Hacker Gets $100K from Microsoft for Breaking Windows 8.1 Security
Microsoft just paid $100,000 to a hacker who successfully breached Windows 8.1 security. The hacker is James Forshaw, head of vulnerability research at Context Information Security.
He used a new mitigation bypass technique to go around the security defences built into Windows 8.1 Preview, the latest version of Redmond's OS.
In June, Redmond released three bounty programs that rewarded researchers for techniques that bypass built-in OS mitigations and protections, defences that prevent the bypasses and discovery of vulnerabilities in Internet Explorer 11 Preview.
It is Mr Forshaw's second award from Microsoft after he had earlier been given $9,400 for discovering design level bugs under the IE11 Preview Bug Bounty programme of the tech giant.
The previous amount he received is part of the $28,000 payouts made by Microsoft to six security researches who collectively reported 15 different bugs in the IE11 preview release.
Mr Forshaw got a significantly higher award for the Windows 8.1 hack than the awards given to IE11 hackers since he provided information on new mitigation bypass techniques that helps Redmond develop defences against entire classes of attack.
Microsoft, however, would not provide details of Mr Forshaw's technique until the company has a security fix for it. But it praised Mr Forshaw's work through a post on the Blue Hat blog.
"We're thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James [Forshaw's] entry will help us improve our platform-wide defences and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues," The Register quoted Microsoft Trustworthy Computing Senior Security Strategist Lead Kati Moussouris.
Mr Forshaw said the intellectual challenge in finding bugs is his motivation, not the prize money.
"Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus of complex logic bugs," Mr Forshaw said in a statement. "I'm keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires.
"To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful," he added.
Mr Forshaw, whom The Register said is a Briton, while the Sydney Morning Herald said is an Australian, will speak at the Hack in the Box conference in Kuala Lumpur, Malaysia in the later part of October.
In claiming Mr Forshaw to be an Australian, the Sydney Morning Herald said his consulting firm Context Information Security is based in Melbourne.