Slashdot Mirror


Microsoft Bug Bounties Flow To Googlers

chicksdaddy writes "Lucre from Microsoft's newly minted bug bounty program is lining the pockets of Google researchers. Two Google employees earned the distinction of receiving some of the first (official) monetary rewards under the company's bounty program. Fermín Serna, a researcher in Google's Mountain View, California headquarters, said he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft's Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna's colleague, Ivan Fratric, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. 'Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,' he said. As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was 'way less' than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which includes ASLR as well as the Data Execution Prevention or DEP technology). 'But still nice!'"

65 comments

  1. Good by Frankie70 · · Score: 4, Interesting

    Microsoft now has Google Employees working for them as paid part time employees. Not a bad thing.

    1. Re:Good by flyingfsck · · Score: 0

      MS clearly has the world's worst collection of programmers. They need all the help they can get, since they are just too incompetent.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Good by cavreader · · Score: 1

      So MS didn't hire you? No wonder judging by the ignorance displayed in your post.

  2. $11,000 for a full exploit? by K. S. Kyosuke · · Score: 1

    How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

    --
    Ezekiel 23:20
    1. Re:$11,000 for a full exploit? by Anonymous Coward · · Score: 0

      They're so plentiful, so probably not much.

    2. Re:$11,000 for a full exploit? by Anonymous Coward · · Score: 0

      I just read a story that microsoft increased the bounty to $150,000, but it doesn't seem like they are actually going to pay that for many bugs.

    3. Re:$11,000 for a full exploit? by Anonymous Coward · · Score: 0

      Quarter million for a Windows 8 exploit? Serious? It took until this month for it to outpace Vista (at a whopping 5.1%).

      Oh, my sides....you're too much, man.

    4. Re:$11,000 for a full exploit? by mysidia · · Score: 1

      How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

      Microsoft requires more than a mere exploit for that; you need to defeat Windows 8 security mitigations and provide a whitepaper for even more $$$; on the open market, that's probably worth half a million, to defeat all the security mitigations MS has provided; which essentially means an infection using the exploit could become unstoppable

    5. Re:$11,000 for a full exploit? by drinkypoo · · Score: 1

      How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

      How much is it worth it to get paid without a chance of being sent to PMITAP in the future, or better yet, being richly rewarded for all that you deserve for providing arms to organized crime?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:$11,000 for a full exploit? by K. S. Kyosuke · · Score: 1

      In my country, you can only get sent to prison for criminal activities. As in, things that the criminal law prohibits. This isn't one of them.

      --
      Ezekiel 23:20
    7. Re:$11,000 for a full exploit? by drinkypoo · · Score: 1

      In my country, you can only get sent to prison for criminal activities. As in, things that the criminal law prohibits. This isn't one of them.

      In your country, aiding and abetting a crime is not a crime?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:$11,000 for a full exploit? by K. S. Kyosuke · · Score: 1

      In your country, aiding and abetting a crime is not a crime?

      It is. But trading with exploits is no more a crime around here than selling knives or hammers. We don't go about jailing hardware shop owners whenever some psycho kills someone with their tools.

      --
      Ezekiel 23:20
    9. Re:$11,000 for a full exploit? by s1lverl0rd · · Score: 1

      I'm getting the idea that you are not a lawyer, and that you underestimate the skills of those who are.

    10. Re:$11,000 for a full exploit? by K. S. Kyosuke · · Score: 1

      Most people aren't lawyers. That doesn't change anything, though. You don't change our legislation by "skills of lawyers", at most you can do it by lobbying in our parliament and senate.

      --
      Ezekiel 23:20
  3. Re:I wish Google would make its Maps more function by buchner.johannes · · Score: 1

    While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].

    Here's my gripe, and I am not alone:

    Why is it that there's no way to make routing avoid toll roads by default?

    I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.

    You sometimes wonder why things so basic, take so long to implement. Why?

