
Microsoft Bug Bounties Flow To Googlers

Soulskill posted about 9 months ago | from the cross-company-code-cleanup dept.

chicksdaddy writes "Lucre from Microsoft's newly minted bug bounty program is lining the pockets of Google researchers. Two Google employees earned the distinction of receiving some of the first (official) monetary rewards under the company's bounty program. Fermín Serna, a researcher in Google's Mountain View, California headquarters, said he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft's Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna's colleague, Ivan Fratic, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. 'Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,' he said. As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was 'way less' than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which includes ASLR as well as the Data Execution Prevention or DEP technology). 'But still nice!'"


65 comments

Good (4, Interesting)

Frankie70 (803801) | about 9 months ago | (#44336965)

Microsoft now has Google Employees working for them as paid part time employees. Not a bad thing.

Attorney fees .. (0)

Anonymous Coward | about 9 months ago | (#44339705)

An inventive way from Google to get their lawyer's fees back from Microsoft LOL

I wish Google would make its Maps more functional (-1, Offtopic)

bogaboga (793279) | about 9 months ago | (#44336967)

While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].

Here's my gripe, and I am not alone:

Why is it that there's no way to make routing avoid toll roads by default?

I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.

You sometimes wonder why things so basic, take so long to implement. Why?

Re:I wish Google would make its Maps more function (1)

buchner.johannes (1139593) | about 9 months ago | (#44337011)

While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].

Here's my gripe, and I am not alone:

Why is it that there's no way to make routing avoid toll roads by default?

I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.

You sometimes wonder why things so basic, take so long to implement. Why?

Because that's not a product they sell? Go to a car navigation company (TomTom, Garmin, Navit come to mind) and give them money, they do what you want. Why you expect more than something basic from a free service is beyond me.

Re:I wish Google would make its Maps more function (1)

gl4ss (559668) | about 9 months ago | (#44337125)

why buy waze then for a god awful amount of money if it's not for a product they sell? and it is a product they sell, both directly and by proxy..

Re:I wish Google would make its Maps more function (2)

Dupple (1016592) | about 9 months ago | (#44337261)

why buy waze then for a god awful amount of money if it's not for a product they sell?

To stop another company acquiring it? Shrewd move

Re:I wish Google would make its Maps more function (0)

Anonymous Coward | about 9 months ago | (#44337145)

While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].

Here's my gripe, and I am not alone:

Why is it that there's no way to make routing avoid toll roads by default?

I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.

You sometimes wonder why things so basic, take so long to implement. Why?

Because that's not a product they sell? Go to a car navigation company (TomTom, Garmin, Navit come to mind) and give them money, they do what you want. Why you expect more than something basic from a free service is beyond me.

Check out Here Maps, here.com ... Comes free on all Nokia phones. It's great, and Nokia owns the technology that is in all cars, TomToms and Garmins.

Re:I wish Google would make its Maps more function (0)

Anonymous Coward | about 9 months ago | (#44337251)

While it may not be a product they sell there is some competition between free services and making their users want to use their services is a big part of the equation. Many internet companies are worth billions based on their user base. Why wouldn't I expect them to respond to user requests?

Google doesn't care about user base (0)

Anonymous Coward | about 9 months ago | (#44337331)

They just care about what kind of private data they can collect.

Google Maps is NOT the product they sell. The product is the dumb and ignorant user who keeps providing them with free private data.

Re:I wish Google would make its Maps more function (1)

davester666 (731373) | about 9 months ago | (#44337727)

But what if he promised to watch ads on his smartphone? He would prefer to do this while driving instead of paying tolls.

Re:I wish Google would make its Maps more function (3, Insightful)

LordThyGod (1465887) | about 9 months ago | (#44337143)

While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps application more functional [for me].

Here's my gripe, and I am not alone:

Why is it that there's no way to make routing avoid toll roads by default?

I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.

You sometimes wonder why things so basic, take so long to implement. Why?

Possibly just to annoy jackoffs who don't know their hole from an ass in the ground and post off topic comments.

