Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Rewards HP Researchers for UAF Mitigation Bypasses

Microsoft has paid out a total of $125,000 to three HP researchers who found ways to bypass mitigations designed to protect Windows users against attacks leveraging use-after-free (UAF) vulnerabilities.

Microsoft has paid out a total of $125,000 to three HP researchers who found ways to bypass mitigations designed to protect Windows users against attacks leveraging use-after-free (UAF) vulnerabilities.

The Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense program was launched in June 2013. As part of this program, researchers are eligible for a payment of up to $100,000 if they submit new mitigation bypass methods, and an extra $50,000 for a technical whitepaper describing defenses that can be used to block the exploitation techniques.

Brian Gorenc, AbdulAziz Hariri and Simon Zuckerbraun, researchers at HP’s Zero Day Initiative (ZDI), have been awarded $100,000 for identifying methods that can be used to defeat Isolated Heap and MemoryProtection, UAF mitigations included in Microsoft’s Internet Explorer Web browser. They have also found a way to completely bypass address space layout randomization (ASLR) by leveraging the MemoryProtection function.

The experts received an additional $25,000 for providing Microsoft with information on how their mitigation bypass methods can be blocked, HP Security Research said in a blog post on Thursday.

The researchers disclosed their findings at the Black Hat security conference and in posts published on the HP Security Research blog. However, the complete details of the vulnerabilities have only been provided to Microsoft.

HP has a 120-day coordinated disclosure policy. In this case, the 120-day deadline has expired, but the company has decided to hold off the publication of the details because the vulnerabilities have not been fixed yet by Microsoft. While HP’s policy seems flexible, some companies stick to their disclosure deadline. Google, for instance, disclosed the details of three Windows vulnerabilities after its 90-day deadline expired, before Microsoft could roll out patches.

As per HP’s policies, Gorenc, Hariri and Zuckerbraun are not allowed to keep the prize money. Instead, they can donate it to a charity of their choice. In this case, the $125,000 will go to the Texas A&M University, the Concordia University in Canada, and the Khan Academy.

HP researchers are not the only ones who found ways to bypass Microsoft’s mitigations. In January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.

The protections in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) have also been bypassed by researchers on numerous occasions over the past years. However, Microsoft has argued that EMET’s purpose is to make it more difficult, expensive and time consuming for attackers to exploit a system.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.