Forgot your password?
typodupeerror
Microsoft Bug Google Internet Explorer Security

Microsoft Bug Bounties Flow To Googlers 65

Posted by Soulskill
from the cross-company-code-cleanup dept.
chicksdaddy writes "Lucre from Microsoft's newly minted bug bounty program is lining the pockets of Google researchers. Two Google employees earned the distinction of receiving some of the first (official) monetary rewards under the company's bounty program. Fermín Serna, a researcher in Google's Mountain View, California headquarters, said he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft's Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna's colleague, Ivan Fratic, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. 'Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,' he said. As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was 'way less' than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which includes ASLR as well as the Data Execution Prevention or DEP technology). 'But still nice!'"
This discussion has been archived. No new comments can be posted.

Microsoft Bug Bounties Flow To Googlers

Comments Filter:
  • Good (Score:5, Interesting)

    by Frankie70 (803801) on Saturday July 20, 2013 @11:46AM (#44336965)

    Microsoft now has Google Employees working for them as paid part time employees. Not a bad thing.

    • MS clearly has the world's worst collection of programmers. They need all the help they can get, since they are just too incompetent.
  • How much is a Windows 8 exploit worth these days on the open market, something like $250,000?
    • by mysidia (191772)

      How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

      Microsoft requires more than a mere exploit for that; you need to defeat Windows 8 security mitigations and provide a whitepaper for even more $$$; on the open market, that's probably worth half a million, to defeat all the security mitigations MS has provided; which essentially means an infection using the exploit could become unstoppable

    • by drinkypoo (153816)

      How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

      How much is it worth it to get paid without a chance of being sent to PMITAP in the future, or better yet, being richly rewarded for all that you deserve for providing arms to organized crime?

      • In my country, you can only get sent to prison for criminal activities. As in, things that the criminal law probihits. This isn't one of them.
        • by drinkypoo (153816)

          In my country, you can only get sent to prison for criminal activities. As in, things that the criminal law probihits. This isn't one of them.

          In your country, aiding and abetting a crime is not a crime?

          • In your country, aiding and abetting a crime is not a crime?

            It is. But trading with exploits is no more a crime around here than selling knives or hammers. We don't go about jailing hardware shop owners whenever some psycho kills someone with their tools.

            • I'm getting the idea that you are not a lawyer, and that you underestimate the skills of those who are.

              • Most people aren't lawyers. That doesn't change anything, though. You don't change our legislation by "skills of lawyers", at most you can do it by lobbying in our parliament and senate.
  • Say it ain't so (Score:4, Insightful)

    by Kwyj1b0 (2757125) on Saturday July 20, 2013 @12:14PM (#44337037)

    So a company announces a bug-bounty program, and bugs are found by programmers working for a major software company? Stop the press!

    Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).

    It is interesting that both exploits have to do with IE. While I don't use IE frequently, I'd assume that it is easier to own a system using *@F# Adobe exploits (which would still be the OS's fault). Or are there restrictions that prevent rewards for exploits via third party software?

    • by Smauler (915644)

      Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).

      Exceptions? Name a programmer. Name another. And another. How many of them work for the big name companies? (I got 0 in my top 3, 1 in my top 5).

  • "I'd like to report a bug. I upgraded my Microsoft Windows and now I see blue."

    "Ah, the famed blue screen of death. Ok, read me what it says."

    "Which one?"

    "What?"

    "Which blue screen? There are little blue screens all over the place, and little green ones, and some other colors too."

  • by tnk1 (899206)

    Googlers Paid Off By Microsoft!

    News at 11.

  • by tuppe666 (904118) on Saturday July 20, 2013 @01:07PM (#44337239)

    ...its cheaper

  • by Myria (562655) on Saturday July 20, 2013 @02:22PM (#44337529)

    I found an exploit in a different part of Windows, but they aren't paying for that. They were only paying for mitigation bypass exploits and IE11 exploits.

    I guess I'll stick to my original plan and use it to jailbreak Windows RT 8.1 and possibly Windows Phone 8.

  • Address space randomization is security through obscurity. It's an admission that you can't fix your buffer overflows. It slows down attackers, but there are counters, such as "spraying attacks".

    Worse, it means that bugs become nonrepeatable and harder to fix. So software quality degrades. It produces more of those errors you see in bug tracker as "Closed - can't reproduce".

    This is a fixable problem. Microsoft could use C#, or Java, or Go, or Python, or Javascript - languages with subscript checking.

    • ASLR is a great fix in addition to buffer overflow protections. Infact since XP SP 2 and IE 7 they are included when compiled which is why Windows 2000 is stuck with IE 6. ASLR with 64 bit virtual memory space increases the randomization greatly as you now have 2 terabytes of addresses to check if you are spraying.

      The fact that linux does not do this is a downside. ASLR is now supported in the latest versions of MacOSX as well. You can try to fix as much as you can with overruns but there are always other w

    • I mean, if a car has an airbag, that's just an admission that the driver isn't skilled enough. Right?

    • And Apache has a mechanism where it it spawns extra children and kills them periodically because it knows somehow or another one of them is going to leak memory.

      So what's your point?

  • Maybe this is exactly Microsoft's strategy. Keep paying Google employees to find their bugs, meaning they're less efficient at their current job. Eventually, the Google employees will have enough money to retire, and Microsoft will suddenly have a product that is free from major security flaws. Meanwhile, Google finds it has multiple vacancies in positions desperately behind on their work. I can just imagine Page looking around blankly, wondering when he was given the slip.

    Not bloody likely, but would be fu

"Just think of a computer as hardware you can program." -- Nigel de la Tierre

Working...