HP Awarded $125,000 Bug Bounty By Microsoft

Hewlett-Packard’s Zero Day Initiative (ZDI) researchers have been awarded a $125,000 prize for a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. The money, awarded to HP ZDI researchers Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, will be donated to charity.

The HP ZDI researchers focused on Microsoft’s Internet Explorer browser and use-after-free (UAF) vulnerabilities. UAF vulnerabilities are a form of memory corruption that can potentially enable attackers to exploit vulnerable systems. In any given IE update, UAF vulnerabilities are typically the vulnerability class that is most often patched.

Brian Gorenc, manager of vulnerability research for HP Security Research, explained that the ZDI research looked at the isolated heap and memory protection security features in Internet Explorer to see if there were any potential weaknesses.

“We did two months of research and discovered several weaknesses,” Gorenc told eWEEK.

The HP ZDI researchers submitted a paper to Microsoft outlining techniques to bypass the isolated heap and memory protection security features. The team was also able to bypass address space layout randomisation (ASLR) by way of the memory protection mitigation feature, Gorenc said.

$125,000 Microsoft prize

The $125,000 Microsoft prize is made up of two parts: The first $100,000 was for the research into the weaknesses in the isolated heap and memory protection security features, and an additional $25,000 was awarded to the ZDI researchers because they also explained to Microsoft, techniques that could be implemented to fix the weaknesses.

Gorenc and HP’s ZDI team are no strangers to UAF vulnerabilities across multiple applications and vendors. HP ZDI buys security research from researchers and is always interested in purchasing UAF vulnerabilities, he said, adding that the team has disclosed hundreds of UAF issues over the years.

“Hackers are using UAF vulnerabilities quite frequently to get into systems, so the more of them that we can get off the market, the better,” Gorenc said.

The UAF protection techniques HP ZDI has provided to Microsoft are specific to the Internet Explorer browser though they might be applicable to help other browser vendors in the future. “Other vendors that have issues with UAF might be able to use some of the techniques that we document and possibly harden their own applications against attack,” he said.

HP’s ZDI plans to publish a whitepaper on the Microsoft weaknesses and the potential mitigations, Gorenc said. The complete whitepaper will not be released until later this year to make sure Microsoft has time to resolve the security issues the research has outlined, Gorenc said, adding that the initial whitepaper was provided to Microsoft in October 2014. HP ZDI typically has a 120-day policy for the disclosure of flaws.

“We’re trying to give [Microsoft] time to resolve the issues, but as of Feb. 5, they still haven’t resolved the issues yet,” Gorenc said.

The $125,000 award that the HP ZDI researchers received will be divided up and given to Texas A&M University, Concordia University and Khan Academy.

HP ZDI has donated bug-bounty awards to charity in the past. In March 2013, HP ZDI donated $82,500 to the Canadian Red Cross for security research awards during the Pwn4fun contest. At that event, HP and Google researchers competed to find browser vulnerabilities.

Take our hacking quiz here!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

1 hour ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

2 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

3 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

5 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

7 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

8 hours ago