Microsoft, for obvious reasons, wants people to use Windows 8.1 on their PCs with the knowledge that it has been created to be as secure as possible. That's why the company launched new bounty programs in June that pay third-party security researchers rewards if they find and report exploits in Windows 8.1 to Microsoft. This week, the company announced that researcher James Forshaw was the first to be awarded in the new bounty program and, as it turned out, the mitigation bypass exploit he found in Windows 8.1 was big enough that Microsoft awarded him the full $100,000 prize.
Neowin got Forshaw to answer a few questions via email about himself and his reaction to winning the big bounty from Microsoft, among other topics:
First can you tell us a bit about your background in computer software security?
I have been working in the industry developing secure software and doing security research for over 10 years. Currently I am the Head of Vulnerability Research at Context Information Security, which affords me a lot of freedom to pursue bounty programs such as this.
What was your reaction when Microsoft announced its new software bounty awards?
I was initially surprised that Microsoft had been able to have a bounty at all (last year’s Bluehat prize wasn’t quite the same thing). It did become clear, however, that they wanted to offer bounties for areas not traditionally handled by many of the other vulnerability brokers or vendors, which I thought was an interesting approach to take.
You found what Microsoft says is a mitigation bypass exploit in Windows 8.1. We know you can't go into details about what you found, but can you tell us how hard it was to find the exploit and how much time it took?
Overall my research took around 3 or 4 weeks, although there were some initial false starts due to some of my ideas not being viable approaches. The winning submission was perhaps 2 weeks of work from the initial idea to the final finished version which I sent to Microsoft. It was certainly an interesting challenge as Microsoft have done a lot of work to mitigate against security vulnerabilities.
You also found a number of issues in the preview version of IE11 which Microsoft also rewarded with a separate bounty. Did you use a different method to find exploits in IE11 than for Windows 8.1?
The approach was different, insofar as the mitigation bypass work started with more abstract ideas which I then attempted to validate, while the IE11 exploits came from me reverse engineering the product and looking for vulnerabilities.
When you first heard that Microsoft was going to give you the full $100,000 bounty, what was your first reaction?
I was very happy to have the recognition that I had come up with something novel.
What do you plan to do with that money when you receive it?
The majority of the money will go to my employer; I head up a vulnerability research team at Context, and it will be useful for that. I will receive a part of the money as a bonus, but I do not yet know what I will do with it.
What are your feelings on Windows 8.1 as a whole in terms of security compared to older versions of Windows?
I feel 8.1 is certainly the most secure, at least in terms of mitigations against the exploitation of security vulnerabilities. Even compared to 8 there have been interesting changes which try to mitigate against whole classes of vulnerabilities. Still, I am sure there is more to be done.
Finally, if a person is interested in becoming a computer security researcher, what advice would you give him or her?
I would say study as much about software vulnerabilities as possible, understand existing exploits, say by looking through the Metasploit source code, and get a good grasp of programming languages and lower-level machine instructions. Most important to successful security research is persistence: unless you are extremely lucky, you won’t find a new vulnerability in everything you look at; sometimes there are just no bugs to find. You need to be able to live with the occasional failure.
We would like to thank James for answering our questions!
Image via Microsoft