HP Awarded $125,000 Bug Bounty By Microsoft

Hewlett-Packard’s Zero Day Initiative (ZDI) researchers have been awarded a $125,000 prize for a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. The money, awarded to HP ZDI researchers Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, will be donated to charity.

The HP ZDI researchers focused on Microsoft’s Internet Explorer browser and use-after-free (UAF) vulnerabilities. UAF vulnerabilities are a form of memory corruption that can potentially enable attackers to exploit vulnerable systems. In any given IE update, UAF vulnerabilities are typically the vulnerability class that is most often patched.

Brian Gorenc, manager of vulnerability research for HP Security Research, explained that the ZDI research looked at the isolated heap and memory protection security features in Internet Explorer to see if there were any potential weaknesses.

“We did two months of research and discovered several weaknesses,” Gorenc told eWEEK.

The HP ZDI researchers submitted a paper to Microsoft outlining techniques to bypass the isolated heap and memory protection security features. The team was also able to bypass address space layout randomisation (ASLR) by way of the memory protection mitigation feature, Gorenc said.

$125,000 Microsoft prize

The $125,000 Microsoft prize is made up of two parts: The first $100,000 was for the research into the weaknesses in the isolated heap and memory protection security features, and an additional $25,000 was awarded to the ZDI researchers because they also explained to Microsoft, techniques that could be implemented to fix the weaknesses.

Gorenc and HP’s ZDI team are no strangers to UAF vulnerabilities across multiple applications and vendors. HP ZDI buys security research from researchers and is always interested in purchasing UAF vulnerabilities, he said, adding that the team has disclosed hundreds of UAF issues over the years.

“Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better,” Gorenc said.

The UAF protection techniques HP ZDI has provided to Microsoft are specific to the Internet Explorer browser though they might be applicable to help other browser vendors in the future. “Other vendors that have issues with UAF might be able to use some of the techniques that we document and possibly harden their own applications against attack,” he said.

HP’s ZDI plans to publish a whitepaper on the Microsoft weaknesses and the potential mitigations, Gorenc said. The complete whitepaper will not be released until later this year to make sure Microsoft has time to resolve the security issues the research has outlined, Gorenc said, adding that the initial whitepaper was provided to Microsoft in October 2014. HP ZDI typically has a 120-day policy for the disclosure of flaws.

“We’re trying to give [Microsoft] time to resolve the issues, but as of Feb. 5, they still haven’t resolved the issues yet,” Gorenc said.

The $125,000 award that the HP ZDI researchers received will be divided up and given to Texas A&M University, Concordia University and Khan Academy.

HP ZDI has donated bug-bounty awards to charity in the past. In March 2013, HP ZDI donated $82,500 to the Canadian Red Cross for security research awards during the Pwn4fun contest. At that event, HP and Google researchers competed to find browser vulnerabilities.

Take our hacking quiz here!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago