Microsoft Offers Prize Money For Enhancing Windows Security
BlueHat Prize contest focused on new ways to defend against memory-safety exploits.
Microsoft took a new spin on security researcher bounties by offering more than $250,000 in cash and prizes for contestants who come with new ways to mitigate exploits.
The new BlueHat Prize contest specifically looks for the most innovative methods for exploiting memory-safety vulnerabilities such as return-oriented programming (ROP) and just-in-time spraying (JITSpray). The grand prize is $200,000; second place, $50,000; and third place, an MSDN Universal subscription valued at $10,000. JIT spraying attacks basically are used to cheat Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) security technologies.
"Microsoft wants to defend against entire classes of attack with the innovation that comes via the BlueHat Prize," Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center, said in a Twitter interview with Dark Reading. "The BlueHat Prize is looking for mitigations to block memory safety exploitation techniques such as ROP or JITSpray."
Unlike bug bounty programs offered by Google and other vendors, Microsoft instead is looking at getting researchers involved in providing solutions, security experts said.
The software giant traditionally has been opposed to offering money to researchers for vulnerability finds, but Moussouris didn't completely dismiss the possibility of Microsoft someday changing its tune on that. "We continue to evaluate the best way to collaborate with the research community, and we'll let you know if anything changes there," she said when asked whether Microsoft would ever add a bug bounty option.
What happens to the winners' technology? The inventor retains ownership of the intellectual property, and then grants Microsoft a license to the technology; researchers whose technology is not selected by Microsoft also still own their intellectual property.
The BlueHat Prize contest kicked off Wednesday, with a submission deadline of April 1, 2012. A panel of Microsoft security engineers will judge the technologies based on practicality and functionality (30%); robustness (30%); and impact (40%).
Published: 2014-08-29 Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.
Published: 2014-08-29 Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...
Published: 2014-08-29 FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.
Published: 2014-08-29 IBM Worklight Foundation 5.x and 6.x before 18.104.22.168, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.