The software giant has paid $100,000 to the UK researcher James Forshaw, who found a critical security flaw in Microsoft’s upcoming Windows 8.1 OS.
Forshaw, a researcher for the security company, has found a “mitigation bypass”. This hack circumvented the built-in protection systems that could have allowed intruders access to the system.
Microsoft said it couldn’t provide any details of that mitigation bypass technique until it found a way to address it. However, the software giant promised to strengthen platform-wide mitigations, and make it harder to exploit vulnerabilities in all software that runs on Windows platform, not only their own apps.
The researcher admitted it had taken him 25 days to find the bug, responding to “a very specific brief” from the software giant. Forshaw originally came up with the winning idea sitting at home and pondering what he could do. $100,000 bounty is a lot of money, but James Forshaw said that he wasn’t talking retirement money there. Indeed, when it comes to security flaw bounties like Microsoft’s, most of it goes to the company. Actually, even if it didn’t, after paying taxes it is already not a life-changing amount.
The researcher admitted that using outside experts was just part of the process due to the scale of the task involved. The software giant has a huge security department which actively looks for software bugs in its products, but it might be just a problem of being too close to the product – you simply cannot see the wood for the trees. Forshaw recommends to step back and take a look at the entire product and its interactions in order to find the higher-level flaws.
It seems that outsourcing is also important from a monetary point of view. In fact, the company couldn’t dedicate enough resources to find everything, because it is cheaper to pay external researchers bounties like this one. Apparently, there is only a finite pool of talented people who are able to find vulnerabilities in software products.
One can argue that the bugs and vulnerabilities should not exist in the first place, but everyone knows that humans are fallible and nobody can write perfect code.
Forshaw, a researcher for the security company, has found a “mitigation bypass”. This hack circumvented the built-in protection systems that could have allowed intruders access to the system.
Microsoft said it couldn’t provide any details of that mitigation bypass technique until it found a way to address it. However, the software giant promised to strengthen platform-wide mitigations, and make it harder to exploit vulnerabilities in all software that runs on Windows platform, not only their own apps.
The researcher admitted it had taken him 25 days to find the bug, responding to “a very specific brief” from the software giant. Forshaw originally came up with the winning idea sitting at home and pondering what he could do. $100,000 bounty is a lot of money, but James Forshaw said that he wasn’t talking retirement money there. Indeed, when it comes to security flaw bounties like Microsoft’s, most of it goes to the company. Actually, even if it didn’t, after paying taxes it is already not a life-changing amount.
The researcher admitted that using outside experts was just part of the process due to the scale of the task involved. The software giant has a huge security department which actively looks for software bugs in its products, but it might be just a problem of being too close to the product – you simply cannot see the wood for the trees. Forshaw recommends to step back and take a look at the entire product and its interactions in order to find the higher-level flaws.
It seems that outsourcing is also important from a monetary point of view. In fact, the company couldn’t dedicate enough resources to find everything, because it is cheaper to pay external researchers bounties like this one. Apparently, there is only a finite pool of talented people who are able to find vulnerabilities in software products.
One can argue that the bugs and vulnerabilities should not exist in the first place, but everyone knows that humans are fallible and nobody can write perfect code.
No comments:
Post a Comment