Hewlett-Packard security researchers have been awarded a bug bounty of $125,000 from Microsoft as part of the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense program.
Three members of HP’s Zero Day Initiative (ZDI) team, Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, scooped up the main $100,000 prize after submitting techniques and steps to attack the Isolated Heap and MemoryProtection functions in the latest version of Microsoft Internet Explorer. The submission, made to the Redmond giant’s Mitigation Bypass Bounty and Blue Hat Bonus for Defense scheme, also outlined how an attacker could use MemoryProtection as an oracle to completely bypass ASLR.
MemoryProtection functions, as well as ASLR, are designed to prevent successful exploits of certain use-after-free (UAF) vulnerabilities.
Microsoft’s Mitigation Bypass Bounty and BlueHat Bonus for Defense Program, which began in 2013, allows security researchers to submit mitigation bypasses against the Windows platform. Under the program, entrants can win up to $100,000 in addition to up to $50,000 for defense ideas.
After explaining and demonstrating the theoretical attack on Internet Explorer, HP’s researchers also offered a way to defend systems against the technique they discovered, which gave them an additional $25,000 in awards, bringing the total count to $125,000.
HP’s Zero Day Initiative focuses on bug bounties and investigations into security. The researchers have chased Internet Explorer’s use-after-free problems for some time, although the inclusion of two new mitigations — Isolated Heap and MemoryProtection (MemProtect) — added by Microsoft into IE during June and July 2014 patches “really started to up [Microsoft’s] game in hardening Internet Explorer against memory corruption vulnerabilities,” according to Zuckerbraun.
The team sticks to a 120-day disclosure policy if vulnerabilities are discovered. Microsoft was informed of the mentioned IE flaws, and since the discovery met the requirements of the tech firm’s Mitigation Bypass Bounty, the submission included a proof-of-concept case study.
At the time of writing, HP says the security issue has not been patched.
As employees of HP, the security researchers will not get to keep the cash prize. Instead, they are donating the funds to three educational establishments with emphasis on STEM research — Texas A&M University, Concordia University, and Khan Academy.