$100k bounty for finding Windows-wide flaw

News by Tim Ring

British security researcher James Forshaw has won the first ever $100,000 (£63,000) bounty awarded by Microsoft, for discovering a major vulnerability in its Windows operating system which is used by around 1.25 billion people worldwide.

Forshaw, head of vulnerability research at London-based Context Information Security, discovered the bug as part of his day job, so the reward goes to Context. It will be used to keep funding his research, though Forshaw said "Context will be generous enough" to give him around $20,000 (£12,500) of the money personally.

Microsoft and Forshaw are staying quiet about the nature of the flaw because a fix cannot be shipped immediately and may have to wait for a future version of Windows, which could take several months.

But Forshaw told SCMagazineUK.com: “It's something which is wide-ranging across the entire Windows platform – potentially any application could in theory be vulnerable to this same mitigation bypass, there's no limiting factor on where it can be used.”

He said the bug would in fact “work across different operating systems” but added that “It's very much focused specifically on certain properties in the way Windows works and the way Windows is implemented. It's primarily Windows-centric.”

Katie Moussouris, senior security strategist lead at Microsoft Trustworthy Computing, added: “James' entry will help us improve our platform-wide defences and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues.”

Microsoft launched its bounty programme in June, the first time it has made direct cash payments to bug hunters who discover vulnerabilities and exploitation techniques. It has paid out around £80,000 so far, making Forshaw's by far the biggest award.

Six researchers have benefited, all of them for finding bugs in Internet Explorer 11 - including Forshaw himself, who won £5,900 previously for identifying IE problems.

Patch Tuesday

Forshaw's latest award comes in the same week that Microsoft fixed several Internet Explorer problems in its 10th anniversary 'Patch Tuesday' bug-fix release.

Microsoft remedied a total of 28 problems in eight patches, including the widely publicised 'zero-day' Internet Explorer vulnerability known as CVE-2013-3893, which experts say allows remote code execution, letting attackers silently install malware on a user's computer and, from there, reach the wider network.

Microsoft issued a temporary 'Fix it' workaround for CVE-2013-3893 last month, but that workaround applied only to 32-bit Internet Explorer, not to 64-bit builds. Security specialist Sophos advises immediately installing the new permanent patch, which covers all supported Windows platforms, as CVE-2013-3893 "must be considered a clear and present danger".

As reported in SCMagazineUS.com, Microsoft also patched another IE zero-day flaw called CVE-2013-3897, three remote code execution flaws in Windows and Microsoft .NET Framework, and other problems in SharePoint Server, Excel, Word and Silverlight.

According to Microsoft, the privately reported vulnerability in Silverlight could allow attackers to disclose users' data if exploited. Silverlight is a free web browser plug-in for running interactive web and mobile applications.
