MICROSOFT PAYS AUSTRALIAN HACKER $100,000 FOR REVEALING SECURITY FLAWS IN SOFTWARE

Microsoft pays Australian hacker $100,000 for finding security holes

James Forshaw of security firm Context. Photo: Context

Microsoft is paying a well-known Australian hacking expert more than $100,000 for finding security holes in its software, one of the largest bounties awarded to date by a tech company.

The company also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the browser vulnerable to remote attack.

James Forshaw, who heads vulnerability research at Melbourne-based consulting firm Context Information Security, won Microsoft’s first $US100,000 ($106,000) bounty for identifying a new “exploitation technique” in Windows, which will allow it to develop defences against an entire class of attacks, the company said.

Forshaw is among the many “white hat” hackers who hack for good and get rewarded for their efforts. Companies such as Apple and Facebook have hall of fame pages on their websites to recognise hackers, and some companies even pay them.

Forshaw, who is currently travelling to attend a security conference, earned another $US9400 for identifying security bugs in a preview release of Microsoft’s Internet Explorer 11 browser, Katie Moussouris, senior security strategist with Microsoft Security Response Centre, said in a blog post.

“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus of complex logic bugs,” Forshaw said.

“I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires.”

To find his winning entry, Forshaw studied the mitigations available today and after brainstorming identified a few potential angles.

“Not all were viable but after some persistence I was finally successful.”

He said receiving recognition for his entry was “exciting” to him and his employer.

“It also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers.”

Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the majority of the world’s PCs.

Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard for identifying a way to “pwn”, or take ownership of, Oracle’s Java software in a high-profile contest known as Pwn2Own (pronounced “pown to own”).

Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month.

Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that cyber security firm FireEye has dubbed DeputyDog.

Marc Maiffret, chief technology officer of the cyber security firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft’s disclosure of the issue brought it to the attention of cybercriminals.

He is advising PC users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates.

“Any time they patch something that has already been used [to launch attacks] in the wild, then it is critical to apply the patch,” Maiffret said.

That vulnerability in Internet Explorer was known as a “zero-day” because Microsoft, the targeted software maker, had zero days’ notice to fix the hole when the initial attacks exploiting the bug were discovered.

In an active, underground market for “zero day” vulnerabilities, criminal groups and governments sometimes pay $US1 million or more to hackers who identify such bugs.

Microsoft’s reward is slightly more generous than that of Yahoo!, which recently offered a security researcher a $US25 voucher to the company’s online store for reporting three security flaws.

Yahoo later opened up a program, with rewards of up to $US15,000, after security researchers ridiculed the minuscule $US25 prize.

With Reuters

Henry Sapiecha

THIS ANDROID TROJAN ALMOST IMPOSSIBLE TO REMOVE

IT security firm Kaspersky claims it has discovered the “most sophisticated” Android trojan yet.

Identified by Kaspersky as “Backdoor.AndroidOS.Obad.a”, the mobile menace can send SMS messages to premium-rate numbers, download other malware and install it on the infected device, send malware to other devices via Bluetooth, and remotely execute commands in the console.

Obad is also extremely well concealed, by means of code obfuscation, and it uses several previously undocumented security holes in the Android operating system to make it very hard to analyse.

Once the trojan is executed on a device, it immediately tries to obtain Device Administrator privileges. Then, it becomes a real nightmare.

“One feature of this Trojan is that the malicious application cannot be deleted once it has gained administrator privileges: by exploiting a previously unknown Android vulnerability, the malicious application enjoys extended privileges, but is not listed as an application with Device Administrator privileges,” said Kaspersky Lab Expert Roman Unuchek.

Kaspersky representatives said they have already informed Google about the vulnerability in question.

The only good news about this trojan is that it’s not very widespread. According to Kaspersky, it amounts to no more than 0.15 per cent of all malware infection attempts on mobiles.

You can find more information about the Backdoor.AndroidOS.Obad.a trojan here.

Henry Sapiecha