
Microsoft Pays Out $100,000 for Windows 8.1 Flaw

Source: Microsoft | 17 comments

That's a lot of moolah.

Cast your mind back to June and you might remember that Microsoft put out a bounty for flaws in Windows 8.1 and Internet Explorer 11. The company promised direct cash payments for those who could provide truly novel exploitation techniques built into Windows 8.1 Preview. Redmond promised up to $100,000.

Six months down the line, the company is paying the piper. The company updated its BlueHat blog, congratulating James Forshaw for coming up with a new exploitation technique. Forshaw is a security vulnerability researcher with Context Information Security and had already found design-level bugs in IE11 (in other words, this may be the biggest payment he's gotten from Microsoft, but it's not his first).

"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," Microsoft said today. "This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."

Unfortunately, Microsoft won't go into the details of Forshaw's exploit (it has to address the issue first), but the company did say that one of its own engineers also found a variant of this class of attack technique. Microsoft says it's already paid out over $128,000 thanks to its bounty programs. You can check out the guidelines for taking part here.

Follow Jane McEntegart @JaneMcEntegart. Follow us @tomshardware, on Facebook and on Google+.

Comments
  • 8 Hide
    wiinippongamer , October 10, 2013 12:25 AM
    Metro. Where do I claim my 100k?
  • 7 Hide
    JackFrost860 , October 10, 2013 12:56 AM
    I hope his employer did not claim the money off him for work done on company time ;) 
  • -9 Hide
    DjEaZy , October 10, 2013 1:32 AM
    ... Microsoft Pays Out $100,000 for Windows 8.1 Flaw... the OS is a flaw... showmethemoney [starcraft cheat]...
  • 0 Hide
    x2ruff4u , October 10, 2013 1:41 AM
    Microsoft is flawed to begin with.
  • 10 Hide
    rantoc , October 10, 2013 1:41 AM
    Having by far the hugest OS market share also makes for the biggest target, as it's less of a benefit to hack a small market share OS. It has sadly been proven over and over that many don't care as much about it since it's so infrequent (security through low market share isn't security!). Good to see that MS places security high on the priority list.
  • -7 Hide
    edwd2 , October 10, 2013 1:58 AM
    what is microsoft doing these days. seems like there's no positive news wherever I look
  • 4 Hide
    yannigr , October 10, 2013 2:12 AM
    In other news, Facebook doesn't pay even $500 to a security researcher from Palestine for finding a security bug that lets him post on Zuckerberg's wall.
  • -4 Hide
    rokit , October 10, 2013 3:34 AM
    Only Windows 8.1? Owww =(
    Agree with the first comment, also:
    - no rounded corners for windows
    - no tabs for file browser, it's 2013 mind you
    - using Windows Update it downloads and installs only crippled (no OpenGL) versions of proprietary video drivers
    - majority of net cards, wifi dongles, printers, video cards (VESA is your friend, right?) etc. don't work without installing drivers from disks, so crap out-of-the-box experience after install
    - need an antivirus to work unless you will tolerate switching from user account to administrative for installing programs and running some of them. And don't forget to switch off all services that might be used to brich your system, no one wants to be part of a botnet (at the very least)
    - Windows market is useless for real software because of license issues, so you still have to use an internet browser to search for and install most of the software
    - permissions on maximum user amount that can connect to non-server version
    - console is outdated, you can't do anything with it, you don't even have utilities for the basic stuff
    - no way to set up and manage a RAM disk
    - file names aren't case sensitive
    - doesn't support other file systems

    I am sure there're more but I am fine with $1 100 000.
    Yes, I know most of this can be fixed (legally and not) with 3rd party $oftware but other OSes have that for free out of the box. And even though MS copied a lot out there, there is still a huge room to grow (copy).
  • 4 Hide
    bourgeoisdude , October 10, 2013 6:45 AM
    Quote:
    what is microsoft doing these days. seems like there's no positive news wherever I look
    Fixing major security flaws before general release is a bad thing? Or were you referring to the comments section?
  • 0 Hide
    S Brideau , October 10, 2013 9:32 AM
    @rokit
    Most of the stuff you write there doesn't have anything to do with M$ or is a security flaw.
    - No rounded corners -> They change the style as they please. It's not because XP/Vista/7 had rounded corners that it still needs them.
    - No tabs -> Depends on what you mean by tabs
    - Crippled versions of video drivers -> Why would you use Windows Update for drivers? To get the latest drivers you always go to the manufacturers' site.
    - Majority of net cards [...] -> Same as above, the manufacturer's site is the best source for drivers
    - Need antivirus to work -> Apparently you never used a good antivirus? A good antivirus does work. Also it is better to use a restricted account instead of an admin account for most things and no one should be admin. When using those 'regular' accounts instead of admin accounts, M$ allows you to enter the admin password with the UAC when the admin permission is needed for a program or something.
    - Windows market being useless -> Real software such as Adobe or other stuff has a license for a reason. Open-source programs are never as good as the real thing but I agree that they are as functional.
    - Permission on maximum user amount -> I don't understand that one
    - Console is outdated -> I agree. There is however the PowerShell that replaces the basic console.
    - No way to setup ram disk -> True
    - File names aren't case sensitive -> I agree that they should be.
    - Doesn't support other file systems -> Not sure I agree with that one as I haven't tested it, but it would surprise me.
  • 1 Hide
    smeghead4269 , October 10, 2013 10:37 AM
    $100K for a security flaw. That's much better than $12.50 in store credit.

