Attacks/Breaches

3/19/2018
11:15 AM
50%
50%

Microsoft Offers New Bug Bounties for Spectre, Meltdown-Type Flaws

Microsoft is offering a short-term bug bounty program for speculative execution side-channel vulnerabilities and threats.

Microsoft last week announced new bug bounties for speculative execution side-channel vulnerabilities. These vulnerabilities, of which Spectre and Meltdown were the first known examples, represent a new class of problem and Microsoft would like to know what else might be lurking in the neighborhood.

The bug bounties - on offer through December 31, 2018 - are:

Tier 1: New categories of speculative execution attacks

Up to $250,000

Tier 2: Azure speculative execution mitigation bypass

Up to $200,000

Tier 3: Windows speculative execution mitigation bypass

Up to $200,000

 

Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary

Up to $25,000

According to Microsoft, Tier 1 vulnerabilities are new attacks, Tiers 2 and 3 are techniques that get around protections already put in place against existing vulnerabilities, and Tier 4 is a demonstrating an actual successful attack method using already known vulnerabilities.

Phillip Misner, principal security group manager at the Microsoft Security Response Center, said in Microsoft's post announcing the program: "Speculative execution side channel vulnerabilities require an industry response." To that end, Microsoft says that they will share any discovered vulnerabilities and attacks with the industry in ethical, industry standard forms.

For more, read here and here.

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10016
PUBLISHED: 2019-03-25
GForge Advanced Server 6.4.4 allows XSS via the commonsearch.php words parameter, as demonstrated by a snippet/search/?words= substring.
CVE-2019-10018
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case.
CVE-2019-10019
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PSOutputDev::checkPageSlice at PSOutputDev.cc for nStripes.
CVE-2019-10020
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function Splash::scaleImageYuXu at Splash.cc for x Bresenham parameters.
CVE-2019-10021
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function ImageStream::ImageStream at Stream.cc for nComps.