
Microsoft pays hacker $100,000 for finding security holes

Posted on 10 October 2013

Microsoft is paying a well-known British hacking expert more than $100,000 for finding security holes in its software, one of the largest bounties awarded to date by a tech company.

The company also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the browser vulnerable to remote attack.

James Forshaw, who heads vulnerability research at British consulting firm Context Information Security, won Microsoft’s first $US100,000 ($106,000) bounty for identifying a new “exploitation technique” in Windows, which will allow it to develop defences against an entire class of attacks, the company said.

Forshaw is among the many “white hat” hackers who hack for good and get rewarded for their efforts. Companies such as Apple and Facebook have hall of fame pages on their websites to recognise hackers, and some companies even pay them.

Forshaw, who is currently travelling to attend a security conference, earned another $US9400 for identifying security bugs in a preview release of Microsoft’s Internet Explorer 11 browser, Katie Moussouris, senior security strategist with Microsoft Security Response Centre, said in a blog post.

“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus of complex logic bugs,” Forshaw said.

“I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires.”

To find his winning entry, Forshaw studied the mitigations available today and after brainstorming identified a few potential angles.

“Not all were viable but after some persistence I was finally successful.”

He said receiving recognition for his entry was “exciting” to him and his employer.

“It also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers.”

Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the majority of the world’s PCs.

Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard for identifying a way to “pwn”, or take ownership of, Oracle’s Java software in a high-profile contest known as Pwn2Own (pronounced “pown to own”).

Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month.

Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that cyber security firm FireEye has dubbed DeputyDog.

Marc Maiffret, chief technology officer of the cyber security firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft’s disclosure of the issue brought it to the attention of cybercriminals.

He is advising PC users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates.

“Any time they patch something that has already been used [to launch attacks] in the wild, then it is critical to apply the patch,” Maiffret said.

That vulnerability in Internet Explorer was known as a “zero-day” because Microsoft, the targeted software maker, had zero days’ notice to fix the hole when the initial attacks exploiting the bug were discovered.

In an active, underground market for “zero day” vulnerabilities, criminal groups and governments sometimes pay $US1 million or more to hackers who identify such bugs.

Microsoft’s reward is slightly more generous than that of Yahoo!, which recently offered a security researcher a $US25 voucher to the company’s online store for reporting three security flaws.

Yahoo later opened up a program, with rewards of up to $US15,000, after security researchers ridiculed the minuscule $US25 prize.

Correction: This article originally said Mr Forshaw was based in Melbourne and an Australian. The error came about due to information distributed by Context’s British public relations firm. Context Australia’s managing director said the information was “misleading” and confirmed Mr Forshaw was based in Britain.