Re:I wish Google would make its Maps more function (0)

Anonymous Coward | about 9 months ago | (#44337161)

How about the recent gmail "upgrade"? They added tabs (optional, for now) so you have your standard inbox, social media shit, mailing lists, advertisements, etc.

Sounds like a good idea, right? Hell, sounds like a great idea! But they couldn't be bothered to put an unread count in the tab. So now, instead of checking one place to see if there's any unread mail, you have to check 5 places to see if there's any unread mail.

because people forget they set it and get LONG rts (2)

raymorris (2726007) | about 9 months ago | (#44337243)

The reason for that is that someone will set it one day. Six months later, they've forgotten all about the setting and the app would give them a two hour route for a one hour trip. It's better, it was decided, to let people know about the shortest route first and choose to look for a longer, non-toll route if they want.

Re:I wish Google would make its Maps more function (1)

RMingin (985478) | about 9 months ago | (#44337283)

I have no idea what you're on about. There is an "Avoid Tolls" function, and it's persistent if you're logged in. If you're wanting toll roads avoided by default for non-logged-in users, tough. There are very many people out there who don't mind paying small amounts to make their trips faster. I think it's a slim majority, and Google seems to agree.

Option in question:
http://i.imgur.com/IFSZRh5.png [imgur.com]

Re:I wish Google would make its Maps more function (0)

Anonymous Coward | about 9 months ago | (#44337939)

I don't even think this is a new option. I remember using it _years_ ago. It's certainly also there in the old Google Maps, behind the show options link.

Re:I wish Google would make its Maps more function (1)

datavirtue (1104259) | about 9 months ago | (#44337457)

Same reason they don't have a contact management app to go with the calendar in google docs.

$11,000 for a full exploit? (1)

K. S. Kyosuke (729550) | about 9 months ago | (#44336995)

How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

Re:$11,000 for a full exploit? (0)

Anonymous Coward | about 9 months ago | (#44337129)

They're so plentiful, so probably not much.

Re:$11,000 for a full exploit? (0)

Anonymous Coward | about 9 months ago | (#44337131)

I just read a story that microsoft increased the bounty to $150,000, but it doesn't seem like they are actually going to pay that for many bugs.

Re:$11,000 for a full exploit? (0)

Anonymous Coward | about 9 months ago | (#44337603)

Quarter million for a Windows 8 exploit? Serious? It took until this month for it to outpace Vista [pcworld.com] (at a whopping 5.1%).

Oh, my sides....you're too much, man.

Re:$11,000 for a full exploit? (1)

mysidia (191772) | about 9 months ago | (#44339057)

How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

Microsoft requires more than a mere exploit for that; you need to defeat Windows 8 security mitigations and provide a whitepaper for even more $$$; on the open market, that's probably worth half a million, to defeat all the security mitigations MS has provided; which essentially means an infection using the exploit could become unstoppable

Re:$11,000 for a full exploit? (1)

drinkypoo (153816) | about 8 months ago | (#44341497)

How much is a Windows 8 exploit worth these days on the open market, something like $250,000?

How much is it worth it to get paid without a chance of being sent to PMITAP in the future, or better yet, being richly rewarded for all that you deserve for providing arms to organized crime?

Re:$11,000 for a full exploit? (1)

K. S. Kyosuke (729550) | about 8 months ago | (#44341697)

In my country, you can only get sent to prison for criminal activities. As in, things that the criminal law prohibits. This isn't one of them.

Re:$11,000 for a full exploit? (1)

drinkypoo (153816) | about 8 months ago | (#44342183)

In my country, you can only get sent to prison for criminal activities. As in, things that the criminal law prohibits. This isn't one of them.

In your country, aiding and abetting a crime is not a crime?

Re:$11,000 for a full exploit? (1)

K. S. Kyosuke (729550) | about 8 months ago | (#44342441)

In your country, aiding and abetting a crime is not a crime?

It is. But trading with exploits is no more a crime around here than selling knives or hammers. We don't go about jailing hardware shop owners whenever some psycho kills someone with their tools.

