Microsoft Pays Out Another $100,000 Mitigation Bypass Bounty

Researcher Yang Yu was awarded $100,000 from Microsoft for writing three mitigation bypass variants as part of the company’s bounty program. Yu is the second $100,000 winner since the bounty program was launched last June.

Microsoft has paid out another $100,000 bounty as part of its Security Response Center’s bounty program.

A researcher from Asia named Yang Yu was awarded the prize today for three mitigation bypass variants, Microsoft announced.

“This payout reflects the fact that we learned something new that will help us build more robust defenses, but it was built upon known mitigation bypass techniques,” a Microsoft spokesperson told Threatpost. Efforts to reach Yu in time for publication were not successful.

This is the second $100,000 bounty the program has paid out; more than $253,000 has been awarded to date since the program began last June 26.

The mitigation bypass bounty is one of three offered by Microsoft. It pays out up to $100,000 and rewards novel exploitation techniques against mitigations native to the latest version of Windows. Microsoft also awards the Blue Hat Bonus for Defense and previously, the Internet Explorer 11 Preview Bug Bounty.

The Blue Hat Bonus for Defense pays up to $50,000 for defensive ideas that accompany a mitigation bypass; the IE bounty paid out up to $11,000 for critical vulnerabilities in the beta version of IE 11. The program was closed July 27.

Little is known about Yu’s mitigation bypass. The previous $100,000 winner, James Forshaw, won his prize in October. He collected for a bypass he developed that eluded Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), two memory exploit defenses native to Windows.

Last year, Forshaw won the Java portion of the Pwn2Own contest at the CanSecWest conference with an exploit for a vulnerability in a trusted class in the Java framework. The exploit allowed him to bypass the sandbox and execute code remotely. That Java bug was patched in April with the release of Java 7u21 and the researcher explained in a blogpost shortly thereafter that his code allowed him to disable the security manager in Java and run malicious code as trusted.

According to Microsoft, bypass submissions must demonstrate a novel way of exploiting a remote code execution vulnerability in Windows and must be capable of exploiting an application that makes use of stack- and heap-corruption mitigations as well as code-execution mitigations. The bypass must also meet seven criteria: it must be generic in that it’s applicable to more than one memory corruption vulnerability; the exploit must be reliable and have reasonable requirements; it must be applicable to a high-risk application such as a browser or document reader; it must be applicable to user mode applications; it must also target the latest version of a Microsoft product; and it must be novel, Microsoft said.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.