    Because that's not a product they sell? Go to a car navigation company (TomTom, Garmin, Navit come to mind) and give them money, they do what you want. Why you expect more than something basic from a free service is beyond me.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  4. Can we get ASLR in FreeBSD yet ? by Anonymous Coward · · Score: 0

    please :3

  5. a full, working exploit that bypasses all the... by Anonymous Coward · · Score: 0

    I could make a million dollars with that, or sell it for $100,000

  6. bridge over the river kwai by Anonymous Coward · · Score: 0

    I can imagine Googlers scheming to receive MS bounties, and Redmondites doing the same for Google bounties. One upmanship. But from the perspective of the project leads, it's all good.

    1. Re:bridge over the river kwai by rvw · · Score: 1

      It could be a battle. My bets are on Google.

    2. Re:bridge over the river kwai by ShanghaiBill · · Score: 1

      But from the perspective of the project leads, it's all good.

      Not if the Googlers and Redmonders talk to each other. They could each intentionally introduce bugs, tell the other team how to find them, and then split the profits.

  7. Say it ain't so by Kwyj1b0 · · Score: 3, Insightful

    So a company announces a bug-bounty program, and bugs are found by programmers working for a major software company? Stop the press!

    Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).

    It is interesting that both exploits have to do with IE. While I don't use IE frequently, I'd assume that it is easier to own a system using *@F# Adobe exploits (which would still be the OS's fault). Or are there restrictions that prevent rewards for exploits via third party software?

    1. Re:Say it ain't so by Anonymous Coward · · Score: 0

      Or, perhaps the little guy isn't giving his exploits away for nothing to MS, but selling for real money. Hell, when corrupt governments like US or Israel will pay you in the 6 figures for the same thing as MS is paying 11K, it is a no-brainer.

    2. Re:Say it ain't so by Anonymous Coward · · Score: 0

      Shocking twist: Fermin used to work at Microsoft. He worked on EMET, which uses some of the same technology that he broke.

      http://www.slideshare.net/rootedcon/fermin-j-serna-exploits-mitigations-emet-rootedcon-2010

    3. Re:Say it ain't so by Smauler · · Score: 1

      Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).

      Exceptions? Name a programmer. Name another. And another. How many of them work for the big name companies? (I got 0 in my top 3, 1 in my top 5).

    4. Re:Say it ain't so by Anonymous Coward · · Score: 0

      Almost by definition famous programmers are not the same as programmers who work for the big named companies (there are exceptions there).

      What's disjoint here is that being famous doesn't necessarily correlate strongly to being "good enough to find exploits".

  8. "I'd like to report a bug. I upgraded my Microsoft Windows and now I see blue."

    "Ah, the famed blue screen of death. Ok, read me what it says."

    "Which one?"

    "What?"

    "Which blue screen? There are little blue screens all over the place, and little green ones, and some other colors too."

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  9. Re:I wish Google would make its Maps more function by gl4ss · · Score: 1

    why buy waze then for a god awful amount of money if it's not for a product they sell? and it is a product they sell, both directly and by proxy..

    --
    world was created 5 seconds before this post as it is.
  10. Re:a full, working exploit that bypasses all the.. by rvw · · Score: 1

    I could make a million dollars with that, or sell it for $100,000

    You do? Or you think you do?! Maybe it's worth a million, but how do you get in touch with these people? How do you stay anonymous enough so they cannot blackmail you? Are you sure you're not selling to the NSA and ending up in jail? For $1M it's not worth the risk, unless you already know these people...

  11. Re:I wish Google would make its Maps more function by LordThyGod · · Score: 3, Insightful

    While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].

    Here's my gripe, and I am not alone:

    Why is it that there's no way to make routing avoid toll roads by default?

    I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.

    You sometimes wonder why things so basic, take so long to implement. Why?

    Possibly just to annoy jackoffs who don't know their hole from an ass in the ground and post off topic comments.

  12. Re:I wish Google would make its Maps more function by Anonymous Coward · · Score: 0

    While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].