Re:$11,000 for a full exploit? (1)

s1lverl0rd (1382241) | about 8 months ago | (#44344175)

I'm getting the idea that you are not a lawyer, and that you underestimate the skills of those who are.

Re:$11,000 for a full exploit? (1)

K. S. Kyosuke (729550) | about 8 months ago | (#44344245)

Most people aren't lawyers. That doesn't change anything, though. You don't change our legislation by "skills of lawyers", at most you can do it by lobbying in our parliament and senate.

Can we get ASLR in FreeBSD yet ? (0)

Anonymous Coward | about 9 months ago | (#44337019)

please :3

a full, working exploit that bypasses all the... (0)

Anonymous Coward | about 9 months ago | (#44337029)

I could make a million dollars with that, or sell it for $100,000

Re:a full, working exploit that bypasses all the.. (1)

rvw (755107) | about 9 months ago | (#44337133)

I could make a million dollars with that, or sell it for $100,000

You do? Or you think you do?! Maybe it's worth a million, but how do you get in touch with these people? How do you stay anonymous enough so they cannot blackmail you? Are you sure you're not selling to the NSA and ending up in jail? For $1M it's not worth the risk, unless you already know these people...

Re:a full, working exploit that bypasses all the.. (1)

larry bagina (561269) | about 9 months ago | (#44337167)

Simple: I anonymously post a message on slashdot about "hypothetically" selling a working exploit for a million dollars. Two hours later, the NSA shows up with a bag of cash.

Re:a full, working exploit that bypasses all the.. (0)

Anonymous Coward | about 9 months ago | (#44337183)

And when the boys find out there is no exploit, you leave inside another bag.

Re:a full, working exploit that bypasses all the.. (1)

NeveRBorN (86123) | about 9 months ago | (#44337255)

And when the boys find out there is no exploit, you leave inside another bag.

It's too late... He already posted the message hypothetically selling the exploit.

Re:a full, working exploit that bypasses all the.. (1)

chromas (1085949) | about 9 months ago | (#44337915)

Aha! But he didn't do it anonymously, so he'll be alright. My logic is flawless!

bridge over the river kwai (0)

Anonymous Coward | about 9 months ago | (#44337031)

I can imagine Googlers scheming to receive MS bounties, and Redmondites doing the same for Google bounties. One upmanship. But from the perspective of the project leads, it's all good.

Re:bridge over the river kwai (1)

ShanghaiBill (739463) | about 9 months ago | (#44337295)

But from the perspective of the project leads, it's all good.

Not if the Googlers and Redmonders talk to each other. They could each intentionally introduce bugs, tell the other team how to find them, and then split the profits.

Say it ain't so (3, Insightful)

Kwyj1b0 (2757125) | about 9 months ago | (#44337037)

So a company announces a bug-bounty program, and bugs are found by programmers working for a major software company? Stop the press!

Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).

It is interesting that both exploits have to do with IE. While I don't use IE frequently, I'd assume that it is easier to own a system using *@F# Adobe exploits (which would still be the OS's fault). Or are there restrictions that prevent rewards for exploits via third party software?

Re:Say it ain't so (0)

Anonymous Coward | about 9 months ago | (#44337079)

Or, perhaps the little guy isn't giving his exploits away for nothing to MS, but selling for real money. Hell, when corrupt governments like US or Israel will pay you in the 6 figures for the same thing as MS is paying 11K, it is a no-brainer.

Re:Say it ain't so (0)

Anonymous Coward | about 9 months ago | (#44337569)

Shocking twist: Fermin used to work at Microsoft. He worked on EMET, which uses some of the same technology that he broke.

http://www.slideshare.net/rootedcon/fermin-j-serna-exploits-mitigations-emet-rootedcon-2010

Re:Say it ain't so (1)

Smauler (915644) | about 9 months ago | (#44339397)

Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).

Exceptions? Name a programmer. Name another. And another. How many of them work for the big name companies? (I got 0 in my top 3, 1 in my top 5).

Re:Say it ain't so (0)

Anonymous Coward | about 9 months ago | (#44346271)

Almost by definition famous programmers are not the same as programmers who work for the big named companies (there are exceptions there).

