News

Microsoft Launches Bounty Offer in Wake of Meltdown and Spectre

Microsoft is offering security researchers cash rewards in exchange for their help in rooting out flaws like "Meltdown" and "Spectre."

Announced last week, the new bug bounty program targets "speculative execution" side-channel CPU vulnerabilities. Speculative execution is a normal process of CPUs that's used to speed computer operations by predicting its next steps in advance.

However, researchers in January published methods known as Meltdown" and Spectre that can be used to exploit that process to disclose information from operating system kernels, both Linux and Windows. Those speculative execution methods constitute a "new class of vulnerabilities," according to Microsoft.

Consequently, from March 14 until Dec. 31, 2018, Microsoft is offering to pay money for information about new exploits or mitigation bypasses associated with speculative execution attack methods. The bounties are for elements such as Windows hosts, hypervisors, OS kernel memory and the Microsoft Edge browser. Payouts range from $25,000 to $250,000, based on four "bounty tiers":

  • Tier 1 represents new speculative execution side channel attacks.

  • Tiers 2 and 3 are for "identifying possible bypasses for mitigations that have been added to Windows and Azure."

  • Tier 4 is for demonstrating "exploitable instances" of Spectre variant 1 (CVE-2017-5753) or Spectre variant 2 (CVE-2017-5715).

Microsoft outlined the terms of the bounty program in this document.

Intel last week announced the release of microcode updates for all of its processors produced in the last five years to address Meltdown and Spectre attack methods. Microsoft previously issued Windows updates to address those methods as well. The processor updates and the OS updates are both needed to provide protections against possible speculative execution attack methods, which potentially affect most computers. Chips by Intel, AMD and ARM Holdings are all said by researchers to be subject to Spectre attack methods, while Meltdown mostly affects Intel machines.

The launch of Microsoft's bounty program perhaps suggests that Meltdown and Spectre mitigations could get bypassed in some way, or at least that Microsoft is willing to pay money to find out if that's the case.

In other security news, the Microsoft Edge browser was exploited on Day 1 of the Pwn2Own exploit contest held at CanSecWest in Vancouver, which offered monetary prizes for successful hacks. Day 1 results are described by Trend Micro's Zero Day Initiative at this page, where hacks of Oracle VirtualBox and the Apple Safari browser also were demonstrated.

Microsoft is a sponsor of the Pwn2Own contest, along with Trend Micro/ZDI, as mentioned in this Microsoft announcement, although the announcement didn't mention that the Edge browser had been successfully hacked. Microsoft instead bragged that "Microsoft Edge has still not been impacted by a zero-day exploit in the wild." In addition, Microsoft noted that its latest Windows Insider OS preview release could not be exploited by the contestants, nor could they get past the protections of Windows Defender Application Guard.

Day 2 of the Pwn2Own contest saw successful exploits of the Mozilla Firefox and Apple Safari browsers, according to the Zero Day Initiative's description.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • Microsoft, Salesforce Ink Deal Around Azure Cloud and Teams

    As part of a new partnership, CRM service provider Salesforce will leverage certain Microsoft Azure services, as well as Microsoft Teams, for services to customers.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • Version 1909 of Windows 10 and Windows Server Released

    Windows 10 version 1909, also known as the "Windows 10 November 2019 Update," was officially released by Microsoft on Tuesday.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.