Home Business IT Security Microsoft pays out $100K for new exploit technique

British hacker James Forshaw British hacker James Forshaw Featured

Subscribe now and get the news that matters to your industry.

* Your Email Address:
* First Name:
* Last Name:
Job Function:
Australian State:
Email marketing by Interspire
weebly statistics

One plucky hacker has earned  a massive payday courtesy of a bug in Microsoft's Windows OS, pocketing a $100,000 reward for discovering a critical vulnerability.

British-based white-hat hacker James Forshaw from Context Information Security came up with a way of exploiting Windows applications that, according to various sources, overcomes systemic protections such as Address Space Layout Randomization and Data Execution Prevention in Windows 8.1 Preview. Microsoft has ponied up $100,000 for the information.

The tech giant announced back in June that it would join other like-minded companies like Google and Mozilla in paying external hackers to research vulnerabilities, offering up to $11,000 for critical vulnerabilities discovered in the Internet Explorer 11 beta  and up to $100,000 for any technique that bypassed Windows' built-in exploit mitigation schemes.

Forshaw jumped at the chance and had already discovered design level bugs during the IE11 Preview Bug Bounty, bringing his total earnings to $109,400.

"James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we're thrilled to give him even more money for helping us improve our platform-wide security by leaps," said Katie Moussouris, senior security strategist at the Microsoft Security Response Center in a blog post.

"While we can't go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants."

Microsoft said that unlike Mozilla for example, it is not paying for individual bugs but was instead offering the $100,000 scheme for entire classes of exploits.

"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," the company said.

"This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."

As we reported yesterday Danish-based startup CrowdCurity is also offering bounties for hackers, and is actively looking for small-to-medium sized businesses who want their security tested.


Don't let traffic bottlenecks slow your network or business-critical apps to a grinding halt. With SolarWinds Bandwidth Analyzer Pack (BAP) you can gain unified network availability, performance, bandwidth, and traffic monitoring together in a single pane of glass.

With SolarWinds BAP, you'll be able to:

• Detect, diagnose, and resolve network performance issues

• Track response time, availability, and uptime of routers, switches, and other SNMP-enabled devices

• Monitor and analyze network bandwidth performance and traffic patterns.

• Identify bandwidth hogs and see which applications are using the most bandwidth

• Graphically display performance metrics in real time via dynamic interactive maps

Download FREE 30 Day Trial!



Where are your clients backing up to right now?

Is your DR strategy as advanced as the rest of your service portfolio?

What areas of your business could be improved if you outsourced your backups to a trusted source?

Read the industry whitepaper and discover where to turn to for managed backup


David Swan

David Swan is a tech journalist from Melbourne and is iTWire's Associate Editor. Having started off as a games reviewer at the age of 14, he now has a degree in Journalism from RMIT (with Honours) and owns basically every gadget under the sun. He also writes for Junkee and Fasterlouder. You can email him at david.swan@itwire.com or follow him at twitter.com/mrdavidswan