Researcher James Forshaw has been awarded a whopping $100,000 bounty for developing an attack that circumvents security precautions in the latest version of Microsoft’s Windows operating system.
“We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James’ entry will help us improve our platform-wide defenses and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues,” Katie Moussouris, a security strategist for Microsoft, told ThreatPost.
Microsoft, which had already identified elements of the attack technique, declined to provide any details of the exploit until their engineers have had time to analyze the attack and implement changes that would mitigate it.
“Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.
News of the bounty payout comes on a monumental Patch Tuesday, which included a fix for a zero-day exploit in Internet Explorer that is currently being used in targeted attacks.
In this month’s Patch Tuesday releases, Microsoft corrected four vulnerabilities rated as being critical, and four more rated as important for products including the .NET Framework, Windows, Microsoft Office, and the already mentioned Internet Explorer zero-day.
For a complete analysis of all of the Patch Tuesday mitigations, see the October Patch Tuesday VERT Alert here.