What's disjoint here is that being famous doesn't necessarily correlate strongly to being "good enough to find exploits".

No (1)

Impy the Impiuos Imp (442658) | about 9 months ago | (#44337095)

"I'd like to report a bug. I upgraded my Microsoft Windows and now I see blue."

"Ah, the famed blue screen of death. Ok, read me what it says."

"Which one?"

"What?"

"Which blue screen? There are little blue screens all over the place, and little green ones, and some other colors too."

Hey, Google, fix your own sh*t! (0)

Anonymous Coward | about 9 months ago | (#44337245)

There are enough security problems in Android to keep yon Googly bughunters busy for a lifetime.

How about you spend a little time looking in the mirror, Google, and pull that log out of your own eye before worrying about the Redmond forest?

years from now it'll be Google we laugh at. (0)

Anonymous Coward | about 9 months ago | (#44337383)

Twenty years ago Microsoft was the tech darling that everyone loved. Then they became the tech company that everyone loved to hate. Now they're the gigantic, monolith that can't help but do stupid things, e.g. Surface RT.

Ten years ago it was Apple that everyone loved. Today they're the company that many love to hate. Ten years from now?

I predict that 20 years from now it'll be Google's turn.

Emotional about Mega Corporations (1)

tuppe666 (904118) | about 9 months ago | (#44337615)

Apple that everyone loved. Today they're the company that many love to hate.

Except people aren't that emotional. Apple simply produced compelling products the iPod, iPhone and iPad and many here enjoyed their computers before Apple became an electronics company. They market well, and are popular in the media (and shareholders), They are out of favour as their product lines look tired compared to the competition, and the chance of repeated success in new markets looks increasingly unlikely (iwatch, itv, iconsole), and well the share price, profits, revenues, market share, technical edge, brand value are all down.

Pretending that people are randomly emotional about mega corporations is simply weird. People on the whole buy(and respond well to companies) of products which have reasonable value and quality...marketed well, and those products are coming from Google(and their OEMs) not Apple(or Microsoft) who foolishly think their users are cattle.

Re:Emotional about Mega Corporations (1)

oldlurker (2502506) | about 9 months ago | (#44337715)

Apple that everyone loved. Today they're the company that many love to hate.

Except people aren't that emotional. Apple simply produced compelling products the iPod, iPhone and iPad and many here enjoyed their computers before Apple became an electronics company. They market well, and are popular in the media (and shareholders), They are out of favour as their product lines look tired compared to the competition, and the chance of repeated success in new markets looks increasingly unlikely (iwatch, itv, iconsole), and well the share price, profits, revenues, market share, technical edge, brand value are all down.

Pretending that people are randomly emotional about mega corporations is simply weird. People on the whole buy(and respond well to companies) of products which have reasonable value and quality...marketed well, and those products are coming from Google(and their OEMs) not Apple(or Microsoft) who foolishly think their users are cattle.

For most people this is the rational way of looking at it, yes. But Apple most certainly have managed to produce a more.. fervent.. kind of supporters. That far transcends the usual fan-boys many tech companies have. If you have managed to avoid them, good for you, a few years back I found that voicing any criticism of Apple brought them out in force (and I knew a couple of them real life too). And you can often see today when the shine has come off Apple somewhat that they now think that everybody loves to hate Apple, and voice this frequently.

BBC made a very interesting documentary that among other things included researching the emotions Apple evokes in some of their supporters (including using MRI scanners!): According to a BBC documentary, Apple stimulates the same part of the brain as religious imagery does in believing people [esato.com]. The program is recommended viewing for anyone interested in this topic.

Re:Emotional about Mega Corporations (1)

tlhIngan (30335) | about 9 months ago | (#44350741)

For most people this is the rational way of looking at it, yes. But Apple most certainly have managed to produce a more.. fervent.. kind of supporters. That far transcends the usual fan-boys many tech companies have. If you have managed to avoid them, good for you, a few years back I found that voicing any criticism of Apple brought them out in force (and I knew a couple of them real life too). And you can often see today when the shine has come off Apple somewhat that they now think that everybody loves to hate Apple, and voice this frequently.

