Microsoft Bug Bounties Flow To Googlers
chicksdaddy writes "Lucre from Microsoft's newly minted bug bounty program is lining the pockets of Google researchers. Two Google employees earned the distinction of receiving some of the first (official) monetary rewards under the company's bounty program. Fermín Serna, a researcher in Google's Mountain View, California headquarters, said he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft's Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna's colleague, Ivan Fratic, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. 'Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,' he said. As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was 'way less' than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which includes ASLR as well as the Data Execution Prevention or DEP technology). 'But still nice!'"
Good (Score:5, Interesting)
Microsoft now has Google Employees working for them as paid part time employees. Not a bad thing.
Re: (Score:1)
Re: (Score:2)
So MS didn't hire you? No wonder judging by the ignorance displayed in your post.
Re: (Score:2)
While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].
Here's my gripe, and I am not alone:
Why is it that there's no way to make routing avoid toll roads by default?
I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.
You sometimes wonder why things so basic, take so long to implement. Why?
Because that's not a product they sell? Go to a car navigation company (TomTom, Garmin, Navit come to mind) and give them money, they do what you want. Why you expect more than something basic from a free service is beyond me.
Re: (Score:2)
why buy waze then for a god awful amount of money if it's not for a product they sell? and it is a product they sell, both directly and by proxy..
Re: (Score:3)
why buy waze then for a god awful amount of money if it's not for a product they sell?
To stop another company acquiring it? Shrewd move
Re: (Score:1)
But what if he promised to watch ads on his smartphone? He would prefer to do this while driving instead of paying tolls.
Re:I wish Google would make its Maps more function (Score:4, Insightful)
While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].
Here's my gripe, and I am not alone:
Why is it that there's no way to make routing avoid toll roads by default?
I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.
You sometimes wonder why things so basic, take so long to implement. Why?
Possibly just to annoy jackoffs who don't know their hole from an ass in the ground and post off topic comments.
because people forget they set it and get LONG rts (Score:3)
Re: (Score:2)
I have no idea what you're on about. There is an "Avoid Tolls" function, and it's persistent if you're logged in. If you're wanting toll roads avoided by default for non-logged-in users, tough. There are very many people out there who don't mind paying small amounts to make their trips faster. I think it's a slim majority, and Google seems to agree.
Option in question:
http://i.imgur.com/IFSZRh5.png [imgur.com]
Re: (Score:2)
$11,000 for a full exploit? (Score:2)
Re: (Score:2)
How much is a Windows 8 exploit worth these days on the open market, something like $250,000?
Microsoft requires more than a mere exploit for that; you need to defeat Windows 8 security mitigations and provide a whitepaper for even more $$$; on the open market, that's probably worth half a million, to defeat all the security mitigations MS has provided; which essentially means an infection using the exploit could become unstoppable
Re: (Score:2)
How much is a Windows 8 exploit worth these days on the open market, something like $250,000?
How much is it worth it to get paid without a chance of being sent to PMITAP in the future, or better yet, being richly rewarded for all that you deserve for providing arms to organized crime?
Re: (Score:2)
Re: (Score:2)
In my country, you can only get sent to prison for criminal activities. As in, things that the criminal law prohibits. This isn't one of them.
In your country, aiding and abetting a crime is not a crime?
Re: (Score:2)
In your country, aiding and abetting a crime is not a crime?
It is. But trading with exploits is no more a crime around here than selling knives or hammers. We don't go about jailing hardware shop owners whenever some psycho kills someone with their tools.
Re: (Score:1)
I'm getting the idea that you are not a lawyer, and that you underestimate the skills of those who are.
Re: (Score:2)
Re: (Score:2)
I could make a million dollars with that, or sell it for $100,000
You do? Or you think you do?! Maybe it's worth a million, but how do you get in touch with these people? How do you stay anonymous enough so they cannot blackmail you? Are you sure you're not selling to the NSA and ending up in jail? For $1M it's not worth the risk, unless you already know these people...
Re: (Score:1)
Re: (Score:1)
And when the boys find out there is no exploit, you leave inside another bag.
It's too late... He already posted the message hypothetically selling the exploit.
Re: (Score:2)
Re: (Score:2)
It could be a battle. My bets are on Google.
Re: (Score:2)
But from the perspective of the project leads, it's all good.
Not if the Googlers and Redmonders talk to each other. They could each intentionally introduce bugs, tell the other team how to find them, and then split the profits.
Say it ain't so (Score:4, Insightful)
So a company announces a bug-bounty program, and bugs are found by programmers working for a major software company? Stop the press!
Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).
