Two Google employees earned the distinction of receiving some of the first monetary rewards (a.k.a. “bounties”) issued under the company’s newly minted bounty program.
Fermín Serna, a researcher at Google’s Mountain View, California, headquarters, told The Security Ledger that he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft’s Address Space Layout Randomization (ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna’s colleague, Ivan Fratric, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Fratric (@ifsecure) acknowledged the honor in a July 11 post on his Twitter account.
In an e-mail exchange with The Security Ledger, Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. “Mainly all security mitigations in place depend on ASLR. So bringing that one down weakens the system a lot and makes the exploitation of other vulnerabilities easy,” he said.
Microsoft launched its bug bounty program on June 26 and will formally unveil it at the upcoming Black Hat Briefings hacker conference in Las Vegas. After resisting pressure to pay researchers for information on security holes in its products, the Redmond, Washington, software maker announced a program to pay researchers up to $100,000 for “truly novel” exploitation techniques that defeat protections built into the very latest version of Windows, 8.1 Preview. It will additionally pay $50,000 for ideas for defensive strategies that accompany a bypass, raising the total potential purse for an exploit and accompanying remediation to $150,000. A separate program will, for a short time, pay up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview). That program expires on July 26.
Microsoft announced its first bounty on July 10 and said it had many more submissions that were likely to earn pay-outs. Serna said that other bounties had been issued in addition to the one he received. Microsoft was unable to respond to a request for comment prior to publication.
As for his bounty, Serna (whose résumé includes work for Microsoft on the MSRC Engineering team) said it was “way less” than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which include ASLR as well as the Data Execution Prevention, or DEP, technology). “But still…nice!”
The result is a testament to Google’s success in vacuuming up security talent from around the globe in recent years, as well as the company’s commitment to giving researchers the freedom to work on non-Google platforms. Technical talent working for the search engine giant has a track record of finding serious holes in Microsoft products. In 2011, Google researcher Michal Zalewski famously attracted the ire of Redmond when he publicized the details of a serious security flaw in Internet Explorer before Microsoft had a chance to patch it. A similar dispute surfaced this month after another noted Google researcher, Tavis Ormandy, exposed a flaw in the Windows operating system. Microsoft later alleged that information on the flaw was used to attack its customers.
However, the coincidence of Google employees finding the first two vulnerabilities to qualify for bounties may also signal the limits of Microsoft’s program, when measured against the financial lure of the black market. In an e-mail to The Security Ledger, Serna said that even the full $11,000 bounty for an exploitable flaw in IE was “probably 1/10th” of what information on such a vulnerability (and how to exploit it) would fetch in the cyber underground.
As Google employees, neither Serna nor Fratric is paying rent with his bounty money, and both need to be wary of damaging the reputation of their employer. That makes it far more likely that they’ll prioritize responsible disclosure to the vendor over sale to a third party. The New York Times is just the latest major media outlet to report on the thriving underground and gray market for information on software vulnerabilities that can be had for a price.
Don’t be too discouraged, though. Some good is flowing from the booming market for software holes. Serna said he would be donating his bounty to a local animal shelter in Seattle, Washington, where he lives.