“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus on complex logic bugs,” Forshaw said.
“I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires.”
To find his winning entry, Forshaw studied the mitigations available today and after brainstorming identified a few potential angles.
“Not all were viable but after some persistence I was finally successful.”
He said receiving recognition for his entry was “exciting” to him and his employer.
“It also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers.”
Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the majority of the world’s PCs.
Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard for identifying a way to “pwn”, or take ownership of, Oracle’s Java software in a high-profile contest known as Pwn2Own (pronounced “pown to own”).
Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month.
Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that cyber security firm FireEye has dubbed DeputyDog.
Marc Maiffret, chief technology officer of the cyber security firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft’s disclosure of the issue brought it to the attention of cybercriminals.
He is advising PC users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates.
“Any time they patch something that has already been used [to launch attacks] in the wild, then it is critical to apply the patch,” Maiffret said.
That vulnerability in Internet Explorer was known as a “zero-day” because Microsoft, the targeted software maker, had zero days’ notice to fix the hole when the initial attacks exploiting the bug were discovered.
In an active, underground market for “zero-day” vulnerabilities, criminal groups and governments sometimes pay $US1 million or more to hackers who identify such bugs.
Microsoft’s reward is slightly more generous than that of Yahoo!, which recently offered a security researcher a $US25 voucher to the company’s online store for reporting three security flaws.
Yahoo later opened up a program, with rewards of up to $US15,000, after security researchers ridiculed the minuscule $US25 prize.
Correction: This article originally said Mr Forshaw was based in Melbourne and an Australian. The error came about due to information distributed by Context’s British public relations firm. Context Australia’s managing director said the information was “misleading” and confirmed Mr Forshaw was based in Britain.