Microsoft Rewards HP Researchers for UAF Mitigation Bypasses

Microsoft has paid out a total of $125,000 to three HP researchers who found ways to bypass mitigations designed to protect Windows users against attacks leveraging use-after-free (UAF) vulnerabilities.


The Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense program was launched in June 2013. As part of this program, researchers are eligible for a payment of up to $100,000 if they submit new mitigation bypass methods, and an extra $50,000 for a technical whitepaper describing defenses that can be used to block the exploitation techniques.

Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, researchers at HP’s Zero Day Initiative (ZDI), have been awarded $100,000 for identifying methods that can be used to defeat Isolated Heap and MemoryProtection, UAF mitigations included in Microsoft’s Internet Explorer Web browser. They have also found a way to completely bypass address space layout randomization (ASLR) by leveraging the MemoryProtection function.

The experts received an additional $25,000 for providing Microsoft with information on how their mitigation bypass methods can be blocked, HP Security Research said in a blog post on Thursday.

The researchers disclosed their findings at the Black Hat security conference and in posts published on the HP Security Research blog. However, the complete details of the vulnerabilities have only been provided to Microsoft.

HP has a 120-day coordinated disclosure policy. In this case, the 120-day deadline has expired, but the company has decided to hold off on publishing the details because Microsoft has not yet fixed the vulnerabilities. While HP’s policy seems flexible, some companies stick to their disclosure deadlines. Google, for instance, disclosed the details of three Windows vulnerabilities after its 90-day deadline expired, before Microsoft could roll out patches.

As per HP’s policies, Gorenc, Hariri and Zuckerbraun are not allowed to keep the prize money. Instead, they can donate it to a charity of their choice. In this case, the $125,000 will go to Texas A&M University, Concordia University in Canada, and Khan Academy.

HP researchers are not the only ones who found ways to bypass Microsoft’s mitigations. In January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.

The protections in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) have also been bypassed by researchers on numerous occasions over the past years. However, Microsoft has argued that EMET’s purpose is to make it more difficult, expensive and time-consuming for attackers to exploit a system.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
