Microsoft Pays Out $100,000 for Windows 8.1 Flaw

Cast your mind back to June and you might remember that Microsoft put out a bounty for flaws in Windows 8.1 and Internet Explorer 11. The company promised direct cash payments for those who could provide truly novel exploitation techniques built into Windows 8.1 Preview. Redmond promised up to $100,000.

Six months down the line, the company is paying the piper. The company updated its BlueHat blog, congratulating James Forshaw for coming up with a new exploitation technique. Forshaw is a security vulnerability researcher with Context Information Security and had already found design-level bugs in IE11 (in other words, this may be the biggest payment he's gotten from Microsoft, but it's not his first).

"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," Microsoft said today. "This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."

Unfortunately, Microsoft won't go into the details of Forshaw's exploit (it has to address the issue first), but the company did say that one of its own engineers also found a variant of this class of attack technique. Microsoft says it's already paid out over $128,000 thanks to its bounty programs. You can check out the guidelines for taking part here.

Follow Jane McEntegart @JaneMcEntegart. Follow us @tomshardware, on Facebook and on Google+.

  • wiinippongamer
    Metro. Where do I claim my 100k?
    Reply
  • JackFrost860
    I hope his employer did not claim the money off him for work done on company time ;)
    Reply
  • DjEaZy
    ... Microsoft Pays Out $100,000 for Windows 8.1 Flaw... the OS is a flaw... showmethemoney ...
    Reply
  • x2ruff4u
    Microsoft is flawed to begin with.
    Reply
  • rantoc
    Having by far the hugest OS market share also makes for the biggest target as its less of a benefit to hack a small market share OS. It have sadly been proven over and over that many don't care as much about it since its so infrequent (security through low market share isn't security!). Good to see that MS places security high on the priority list.
    Reply
  • edwd2
    what is microsoft doing these days. seems like there's no positive news wherever I look
    Reply
  • yannigr
    On other news Facebook doesn't pay just $500 to a security researcher from Palestine for finding a security bug that let's him post in Zuckerberg's wall.
    Reply
  • rokit
    Only Windows 8.1 ? Owww =(
    Agree with the first comment, also:
    - no rounded corners for windows
    - no tabs for file browser, its 2013 mind you
    - using windows updates it downloads and updates only crippled(no OpenGL) versions of proprietary video drivers
    - majority of net cards, wifi dongles, printers, video cards(vesa is your friend right?) etc don't work without installing drivers from disks, so crap out of the box experiance after install
    - need an antivirus to work unless you will tolerate switching from user account to administrative for installing programs and run some of them. And don't forget to switch off all services that might be used to brich your system, noone wants to be part of botnet(at the very least)
    - windows market is useless for real software because of license issues, so you still have to use internet browser to search and install most of the software
    - permissions on maximum user amount that can connect to non server version
    - console is outdated, you can't do anything with it, you don't even have utilits for the basic stuff
    - no way to setup and manage ram disk
    - file names aren't case sensetive
    - doesn't support other file systems

    I am sure there're more but i am fine with $1 100 000.
    Yes, i know most of this can be fixed(legally and not) with 3rd party $oftware but other OSes have that for free out of the box. And even though MS copied alot out there there is still a huge room to grow(copy).
    Reply
  • bourgeoisdude
    11690373 said:
    what is microsoft doing these days. seems like there's no positive news wherever I look

    Fixing major security flaws before general release is a bad thing? Or were you referring to the comments section?

    Reply
  • S Brideau
    @rokit
    Most of the stuff you write there doesn't have anything to do with M$ or is a security flaw.
    - No rounded corners -> The change the style as they please. It's not because XP/Vista/7 had rounded corners that it still needs them.
    - No tabs -> Depends on what you mean by tabs
    - cripled versions of video drivers -> Why would you use windows update for drivers? To get the latest drivers you always go to the manufacturers' site.
    - Majority of net cards -> Same as above, the manufacturer's site is the best source for drivers
    - Need antivirus to work -> Apparently you never used a good antivirus? A good antivirus does work. Also it is better to use a restricted account instead of an admin account for most things and no one should be admin. When using those 'regular' accounts instead of admin accounts, M$ allows you to enter the admin password with the UAC when the admin permission is needed for a program or something.
    - Windows market being useless -> Real software such as Adobe or other stuff have a license for a reason. Open-source programs are never as good as the real but I agree that they are as functionnal.
    - Permission on maximum user amount -> I don't understand that one
    - Console is outdated -> I agree. There is however the PowerShell that replaces the basic console.
    - No way to setup ram disk -> True
    - File names aren't case sensitive -> I agree that they should be.
    - Doesn't support other file systems -> Not sure I agree with that one as I haven't tested it but it would suprise me.
    Reply