Date: 2013-10-08
By Jim Finkle

BOSTON, Oct 8 - Microsoft Corp said on Tuesday it is paying a well-known hacking expert more than $100,000 for finding security holes in its software, one of the largest such bounties awarded to date by a high-tech company.
The software maker also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the world's most popular browser vulnerable to remote attack.
James Forshaw, who heads vulnerability research at London-based security consulting firm Context Information Security, won Microsoft's first $100,000 bounty for identifying a new "exploitation technique" in Windows, which will allow it to develop defenses against an entire class of attacks, the software maker said on Tuesday.
Forshaw earned another $9,400 for identifying security bugs in a preview release of Microsoft's Internet Explorer 11 browser, Katie Moussouris, senior security strategist with Microsoft Security Response Center, said in a blog.
Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the vast majority of the world's personal computers.
Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard Co for identifying a way to "pwn," or take ownership of, Oracle Corp's Java software in a high-profile contest known as Pwn2Own (pronounced "pown to own").
Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month.
Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that the cybersecurity firm FireEye has dubbed DeputyDog.
Marc Maiffret, chief technology officer of the cybersecurity firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft's disclosure of the issue brought it to the attention of cyber criminals.
He is advising computer users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates.
"Any time they patch something that has already been used (to launch attacks) in the wild, then it is critical to apply the patch," Maiffret said.
That vulnerability in Internet Explorer was known as a "zero-day" because Microsoft, the targeted software maker, had zero days' notice to fix the hole when the initial attacks exploiting the bug were discovered.
In an active, underground market for "zero day" vulnerabilities, criminal groups and governments sometimes pay $1 million or more to hackers who identify such bugs.