    Yahoo, I'm looking at you.
  • 1 Hide
    Durandul , October 10, 2013 3:32 PM
    It's good to know they aren't yahoos. See what I did there? :p 
  • 1 Hide
    Rhinofart , October 10, 2013 4:40 PM
    @rokit
    With the speed of SSD these days, who needs a RAMdrive? Yes, I used them a lot in the Dos 6.33 days, and into windows 3.11 For Workgroups.
    Filename case sensitivity? ROFLMAO. Do you know how much of a frustration that would be for general / casual computer users?
    Windows market being useless? Not sure I understand what you are getting at there. The windows market is the largest market around, and most of the software written out in the world is written for the windows market. I'm fairly hard pressed to find software for my Mac / *nix systems that compares to the offerings in the windows market.
  • 0 Hide
    Rhinofart , October 10, 2013 4:44 PM
    Stupid double posting bug.
  • -1 Hide
    yay , October 10, 2013 7:05 PM
    I'm sick of people saying things like "when you have the biggest market share" or "Windows is attacked the most because of its market share". That's not an excuse anymore, Linux does just fine on supercomputers, web servers, mobile phones, media centers, point of sale machines etc. etc. etc. every single day, and exploiting an entire server is far more beneficial than one machine.
  • -1 Hide
    rokit , October 10, 2013 10:45 PM
    @S Brideau
    I know, the hate flows. I haven't been using Windows for years already, excluding the times when my friends want me to help them. But I never dig too much as I am not interested, though even for a little time some things are annoying!
    - Round corners look more pleasant - less disturbing, that's why it was a good decision for the previous MS OS but now they throw it away and you notice this crap. Aero changed and doesn't have a nice effect anymore. I'll ask if it's easily changeable but for now it means that the default looks ugly.
    - No it's not, tabs in file browser can only mean one thing - tabs. It's really annoying that Explorer doesn't have such a feature in 2013. All good file browsers have had those for years already.
    - Why would MS do it in the first place? Companies tend to do it for preinstall OS and this is default feature MS pushes to you. Most of my friends are in 3D stuff and when Windows gladly installed drivers for videocard they get happy but when they opened their programs they became sad. It was 7 but i am sure 8 is no better in this department.
    - Uh, no. Why do some OSes already have drivers for a huge spectrum of hardware parts and peripherals? They already have those drivers. I can understand closed source but almost all drivers excluding video cards and some wifi chips have them opened. Windows weighs so much yet offers so little.
    - No, if a user is under admin and has antivirus and firewall enabled he can still install bad software and help some botnet doing things. I was solving such issues, they do exist because the user knows that there're some programs (or some parts of them) that will interfere with the defence program but are needed. So if Windows asks for permission and the defence program (no matter how good) asks what to do with it they say "pass it, I need this program". No one is crippling your files, those days are gone, right now your PC is either helping to crack some passwords, used for a DDoS attack or bitcoin mining.
    "When using those 'regular' accounts instead of admin accounts, M$ allows you to enter the admin password with the UAC when the admin permission is needed for a program or something." Including installing programs?
    Yes, people should use a user account for doing things and not install some crap. And I believed some long time ago that all humans are smart PC users, they're not, even in 2013 they make those stupid mistakes.
    - Open source is the majority, and almost all small but useful programs are both open and free. The latter doesn't matter for the market but the first one should be enough to include it. Not much is included though. They try baby steps in the repository direction in 2013 *facepalm*
    - It means only a set count of users can simultaneously connect to your PC. They also have different numbers for printers and everything else. That's how they sell their Server editions to people who are not using Windows infrastructure and need it just for a few Windows-only programs on a virtual machine. If you 'hack' Windows you can surely have those features but it is as illegal as pirating, there is no difference by the law.
    - Console. That's why I said that most of those features can be installed later but such a thing is too useful not to include it, even though it can't hold a candle to the simplicity of other OSes applied to it, it should be there by default because otherwise it tends to complicate some things.
    - No other FS aside from FAT and NTFS is supported. You can use ext3 through very crap means to the point it's unusable and that's all I can remember.

    @Rhinofart
    I am not talking about RAMDrive, those things were always expensive. I am talking about using your RAM as a drive, it's useful on many occasions including usage with an SSD.
    There is no frustration, this feature is natural. Just because Microsoft taught that it's not doesn't mean they stand true.
    I am not sure what software you are talking about but *nix systems have a lot of *nix-only software, obviously finding the same one for Windows would be nigh impossible. But some simple software that was tested by enterprise companies is in *nix and free while Windows has "who knows?" who wrote the software, made it closed source (possible trojan?) and charged some money even though it has a lot of bugs that the *nix counterpart doesn't have. Using RAM as a file system is a good example.