
Microsoft Hands Out $100k For Windows Security Bypass

Microsoft has paid a researcher $100,000 (£62k) for his method of bypassing the security of the Windows operating system.

James Forshaw, of Context Information Security, was the recipient, although Microsoft said it couldn’t go into detail on the bypass techniques he used until it has addressed them.

That means, despite a slew of fixes being issued in yesterday’s Patch Tuesday package, the flaws used by Forshaw remain exploitable.

Internet Explorer hack

Forshaw’s reward is part of the recently-launched Mitigation Bypass Bounty programme, which rewards proof of serious exploits rather than just bugs. That operates alongside Microsoft’s traditional bug bounty.

“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack,” said Katie Moussouris, senior security strategist lead at Microsoft Trustworthy Computing, in a blog post.

“This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”

Microsoft had only just announced more than $28,000 of rewards as part of its first bug bounty programme.

Peter Vreugdenhil, of Exodus Intelligence, which formed out of HP’s Zero Day Initiative, received the most from that lot with a $10,000 prize. Forshaw had already won $9,400 for his bug finds.

Internet companies have been ramping up their bug bounty efforts in recent months. Yahoo announced its own version recently, which will award prizes of up to $15,000, after it was slammed for handing out vouchers for company merchandise when bug reports came in.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
