New attack technique lands researcher $100k Microsoft bug bounty

By

Redmond quiet on details.

A security researcher with a Melbourne-based security firm has discovered and reported to Microsoft a new attack technique earning him Redmond's first and largest bug bounty of $100,000.

New attack technique lands researcher $100k Microsoft bug bounty

Details of James Forshaw's attack were kept under wraps until Microsoft could develop and implement defensive security measures to mitigate the bypass technique.

Forshaw, London-based head of vulnerability research at Melbourne's Context Information Security, said he had focused on complex logic bugs in the past. 

James Forshaw

 

"I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires," Forshaw said.

"To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful."

Forshaw earnt Microsoft's new Bounty for New Mitigation Bypass Techniques served under its Blue Hat initiative which paid researchers for developing and quietly reporting new attack techniques to help build defensive measures.

The program, one of three launched in June, was different from ordinary bug bounties in that to earn the large rewards researchers had to invest more time to develop attack techniques rather than just reporting individual vulnerabilities.

The bounties issued cash rewards to researchers who privately disclosed bypasses for built-in operating system mitigations and protections, for defences to stop those attacks, and for vulnerabilities in Internet Explorer 11 Preview.

Forshaw also earnt $9400 under the latter bounty for reporting flaws in the new version of Microsoft's flagship browser.

Microsoft senior security strategist lead Katie Moussouris said Forshaw's attack disclosure would help Microsoft protect against an entire class of bugs.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

Phishing attack nets enormous npm supply chain compromise

Phishing attack nets enormous npm supply chain compromise

VicRoads to phase out passwords in favour of passkeys

VicRoads to phase out passwords in favour of passkeys

Service NSW centralises security, networking in mammoth CloudOps overhaul

Service NSW centralises security, networking in mammoth CloudOps overhaul

Apple adds "mercenary spyware" protection to new A19 chip

Apple adds "mercenary spyware" protection to new A19 chip

Log In

  |  Forgot your password?