Microsoft awards hacking expert, repairs browser bug

Reuters

By Jim Finkle

BOSTON, Oct 8 (Reuters) - Microsoft Corp said on Tuesday it is paying a well-known hacking expert more than $100,000 for finding security holes in its software, one of the largest such bounties awarded to date by a high-tech company.

The software maker also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the world's most popular browser vulnerable to remote attack.

James Forshaw, who heads vulnerability research at London-based security consulting firm Context Information Security, won Microsoft's first $100,000 bounty for identifying a new "exploitation technique" in Windows, which will allow it to develop defenses against an entire class of attacks, the software maker said on Tuesday.

Forshaw earned another $9,400 for identifying security bugs in a preview release of Microsoft's Internet Explorer 11 browser, Katie Moussouris, senior security strategist with Microsoft Security Response Center, said in a blog.

Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the vast majority of the world's personal computers.

Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard Co for identifying a way to "pwn," or take ownership of, Oracle Corp's Java software in a high-profile contest known as Pwn2Own (pronounced "pown to own").

Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month.

Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that the cybersecurity firm FireEye has dubbed DeputyDog.

Marc Maiffret, chief technology officer of the cybersecurity firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft's disclosure of the issue brought it to the attention of cyber criminals.

He is advising computer users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates.

"Any time they patch something that has already been used (to launch attacks) in the wild, then it is critical to apply the patch," Maiffret said.

That vulnerability in Internet Explorer was known as a "zero-day" because Microsoft, the targeted software maker, had zero days' notice to fix the hole when the initial attacks exploiting the bug were discovered.

In an active, underground market for "zero day" vulnerabilities, criminal groups and governments sometimes pay $1 million or more to hackers who identify such bugs.