    Here's my gripe, and I am not alone:

    Why is it that there's no way to make routing avoid toll roads by default?

    I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.

    You sometimes wonder why things so basic, take so long to implement. Why?

    Because that's not a product they sell? Go to a car navigation company (TomTom, Garmin, Navit come to mind) and give them money, they do what you want. Why you expect more than something basic from a free service is beyond me.

    Check out HERE Maps, here.com ... Comes free on all Nokia phones, it's great, and Nokia owns the technology that is in all cars, TomToms and Garmins

  13. Re:I wish Google would make its Maps more function by Anonymous Coward · · Score: 0

    How about the recent gmail "upgrade"? They added tabs (optional, for now) so you have your standard inbox, social media shit, mailing lists, advertisements, etc.

    Sounds like a good idea, right? Hell, sounds like a great idea! But they couldn't be bothered to put an unread count in the tab. So now, instead of checking one place to see if there's any unread mail, you have to check 5 places to see if there's any unread mail.

  14. Re:a full, working exploit that bypasses all the.. by larry bagina · · Score: 1

    Simple: I anonymously post a message on slashdot about "hypothetically" selling a working exploit for a million dollars. Two hours later, the NSA shows up with a bag of cash.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  15. Re:a full, working exploit that bypasses all the.. by Anonymous Coward · · Score: 0

    And when the boys find out there is no exploit, you leave inside another bag.

  16. Scandal! by tnk1 · · Score: 1

    Googlers Paid Off By Microsoft!

    News at 11.

  17. Pay them in Surface Tablets by tuppe666 · · Score: 2

    ...it's cheaper

  18. because people forget they set it and get LONG rts by raymorris · · Score: 2

    The reason for that is that someone will set it one day. Six months later, they've forgotten all about the setting and the app would give them a two hour route for a one hour trip. It's better, it was decided, to let people know about the shortest route first and choose to look for a longer, non-toll route if they want.

  19. Hey, Google, fix your own sh*t! by Anonymous Coward · · Score: 0

    There are enough security problems in Android to keep yon Googly bughunters busy for a lifetime.

    How about you spend a little time looking in the mirror, Google, and pull that log out of your own eye before worrying about the Redmond forest?

  20. Re:I wish Google would make its Maps more function by Anonymous Coward · · Score: 0

    While it may not be a product they sell there is some competition between free services and making their users want to use their services is a big part of the equation. Many internet companies are worth billions based on their user base. Why wouldn't I expect them to respond to user requests?

  21. Re:a full, working exploit that bypasses all the.. by NeveRBorN · · Score: 1

    And when the boys find out there is no exploit, you leave inside another bag.

    It's too late... He already posted the message hypothetically selling the exploit.

  22. Re:I wish Google would make its Maps more function by Dupple · · Score: 2

    why buy waze then for a god awful amount of money if it's not for a product they sell?

    To stop another company acquiring it? Shrewd move

    --
    Watch those corners
  23. Re:I wish Google would make its Maps more function by RMingin · · Score: 1

    I have no idea what you're on about. There is an "Avoid Tolls" function, and it's persistent if you're logged in. If you're wanting toll roads avoided by default for non-logged-in users, tough. There are very many people out there who don't mind paying small amounts to make their trips faster. I think it's a slim majority, and Google seems to agree.

    Option in question:
    http://i.imgur.com/IFSZRh5.png

    --
    The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
  24. Google doesn't care about user base by Anonymous Coward · · Score: 0

    They just care about what kind of private data they can collect.

    Google Maps is NOT the product they sell. The product is the dumb and ignorant user who keeps providing them with free private data.

  25. years from now it'll be Google we laugh at. by Anonymous Coward · · Score: 0

    Twenty years ago Microsoft was the tech darling that everyone loved. Then they became the tech company that everyone loved to hate. Now they're the gigantic, monolith that can't help but do stupid things, e.g. Surface RT.

