Home Business IT Security Microsoft pays out $100K for new exploit technique
British hacker James Forshaw British hacker James Forshaw Featured

One plucky hacker has earned  a massive payday courtesy of a bug in Microsoft's Windows OS, pocketing a $100,000 reward for discovering a critical vulnerability.

British-based white-hat hacker James Forshaw from Context Information Security came up with a way of exploiting Windows applications that, according to various sources, overcomes systemic protections such as Address Space Layout Randomization and Data Execution Prevention in Windows 8.1 Preview. Microsoft has ponied up $100,000 for the information.

The tech giant announced back in June that it would join other like-minded companies like Google and Mozilla in paying external hackers to research vulnerabilities, offering up to $11,000 for critical vulnerabilities discovered in the Internet Explorer 11 beta  and up to $100,000 for any technique that bypassed Windows' built-in exploit mitigation schemes.

Forshaw jumped at the chance and had already discovered design level bugs during the IE11 Preview Bug Bounty, bringing his total earnings to $109,400.

"James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we're thrilled to give him even more money for helping us improve our platform-wide security by leaps," said Katie Moussouris, senior security strategist at the Microsoft Security Response Center in a blog post.

"While we can't go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants."

Microsoft said that unlike Mozilla for example, it is not paying for individual bugs but was instead offering the $100,000 scheme for entire classes of exploits.

"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," the company said.

"This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."

As we reported yesterday Danish-based startup CrowdCurity is also offering bounties for hackers, and is actively looking for small-to-medium sized businesses who want their security tested.

FREE REPORT - IT MONITORING TOOLS COMPARISON

Are you looking to find the most efficient IT Monitoring tool available?

IT Monitoring is an essential part of the operations of any organisation with a significant network architecture.

Multiple IT monitoring platforms are available on the market today, supporting the various needs of small, medium-sized, and large enterprises, as well as managed service providers (MSPs).

This new report studies and compares eight different IT monitoring products in terms of functionality, operations, and usability on the same server platform with 100 end devices.

Which product is easiest to deploy, has the best maintenance mode capabilities, the best mobile access and custom reporting, dynamic thresholds setting, and enhanced discovery capabilities?

Download your free report to find out.

DOWNLOAD!

David Swan

David Swan is a tech journalist from Melbourne and is iTWire's Associate Editor. Having started off as a games reviewer at the age of 14, he now has a degree in Journalism from RMIT (with Honours) and owns basically every gadget under the sun. He also writes for Junkee and Fasterlouder. You can email him at david.swan@itwire.com or follow him at twitter.com/swan_legend

Connect