HPSR, Microsoft, disclosure, and the $125,000 bug bounty
HP Security Research (HPSR) is pleased to announce that three of our Zero Day Initiative (ZDI) team members – Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun – have won the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense. To collect the main $100,000 prize, the team outlined techniques and steps to attack the Isolated Heap and MemoryProtection functions in the latest version of Microsoft Internet Explorer. Along with this, they describe how an attacker can use MemoryProtection as an oracle to completely bypass ASLR. Both of these features are designed to prevent the successful exploitation of certain use-after-free (UAF) vulnerabilities. They backed that up with an idea for successfully defending systems against the technique they found, earning another $25,000.
And they won’t keep a cent of it. Let me explain.
The team and the challenge
As most readers know, our Zero Day Initiative is a bug-bounty powerhouse, spending more to buy software vulnerabilities over the past nine years ($12 million and counting) than any other program in the world. To do so effectively we hire a staff of world-class researchers, who divide their time between validating submissions from external contributors in their security lab and performing their own investigations as part of the HP Security Research group.
Simon and AbdulAziz both started with the ZDI as external contributors, submitting (among other things) a number of Microsoft Internet Explorer (IE) use-after-free (UAF) vulnerabilities. Over time, both hired on with HPSR as full-time employees, working with team manager and sandbox expert Brian.
Internet Explorer’s use-after-free problems continued, and our researchers continued to chase them. But in the summer of 2014, IE exploitation mechanisms that had been reliable started to behave differently. The team suspected the changes were due to two new mitigations – Isolated Heap and MemoryProtection (MemProtect) – Microsoft silently folded into IE through the June and July security patches.
Change is good, particularly for a browser with a history of UAF problems. The addition of MemProtect and Isolated Heap “really started to up [Microsoft’s] game in hardening Internet Explorer against memory corruption vulnerabilities,” Simon explains. But change is also a natural target for investigation, particularly of the kind that turns into published research – and HPSR is a research organization.
Suddenly it wasn’t about looking at individual software vulnerabilities, but at ways of partially or fully bypassing an entire protection mechanism. Not only was the ZDI unsure what it would find; it was also unsure exactly how it would proceed once it had results.
Notification and publication
Simon’s portion of the investigation focused on reverse-engineering MemProtect and figuring out its precise effect on UAF vulns. He summarized his findings – including a warning that MemProtect is ineffective or only partially effective for certain classes of UAF – on the HP Security Research blog in late July. Brian, fresh off a Black Hat presentation on sandbox bypasses, followed with an HPSR Security Briefing looking at new ways in which that can be accomplished. And Abdul followed up in September with a Briefing looking at all of Microsoft’s UAF mitigations with special attention to Isolated Heap – which he found can be bypassed in many circumstances.
HPSR is a research group, and research groups publish their findings. That means talking openly about potential issues, as we did in those posts and presentations and papers. But security researchers must balance the need to publish and the need to protect. To strike that balance, we trusted our own 120-day coordinated-disclosure policy to guide us. We notified Microsoft and, since the discovery met the qualifications for their Mitigation Bypass Bounty, we decided to format our submission in the contest-required style and submit an appropriate proof-of-concept – separate from and far more detailed than the research we’d published so far.
Was it weird being on the other side of the bounty-payout fence for a change? Very. Turns out that even if you’re used to paying out seven-figure sums to researchers each year, when the money’s flowing the other way, time passes a bit more slowly. After a lengthy review process, Microsoft agreed that the submission did what it set out to do.
And now we’re back where we started – at a publishing-vs-disclosure crossroads. The issue remains unpatched by Microsoft at this writing. As per our disclosure policy, we reserve the right to publish full details at any time now that the 120-day window has closed, but we believe it’s in the best interests of the ecosystem at large to wait a bit longer. The publications linked above provide some useful clues to the knowledgeable reader, and we encourage you to take a closer look at those posts.
Beyond that, watch this space. You can also watch our own Art Gilliland, senior VP and general manager of the Enterprise Software Group (our part of the HP universe), who has more to say about it.
The team emphasizes that Microsoft’s recent work on mitigations is incredibly important – not merely for the security of individual users but for the safety of people and entities on and off the Internet. That’s why it was important to investigate it and to make our findings known, says Simon: “I'm hopeful that our contribution to research in this field will further the process towards creating secure browser technology.”
And the money?
Meanwhile, there’s all that Microsoft money on the way. We at HPSR are proud of Brian, AbdulAziz, and Simon, but as employees of HP they don’t get to keep the cash. Instead, each was invited to choose a charity to which we’ll donate a portion of the reward. Each selected an educational organization with a strong STEM (science, technology, engineering, math) emphasis. We are pleased to announce that Texas A&M University, Concordia University, and Khan Academy will each receive a third of the bounty.
While Texas A&M and Concordia are both well-respected for their college-level information security programs, the online-only Khan Academy may not be familiar to everyone – at least not as a STEM contender. Simon disagrees. “I find it to be an incredibly exciting project,” he says. “It's fantastic how they're creating a free and comprehensive resource for education in math, science and other subjects for learners of all ages.” We couldn’t agree more.
We believe that excellent, principled security research benefits the entire ecosystem. Sometimes – as with this $125,000 payout, or with the $80,000 Pwn4Fun event at last year’s Pwn2Own – HP Security Research can create additional good in the world through our actions. The Zero Day Initiative and Microsoft have worked together for nearly ten years to make the Internet safer, bringing vulnerabilities to the attention of the people who are best suited to fix them. When that disclosure process is coordinated smoothly among researchers, bounty programs, and companies, we keep safety and research ethics high and drama low – and, sometimes, get the cash flowing to good causes.