    Ten years ago it was Apple that everyone loved. Today they're the company that many love to hate. Ten years from now?

    I predict that 20 years from now it'll be Google's turn.

  26. Re:I wish Google would make its Maps more function by datavirtue · · Score: 1

    Same reason they don't have a contact management app to go with the calendar in google docs.

    --
    I object to power without constructive purpose. --Spock
  27. Only paying for certain types of exploits by Myria · · Score: 3, Interesting

    I found an exploit in a different part of Windows, but they aren't paying for that. They were only paying for mitigation bypass exploits and IE11 exploits.

    I guess I'll stick to my original plan and use it to jailbreak Windows RT 8.1 and possibly Windows Phone 8.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  28. Emotional about Mega Corporations by tuppe666 · · Score: 1

    Apple that everyone loved. Today they're the company that many love to hate.

    Except people aren't that emotional. Apple simply produced compelling products the iPod, iPhone and iPad and many here enjoyed their computers before Apple became an electronics company. They market well, and are popular in the media (and shareholders), They are out of favour as their product lines look tired compared to the competition, and the chance of repeated success in new markets looks increasingly unlikely (iwatch, itv, iconsole), and well the share price, profits, revenues, market share, technical edge, brand value are all down.

    Pretending that people are randomly emotional about mega corporations is simply weird. People on the whole buy (and respond well to companies) of products which have reasonable value and quality...marketed well, and those products are coming from Google (and their OEMs) not Apple (or Microsoft) who foolishly think their users are cattle.

    1. Re:Emotional about Mega Corporations by oldlurker · · Score: 1

      Apple that everyone loved. Today they're the company that many love to hate.

      Except people aren't that emotional. Apple simply produced compelling products the iPod, iPhone and iPad and many here enjoyed their computers before Apple became an electronics company. They market well, and are popular in the media (and shareholders), They are out of favour as their product lines look tired compared to the competition, and the chance of repeated success in new markets looks increasingly unlikely (iwatch, itv, iconsole), and well the share price, profits, revenues, market share, technical edge, brand value are all down.

      Pretending that people are randomly emotional about mega corporations is simply weird. People on the whole buy (and respond well to companies) of products which have reasonable value and quality...marketed well, and those products are coming from Google (and their OEMs) not Apple (or Microsoft) who foolishly think their users are cattle.

      For most people this is the rational way of looking at it, yes. But Apple most certainly have managed to produce a more.. fervent.. kind of supporters. That far transcends the usual fan-boys many tech companies have. If you have managed to avoid them, good for you, a few years back I found that voicing any criticism of Apple brought them out in force (and I knew a couple of them real life too). And you can often see today when the shine has come off Apple somewhat that they now think that everybody loves to hate Apple, and voice this frequently.

      BBC made a very interesting documentary that among other things included researching the emotions Apple evokes in some of their supporters (including using MRI scanners!): According to a BBC documentary, Apple stimulates the same part of the brain as religious imagery does in believing people. The program is recommended viewing for anyone interested in this topic.

    2. Re:Emotional about Mega Corporations by tlhIngan · · Score: 1

      For most people this is the rational way of looking at it, yes. But Apple most certainly have managed to produce a more.. fervent.. kind of supporters. That far transcends the usual fan-boys many tech companies have. If you have managed to avoid them, good for you, a few years back I found that voicing any criticism of Apple brought them out in force (and I knew a couple of them real life too). And you can often see today when the shine has come off Apple somewhat that they now think that everybody loves to hate Apple, and voice this frequently.

      It's not just Apple fanbois, it's Apple-haters as well. It's remarkably polarized, I find.

      It's also a great source of income for bloggers and such because only Apple stories generate the kind of clicks and ad views that Google, Microsoft and others can only dream about. Even Microsoft-haters have diminished somewhat. But Apple has constantly been hated ever since they were incorporated (what is it, 40-odd years of dying now?).

