A security researcher with a Melbourne-based security firm has discovered and reported to Microsoft a new attack technique, earning him Redmond's first and largest bug bounty of $100,000.
Details of James Forshaw's attack were kept under wraps until Microsoft could develop and implement defensive security measures to mitigate the bypass technique.
Forshaw, London-based head of vulnerability research at Melbourne's Context Information Security, said he had focused on complex logic bugs in the past.
"I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires," Forshaw said.
"To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful."
Forshaw earnt Microsoft's new Bounty for New Mitigation Bypass Techniques, run under its Blue Hat initiative, which paid researchers for developing and quietly reporting new attack techniques to help build defensive measures.
The program, one of three launched in June, differed from ordinary bug bounties in that, to earn the large rewards, researchers had to invest more time in developing attack techniques rather than just reporting individual vulnerabilities.
The bounties issued cash rewards to researchers who privately disclosed bypasses for built-in operating system mitigations and protections, for defences to stop those attacks, and for vulnerabilities in Internet Explorer 11 Preview.
Forshaw also earnt $9400 under the last of these bounties for reporting flaws in the new version of Microsoft's flagship browser.
Microsoft senior security strategist lead Katie Moussouris said Forshaw's attack disclosure would help Microsoft protect against an entire class of bugs.