Microsoft Security Response Center (MSRC), and the manager of the bounty programs, said that a Microsoft engineer had independently found a variant of the attack technique class that Forshaw reported.

"But James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty," wrote Moussouris.

Forshaw wasn't able to go into detail about his Windows exploitation approach because of Microsoft's bounty reward rules. For its part, Microsoft hinted it may be a long time before it steps out from inside the cone of silence.

"We can't go into the details of this new mitigation bypass technique until we address it," said Moussouris.

"I'm not party to those discussions," said Forshaw when asked whether he had any idea when or how Microsoft would integrate his submission into Windows' defenses. "I don't know what their plans are, but I don't think it's going to be immediate. It's not something they can switch off and it goes away. It's something more fundamental in Windows."

Last year, after running a different security research contest -- dubbed BlueHat Prize -- Microsoft integrated new defenses into its Enhanced Mitigation Experience Toolkit (EMET) that were inspired by BlueHat finalist Ivan Fratric -- then a researcher at the University of Zagreb in Croatia, now a security engineer with rival Google.



Our Commenting Policies