It's not just Apple fanbois, it's Apple-haters as well. It's remarkably polarized, I find.

It's also a great source of income for bloggers and such because only Apple stories generate the kind of clicks and ad views that Google, Microsoft and others can only dream about. Even Microsoft-haters have diminished somewhat. But Apple has constantly been hated ever since they were incorporated (what is it, 40-odd years of dying now?).

It's why people end up generating content- and news-less articles about Apple - because if you can rile up the Apple haters or Apple supporters, it's a significant boost to your income. (Either group works because it inevitably attracts the others).

Oh yeah, it's always been cool to hate Apple. And even with the shine off, it still gets the eyeballs, which is important.

Only paying for certain types of exploits (3, Interesting)

Myria (562655) | about 9 months ago | (#44337529)

I found an exploit in a different part of Windows, but they aren't paying for that. They were only paying for mitigation bypass exploits and IE11 exploits.

I guess I'll stick to my original plan and use it to jailbreak Windows RT 8.1 and possibly Windows Phone 8.

Address randomization - security through obscurity (1)

Animats (122034) | about 9 months ago | (#44337675)

Address space randomization is security through obscurity. It's an admission that you can't fix your buffer overflows. It slows down attackers, but there are counters, such as "spraying attacks".

Worse, it means that bugs become nonrepeatable and harder to fix. So software quality degrades. It produces more of those errors you see in bug tracker as "Closed - can't reproduce".

This is a fixable problem. Microsoft could use C#, or Java, or Go, or Python, or Javascript - languages with subscript checking. Or fix C. [animats.com] Or extend their static driver verifier to cover more kinds of code. Address space randomization just obscures the problem.

Re:Address randomization - security through obscur (0)

Anonymous Coward | about 9 months ago | (#44337963)

Yes, because Java hasn't been a complete security disaster or anything.

Re:Address randomization - security through obscur (1)

Billly Gates (198444) | about 9 months ago | (#44339393)

ASLR is a great fix in addition to buffer overflow protections. In fact since XP SP 2 and IE 7 they are included when compiled which is why Windows 2000 is stuck with IE 6. ASLR with 64 bit virtual memory space increases the randomization greatly as you now have 2 terabytes of addresses to check if you are spraying.

The fact that linux does not do this is a downside. ASLR is now supported in the latest versions of MacOSX as well. You can try to fix as much as you can with overruns but there are always other ways to exploit.

Re:Address randomization - security through obscur (0)

Anonymous Coward | about 9 months ago | (#44339813)

Microsoft could use C#

Uh, what? Why would they do that?

Just like airbags (1)

WD (96061) | about 8 months ago | (#44341295)

I mean, if a car has an airbag, that's just an admission that the driver isn't skilled enough. Right?

Re:Address randomization - security through obscur (1)

fulldecent (598482) | about 8 months ago | (#44344093)

And Apache has a mechanism where it spawns extra children and kills them periodically because it knows somehow or another one of them is going to leak memory.

So what's your point?

All strategy (1)

HairyNevus (992803) | about 9 months ago | (#44337853)

Maybe this is exactly Microsoft's strategy. Keep paying Google employees to find their bugs, meaning they're less efficient at their current job. Eventually, the Google employees will have enough money to retire, and Microsoft will suddenly have a product that is free from major security flaws. Meanwhile, Google finds it has multiple vacancies in positions desperately behind on their work. I can just imagine Page looking around blankly, wondering when he was given the slip.

Not bloody likely, but would be funny if it happened.

Re:All strategy (0)

Anonymous Coward | about 9 months ago | (#44339853)

I can just imagine Page looking around blankly, wondering when he was given the slip.

Good show, sir!

Taxes (0)

Anonymous Coward | about 9 months ago | (#44337865)

I hope they pay taxes on that but I am guessing they just pocketed it.

MSFT proves its employees are so incompetent, (0)

Anonymous Coward | about 9 months ago | (#44340247)

... that it has to pay its leading competitor to do their work for them! ;P