      It's why people end up generating content- and news-less articles about Apple - because if you can rile up the Apple haters or Apple supporters, it's a significant boost to your income. (Either group works because it inevitably attracts the others).

      Oh yeah, it's always been cool to hate Apple. And even with the shine off, it still gets the eyeballs, which is important.

  29. Address randomization - security through obscurity by Animats · · Score: 1

    Address space randomization is security through obscurity. It's an admission that you can't fix your buffer overflows. It slows down attackers, but there are counters, such as "spraying attacks".

    Worse, it means that bugs become nonrepeatable and harder to fix. So software quality degrades. It produces more of those errors you see in bug tracker as "Closed - can't reproduce".

    This is a fixable problem. Microsoft could use C#, or Java, or Go, or Python, or Javascript - languages with subscript checking. Or fix C. Or extend their static driver verifier to cover more kinds of code. Address space randomization just obscures the problem.

  30. Re:I wish Google would make its Maps more function by davester666 · · Score: 1

    But what if he promised to watch ads on his smartphone? He would prefer to do this while driving instead of paying tolls.

    --
    Sleep your way to a whiter smile...date a dentist!
  31. All strategy by HairyNevus · · Score: 1

    Maybe this is exactly Microsoft's strategy. Keep paying Google employees to find their bugs, meaning they're less efficient at their current job. Eventually, the Google employees will have enough money to retire, and Microsoft will suddenly have a product that is free from major security flaws. Meanwhile, Google finds it has multiple vacancies in positions desperately behind on their work. I can just imagine Page looking around blankly, wondering when he was given the slip.

    Not bloody likely, but would be funny if it happened.

    --
    You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
    1. Re:All strategy by Anonymous Coward · · Score: 0

      I can just imagine Page looking around blankly, wondering when he was given the slip.

      Good show, sir!

  32. Taxes by Anonymous Coward · · Score: 0

    I hope they pay taxes on that but I am guessing they just pocketed it.

  33. Re:a full, working exploit that bypasses all the.. by chromas · · Score: 1

    Aha! But he didn't do it anonymously, so he'll be alright. My logic is flawless!

  34. Re:I wish Google would make its Maps more function by Anonymous Coward · · Score: 0

    I don't even think this is a new option. I remember using it _years_ ago. It's certainly also there in the old Google Maps, behind the show options link.

  35. Re:Address randomization - security through obscur by Anonymous Coward · · Score: 0

    Yes, because Java hasn't been a complete security disaster or anything.

  36. Re:Address randomization - security through obscur by Billly Gates · · Score: 1

    ASLR is a great fix in addition to buffer overflow protections. In fact since XP SP 2 and IE 7 they are included when compiled which is why Windows 2000 is stuck with IE 6. ASLR with 64 bit virtual memory space increases the randomization greatly as you now have 2 terabytes of addresses to check if you are spraying.

    The fact that linux does not do this is a downside. ASLR is now supported in the latest versions of MacOSX as well. You can try to fix as much as you can with overruns but there are always other ways to exploit.

  37. Attorney fees .. by Anonymous Coward · · Score: 0

    An inventive way from Google to get their lawyer's fees back from Microsoft LOL

  38. Re:Address randomization - security through obscur by Anonymous Coward · · Score: 0

    Microsoft could use C#

    Uh, what? Why would they do that?

  39. MSFT proves its employees are so incompetent, by Anonymous Coward · · Score: 0

    ... that it has to pay its leading competitor to do their work for them! ;P

  40. Re:Address randomization - security through obscur by marsu_k · · Score: 1

    The fact that linux does not do this is a downside.

    Uhh, what?

  41. Just like airbags by WD · · Score: 1

    I mean, if a car has an airbag, that's just an admission that the driver isn't skilled enough. Right?

  42. Re:Address randomization - security through obscur by fulldecent · · Score: 1

    And Apache has a mechanism where it spawns extra children and kills them periodically because it knows somehow or another one of them is going to leak memory.

    So what's your point?

    --

    -- I was raised on the command line, bitch