Microsoft has paid out a total of $125,000 to three HP researchers who found ways to bypass mitigations designed to protect Windows users against attacks leveraging use-after-free (UAF) vulnerabilities.
The Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense program was launched in June 2013. As part of this program, researchers are eligible for a payment of up to $100,000 if they submit new mitigation bypass methods, and an extra $50,000 for a technical whitepaper describing defenses that can be used to block the exploitation techniques.
Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, researchers at HP’s Zero Day Initiative (ZDI), have been awarded $100,000 for identifying methods that can be used to defeat Isolated Heap and MemoryProtection, UAF mitigations included in Microsoft’s Internet Explorer Web browser. They have also found a way to completely bypass address space layout randomization (ASLR) by leveraging the MemoryProtection function.
The experts received an additional $25,000 for providing Microsoft with information on how their mitigation bypass methods can be blocked, HP Security Research said in a blog post on Thursday.
The researchers disclosed their findings at the Black Hat security conference and in posts published on the HP Security Research blog. However, the complete details of the vulnerabilities have only been provided to Microsoft.
HP has a 120-day coordinated disclosure policy. In this case, the 120-day deadline has expired, but the company has decided to hold off on publishing the details because Microsoft has not yet fixed the vulnerabilities. While HP’s policy seems flexible, some companies stick to their disclosure deadline. Google, for instance, disclosed the details of three Windows vulnerabilities after its 90-day deadline expired, before Microsoft could roll out patches.
As per HP’s policies, Gorenc, Hariri and Zuckerbraun are not allowed to keep the prize money. Instead, they can donate it to a charity of their choice. In this case, the $125,000 will go to Texas A&M University, Concordia University in Canada, and the Khan Academy.
HP researchers are not the only ones who found ways to bypass Microsoft’s mitigations. In January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.
The protections in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) have also been bypassed by researchers on numerous occasions over the past years. However, Microsoft has argued that EMET’s purpose is to make it more difficult, expensive and time-consuming for attackers to exploit a system.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
