James Forshaw generally prefers finding bugs in code logic to finding memory corruption issues, but he admits he was incentivized by Microsoft’s $100,000 mitigation-bypass bounty.
Microsoft released a patch for a second zero-day vulnerability in Internet Explorer yesterday, one that caught administrators off-guard.
Eight bulletins and 28 vulnerabilities, including two Internet Explorer zero days, are addressed by Microsoft’s October Patch Tuesday update.
One day after announcing that it had paid researchers $28,000 for reporting a number of vulnerabilities in Internet Explorer 11, Microsoft revealed that it has written a much bigger check–this one for $100,000–to a researcher who has discovered a new attack technique that bypasses all of the exploit mitigations on the newest version of Windows.
As part of its first-ever bounty program, Microsoft has paid out $28,000 to a small group of researchers who identified and reported vulnerabilities in Internet Explorer 11. The IE 11 bounty program only ran for one month during the summer, but it attracted a number of submissions from well-known researchers.
Microsoft has announced that it plans to release eight patches next week as part of October’s Patch Tuesday release, addressing flaws in its Windows, Internet Explorer, .NET Framework, Office, Server and Silverlight software.
Regardless of which sect or splinter cell you belong to in the disclosure debate, for most people it all comes down to finding the most effective way to get a fix published and in the hands of users as quickly as possible. But the lines get a little blurry when the discussion veers into the appropriate moment to tell the public that a given vulnerability is being actively exploited.
Guest contributor Andrew Storms reflects on a decade of Patch Tuesday. The Microsoft initiative turns 10 next week.
A Metasploit exploit module has been released for the zero-day vulnerability in Internet Explorer. The flaw has been exploited in attacks against Japanese targets, and experts think the availability of a Metasploit exploit could accelerate attacks.
Microsoft’s latest Law Enforcement Requests Report shows that no requests for Skype user content were made in the first half of 2013.