It is interesting that both exploits have to do with IE. While I don't use IE frequently, I'd assume that it is easier to own a system using *@F# Adobe exploits (which would still be the OS's fault). Or are there restrictions that prevent rewards for exploits via third party software?
Re: (Score:2)
Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).
Exceptions? Name a programmer. Name another. And another. How many of them work for the big name companies? (I got 0 in my top 3, 1 in my top 5).
No (Score:1)
"I'd like to report a bug. I upgraded my Microsoft Windows and now I see blue."
"Ah, the famed blue screen of death. Ok, read me what it says."
"Which one?"
"What?"
"Which blue screen? There are little blue screens all over the place, and little green ones, and some other colors too."
Scandal! (Score:2)
Googlers Paid Off By Microsoft!
News at 11.
Pay them in Surface Tablets (Score:3)
...it's cheaper
Emotional about Mega Corporations (Score:2)
Apple that everyone loved. Today they're the company that many love to hate.
Except people aren't that emotional. Apple simply produced compelling products the iPod, iPhone and iPad and many here enjoyed their computers before Apple became an electronics company. They market well, and are popular in the media (and shareholders), They are out of favour as their product lines look tired compared to the competition, and the chance of repeated success in new markets looks increasingly unlikely (iwatch, itv, iconsole), and well the share price, profits, revenues, market share, technical
Re: (Score:2)
Apple that everyone loved. Today they're the company that many love to hate.
Except people aren't that emotional. Apple simply produced compelling products the iPod, iPhone and iPad and many here enjoyed their computers before Apple became an electronics company. They market well, and are popular in the media (and shareholders), They are out of favour as their product lines look tired compared to the competition, and the chance of repeated success in new markets looks increasingly unlikely (iwatch, itv, iconsole), and well the share price, profits, revenues, market share, technical edge, brand value are all down.
Pretending that people are randomly emotional about mega corporations is simply weird. People on the whole buy(and respond well to companies) of products which have reasonable value and quality...marketed well, and those products are coming from Google(and their OEMs) not Apple(or Microsoft) who foolishly think their users are cattle.
For most people this is the rational way of looking at it, yes. But Apple most certainly have managed to produce a more.. fervent.. kind of supporters. That far transcends the usual fan-boys many tech companies have. If you have managed to avoid them, good for you, a few years back I found that voicing any criticism of Apple brought them out in force (and I knew a couple of them real life too). And you can often see today when the shine has come off Apple somewhat that they now think that everybody loves to
Re: (Score:2)
Only paying for certain types of exploits (Score:4, Interesting)
I found an exploit in a different part of Windows, but they aren't paying for that. They were only paying for mitigation bypass exploits and IE11 exploits.
I guess I'll stick to my original plan and use it to jailbreak Windows RT 8.1 and possibly Windows Phone 8.
Address randomization - security through obscurity (Score:2)
Address space randomization is security through obscurity. It's an admission that you can't fix your buffer overflows. It slows down attackers, but there are counters, such as "spraying attacks".
Worse, it means that bugs become nonrepeatable and harder to fix. So software quality degrades. It produces more of those errors you see in bug tracker as "Closed - can't reproduce".
This is a fixable problem. Microsoft could use C#, or Java, or Go, or Python, or Javascript - languages with subscript checking.
Re: (Score:1)
ASLR is a great fix in addition to buffer overflow protections. In fact since XP SP 2 and IE 7 they are included when compiled which is why Windows 2000 is stuck with IE 6. ASLR with 64 bit virtual memory space increases the randomization greatly as you now have 2 terabytes of addresses to check if you are spraying.
The fact that linux does not do this is a downside. ASLR is now supported in the latest versions of MacOSX as well. You can try to fix as much as you can with overruns but there are always other w
Re: (Score:2)
The fact that linux does not do this is a downside.
Uhh, what? [wikipedia.org]
Just like airbags (Score:2)
I mean, if a car has an airbag, that's just an admission that the driver isn't skilled enough. Right?
Re: (Score:2)
And Apache has a mechanism where it spawns extra children and kills them periodically because it knows somehow or another one of them is going to leak memory.
So what's your point?
All strategy (Score:2)
Maybe this is exactly Microsoft's strategy. Keep paying Google employees to find their bugs, meaning they're less efficient at their current job. Eventually, the Google employees will have enough money to retire, and Microsoft will suddenly have a product that is free from major security flaws. Meanwhile, Google finds it has multiple vacancies in positions desperately behind on their work. I can just imagine Page looking around blankly, wondering when he was given the slip.
Not bloody likely, but would be fu