Microsoft pays $100K bounty to hacker - Maven911
http://business.financialpost.com/2013/10/10/microsoft-corp-hacking-bounty/?__lsa=d344-d1e8

======
maxjus
Here's a story you guys might appreciate.

I found a cross site scripting vulnerability in Bing.com that was kind of
hilarious. Searching for:

    </script><script>arbitrary js</script>

in the main search box would execute the code on the results page. I mean,
holy shit. I could not believe it. I emailed their whitehat service and they
fixed it but I never received a bounty.

------
tptacek
That is not actually the origin of the term "zero day"; "zero day" is a
tongue-in-cheek #hack expropriation of #warez jargon, where "zero days" refers
to the number of days from the official release date of a piece of pirated
software.

~~~
jonchang
The article isn't trying to explain the origin of "zero day". The article is
defining it in the context that it's used for the benefit of their readers.

> That vulnerability in Internet Explorer was known as a “zero-day” because
> Microsoft, the targeted software maker, had zero days notice to fix the hole
> when the initial attacks exploiting the bug were discovered.

~~~
tptacek
That's not why the vulnerability was known as "zero-day".

~~~
jonchang
So is that the point you were originally trying to make instead of discussing
etymology? While we're quibbling prescriptively about terminology, I'd argue
that the IE exploit patched earlier this week was in fact a zero day since it
was not public knowledge.

> The vulnerability underlying CVE-2013-3897 was found internally at Microsoft
> and would have been fixed in MS13-080. However, in the last two weeks,
> attacks against the same vulnerability became public, but since the fix was
> in the code already, it enabled Microsoft to address the vulnerability,
> CVE-2013-3897, in record time.

https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/10/08/patch-tuesday-october-2013 (unnecessary text omitted)

------
Moral_
This is a huge payout. It's my assumption for such a big payout this security
researcher was able to develop or extend upon some of the advanced
exploitation techniques we see today.

I think, for such a huge payout, and for what they said they would pay this
amount for is a _new_ tactic to defeat Microsoft's DEP[0] ASLR[1] and ROP[2].
All of these defence mechanisms have been broken before, but as I mentioned
Mr. Forshaw has probably developed a novel new technique to defeat these
checks.

Lastly, and probably least likely, I know academia and MS Research have been
working on ways to sandbox applications. It's possible he has developed a way
to break out of the sandboxes.

All of this is speculation, I hope soon we will have access to what he was
able to accomplish.

[0] http://en.wikipedia.org/wiki/W%5EX
[1] http://en.wikipedia.org/wiki/ASLR
[2] http://krebsonsecurity.com/tag/enhanced-mitigation-experience-toolkit/

~~~
j_s
_a new “exploitation technique” in Windows, which will allow it to develop
defenses against an entire class of attacks_

- the OP

_new mitigation bypass technique_

- http://www.contextis.co.uk/news/congratulations-james-forshaw/

- http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspx

------
kilovoltaire
"Internet Explorer, ... the world’s most popular browser"

That's no longer true, right?

~~~
jamesaguilar
The browser formerly known as the world's most popular browser.
[http://www.w3schools.com/browsers/browsers_stats.asp](http://www.w3schools.com/browsers/browsers_stats.asp)
[http://gs.statcounter.com/](http://gs.statcounter.com/)

I'm honestly quite amazed. When Chrome first came out, I remember asking my
teammates why we were wasting money on developing a browser, thinking it would
never be more than a niche product. Another reason why I'm not Google's CEO,
apparently.

~~~
rogerbinns
Think strategically. It doesn't really matter what the user base of Chrome or
Android are. What they do is raise the bar. Competitors and alternatives need
to be at least that good.

Javascript performance was pretty dismal until Chrome came around, and then
everyone had to up their game. Until Android, mobile platforms were tightly
controlled walled gardens (although Windows Mobile was among the least bad).
Now everyone wants Google Mail, Maps and Search on their mobile devices.

Google ultimately makes money through usage and the platform + apps/browser
don't matter that much financially. Without Chrome and Android, there is a
strong possibility of being cut out completely.

~~~
mgkimsal
" It doesn't really matter what the user base of Chrome or Android are. What
they do is raise the bar. Competitors and alternatives need to be at least
that good."

Yes it does matter, at least some. No one even knows what the bar _is_ if no
one is using it.

Someone could put together a wickedly fast browser with fantastic privacy
controls, release it tomorrow, but if no one used it, it wouldn't have any
effect on major browser makers.

JS performance went up in other browsers due to Chrome only because Chrome was
gaining users (even if the base was small at first), mostly because they were
able to push Chrome from Google.com itself.

------
philliphaydon
Good on MS for paying out such a large bounty.

~~~
kamjam
It will also hopefully help more people to responsibly disclose
vulnerabilities, rather than selling them on the black market. A pat on the
back is nice, but nothing says thank you like cold, hard cash!

~~~
rmc
That's one of the points of bug bounty programmes, isn't it?

~~~
kamjam
Sure. But when the amount is small/trivial and you simply give credit to the
finder or send them a t-shirt, you may then be tempted to find alternatives to
get a cash incentive.

~~~
rmc
Yep, that's exactly my point. Bug Bounties are supposed to be realistic
alternatives to the black market.

------
lutusp
The title of this submission: "Microsoft pays $100K bounty to hacker"

The title of the article: "Microsoft Corp pays US$100K bounty to hacking
expert who uncovered Windows bug that could have been used to launch remote
attacks"

To me, this level of editorializing approaches arbitrarily close to lying.

~~~
zheng
How exactly is it lying? Microsoft _did_ pay a $100k bounty to a hacker. The
HN headline just leaves out extra details (what the bounty was for), but
doesn't change the meaning at all. Am I missing something?

~~~
sergiotapia
How's this:

    Guy predicts the Higgs boson particle.

    World renowned physicist Foo Bar accurately models existence of boson particle.

---

See the difference? The title is BS. I expected a guy from Pakistan or
somewhere third world finding the bug.

~~~
xerophtye
Isn't that rather racist? You assume that if the person isn't being called an
"expert" then he's from Pakistan? Are you trying to imply that security
researchers in Pakistan are third rate?

PS: A security researcher from Pakistan has been bagging a lot of Bug Bounties
recently. Look up news on Rafay Baloch

~~~
aunty_helen
Well no, it's not racist, being that Pakistan is a country and not a race...
it sure does make your comment emotive though.

~~~
xerophtye
Unjust Discrimination either way.

------
rowofpixels
You could buy a lot of microsoft t-shirts with that much money.

------
walshemj
I think you meant paid his company: if you're employed as a security
researcher, your employer will own any rights.

------
briandear
How about MS just open sourcing the browser? Is their browser tech really that
trade-secret-filled?

