Microsoft Pays $100K Bounty: James Forshaw, British Hacker, Rewarded For Discovering Windows 8.1 Bug

James Forshaw, a 34-year-old computer security consultant living in London, was rewarded $100,000 (£63,000) by Microsoft Corp. (NASDAQ:MSFT) for discovering an exploit in Windows 8.1.

"It's quite nice to get that recognition and have some satisfaction in my peers acknowledging that I am good in my field," Forshaw said.

Forshaw, who works for Context Information Security and authored the Canape testing tool for arbitrary network protocols, said he spent about a month researching ways to circumvent the various defenses Microsoft built into the working preview of Windows 8.1.

“My total research process was about three-and-a-half weeks because I had a few false starts,” Forshaw said. “I brainstormed lots of ideas and the first few didn’t come to anything before I hit on one that was successful. There were two weeks of development from that initial concept to the final product I sent to Microsoft.”

Forshaw, who said he has over 10 years of experience in researching and discovering software exploits and vulnerabilities, had also previously won a smaller bounty from Microsoft for finding a bug in Internet Explorer 11.

Kate Moussouris, a senior security strategist at Microsoft, explained why Forshaw was rewarded so much more money for the Windows 8.1 vulnerability than he was for discovering the Internet Explorer bug.

“While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants,” Moussouris said. “This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”

The Security Bounty Programs, according to Microsoft, "add fresh depth and flexibility to our existing community outreach programs" by providing a way "to harness the collective intelligence and capabilities of security researchers to help further protect customers." On June 26, Microsoft initiated three new programs, including the Mitigation Bypass Bounty -- the same bounty won by Forshaw -- which offers $100,000 for "truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview)." Microsoft also offers its BlueHat Bonus for Defense, which offers up to $50,000 for "defensive ideas that accompany a qualifying Mitigation Bypass submission," and the Internet Explorer 11 Preview Bug Bounty, which offers up to $11,000 for "critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview)."

Forshaw must be pretty pleased to have won two out of the three bounty programs offered by Microsoft.

More About Windows 8.1

Back on Aug. 14, Microsoft announced Windows 8.1 would release to the public on Oct. 17 at 4 a.m. PDT as a free update for Windows 8 users through the Windows Store. Windows 8.1 will also release on retail shelves and new Microsoft devices starting on Oct. 18. Though its release date won’t arrive for another week (Oct. 17), users can still download a full preview of Windows 8.1 right now.

Windows 8.1, according to Microsoft, “continues the vision” the company began with Windows 8, which was first released in August 2012 and became generally available on Oct. 26, 2012. Unfortunately for Microsoft, many critics lambasted Windows 8 for its restricted Windows Store and its touch-centric features, which appeared to alienate Microsoft’s traditional desktop users, especially on its flagship hardware, the Microsoft Surface RT tablet, which was underwhelming in its own right from a sales, PR and critical perspective.

But despite the disastrous start for Windows 8 from both a hardware and software perspective, Microsoft remains extremely confident about the release of Windows 8.1, which it first acknowledged in March under the name “Windows Blue.”

Windows 8.1 will introduce many changes to the new Windows 8 operating system, including the return of Microsoft’s signature Start button, new apps for lifestyle and productivity needs, a file manager integrated into Microsoft’s cloud-based SkyDrive app, the new Internet Explorer 11 browser, an updated security system, and Windows Store 2.0, which features a better layout and allows users to automatically update their apps. Windows 8.1 will also release with a much-improved snap view feature, which allows users to see multiple apps on the screen at once.

“You can resize apps to any size you want, share the screen between two apps, or have up to four apps on screen,” Microsoft said on its Windows blog. “If you have multiple displays connected, you can have different Windows Store apps running on all the displays at the same time and the Start Screen can stay open on one monitor. This makes multi-tasking even easier.”

The release of Windows 8.1 will also add new support for NFC printing, Wi-Fi Direct printing, and even native APIs for 3D printing, as well as device encryption for all editions of Windows 8.

The release date of Windows 8.1 will arrive just before the first anniversary of Windows 8, and Microsoft intends to advertise many of its new Windows 8 devices prior to the Windows 8.1 release date, including the Microsoft Surface, the Lenovo Yoga 11s, the Dell XPS 18 and the Acer Iconia W3. Microsoft is also pushing its Windows Chip-In program, a crowd-funding program to help students and parents purchase new Windows devices for school.

Follow Dave Smith on Twitter