HP Awarded $125,000 Bug Bounty By Microsoft

Hewlett-Packard’s Zero Day Initiative (ZDI) researchers have been awarded a $125,000 prize for a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. The money, awarded to HP ZDI researchers Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, will be donated to charity.

The HP ZDI researchers focused on Microsoft’s Internet Explorer browser and use-after-free (UAF) vulnerabilities. UAF vulnerabilities are a form of memory corruption that can potentially enable attackers to exploit vulnerable systems. In any given IE update, UAF vulnerabilities are typically the vulnerability class that is most often patched.

Brian Gorenc, manager of vulnerability research for HP Security Research, explained that the ZDI research looked at the isolated heap and memory protection security features in Internet Explorer to see if there were any potential weaknesses.

“We did two months of research and discovered several weaknesses,” Gorenc told eWEEK.

The HP ZDI researchers submitted a paper to Microsoft outlining techniques to bypass the isolated heap and memory protection security features. The team was also able to bypass address space layout randomisation (ASLR) by way of the memory protection mitigation feature, Gorenc said.

$125,000 Microsoft prize

The $125,000 Microsoft prize is made up of two parts: the first $100,000 was for the research into the weaknesses in the isolated heap and memory protection security features, and an additional $25,000 was awarded to the ZDI researchers because they also explained to Microsoft techniques that could be implemented to fix the weaknesses.

Gorenc and HP’s ZDI team are no strangers to UAF vulnerabilities across multiple applications and vendors. HP ZDI buys security research from researchers and is always interested in purchasing UAF vulnerabilities, he said, adding that the team has disclosed hundreds of UAF issues over the years.

“Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better,” Gorenc said.

The UAF protection techniques HP ZDI has provided to Microsoft are specific to the Internet Explorer browser, though they might help other browser vendors in the future. “Other vendors that have issues with UAF might be able to use some of the techniques that we document and possibly harden their own applications against attack,” he said.

HP’s ZDI plans to publish a whitepaper on the Microsoft weaknesses and the potential mitigations, Gorenc said. The complete whitepaper will not be released until later this year to make sure Microsoft has time to resolve the security issues the research has outlined, Gorenc said, adding that the initial whitepaper was provided to Microsoft in October 2014. HP ZDI typically has a 120-day policy for the disclosure of flaws.

“We’re trying to give [Microsoft] time to resolve the issues, but as of Feb. 5, they still haven’t resolved the issues yet,” Gorenc said.

The $125,000 award that the HP ZDI researchers received will be divided up and given to Texas A&M University, Concordia University and Khan Academy.

HP ZDI has donated bug-bounty awards to charity in the past. In March 2013, HP ZDI donated $82,500 to the Canadian Red Cross for security research awards during the Pwn4fun contest. At that event, HP and Google researchers competed to find browser vulnerabilities.


Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek
