Windows 10: Microsoft updating terms of mitigation bypass bounty to remove CFG

Brink · Oct 3, 2018

Last week at BlueHat’s “MSRC Listens” session, I took the stage with Mechele Gruhn, manager of the Vulnerability Response PM team, to explain how MSRC is changing our communication, workflows, and tooling to deliver an improved user experience for our partners in the security research community. We promised to communicate more about what’s happening in the MSRC that affects our customers and research partners.

We weren’t expecting to get an opportunity to demonstrate this commitment quite so soon.

Back in June 2018, Microsoft updated the terms and conditions of our mitigation bypass bounty. As Joe Bialek of MSRC’s Vulnerabilities & Mitigations Team explained in a blog about the scope change, we’ve learned a lot from the great research into CFG bypasses and what we need to do to harden it, so we removed it from the list of targets. However, when MSRC migrated to a new website in August we accidentally published the old bounty terms, not the most current ones. We discovered this during BlueHat, when mitigation bypass researchers Alex Ionescu and Yunhai Zhang pointed out that CFG had re-entered the list of in-scope targets and asked if this was intentional.

Today, we’re updating the terms of the mitigation bypass bounty to remove CFG (again). If you submitted an eligible report of a CFG mitigation bypass between August 7, 2018 and today, we will evaluate the submission under the bounty terms that were published at the time of your submission.

We also see a clear opportunity to make other improvements to increase the transparency of bounty scope changes in the future.

First, we’ll bring back change logging on the page describing each bounty, just as we do today for our security update documentation.

Second, we’ll add the last edited date to the page of currently active bounty programs.

Both changes should make it easier for any researcher to determine the exact terms of the bounty both at the time they made their report, and at the time a fix is shipped. We plan to implement both of these changes in the coming weeks.

This is hard. We all want to get things right the first time and it’s embarrassing to admit it when we don’t. But having made this commitment at BlueHat, we will honor it: this is what happened, this is how we plan to avoid it in future, and this is what we’ll do to fix it today.

Kymberlee Price
Principal Security PM Manager
MSRC Community Programs

With contributions from: Christa Anderson, Matt Miller, & Matthew Dressman
Click to expand...

Source: Standing behind "MSRC Listens" - MSRC

:)

Brink · Oct 3, 2018

Announcing Changes to Microsoft’s Mitigation Bypass Bounty

Today we’re announcing a change to the Mitigation Bypass Bounty that removes Control Flow Guard (CFG) from the set of in-scope mitigations. In this blog, we’ll provide additional background and explain why we’re making this change.

Mitigation Bypass Bounty Background

Microsoft started the Mitigation Bypass Bounty in 2013 with the goal of helping us improve key defense-in-depth mitigation technologies by learning about bypasses. Since launching this program, we’ve awarded more than $1,000,000 in bounties and fixed numerous bypasses reported in our exploit mitigations and are looking forward to growing that number in the future.

One of the challenges we’ve faced with the Mitigation Bypass bounty program is providing clear guidance to researchers on what sorts of issues are in-scope vs. out-of-scope and what sort of cash reward can be expected. We’ve made several changes over the past few years to try to improve the situation here, such as:

More clearly defining payout tiers for different types of mitigation bypasses (i.e. bugs vs. design problems).

Being more transparent about the types of issues we are currently aware of so researchers know what types of bypasses are out of scope.

Even with these changes, we know we’re not perfect and we continue to listen to feedback and make changes to be more researcher friendly.

Impact of Exploit Mitigations on Exploitation

One datapoint monitored by Microsoft is the occurrences of vulnerabilities being exploited in the wild. Microsoft has seen the amount of vulnerabilities exploited in the wild decrease steadily over the past 8 years.

We believe that part of the reason for the decline of known exploits in the wild is the increase in exploitation difficulty, which transitively affects the economics of vulnerability exploitation. We attribute a large part of the increased difficulty to Microsoft’s continued investment in exploit mitigation technologies such as CFG, Arbitrary Code Guard (ACG), Code Integrity Guard (CIG), MemGC, and so on.

Before we launched the Mitigation Bypass Bounty, we were more heavily reliant on analyzing exploits found in the wild to identify mitigation opportunities. This created lag between technique use in the wild and mitigation availability. To shorten this lag time, we launched the Mitigation Bypass Bounty to proactively learn about bypasses before they were used in the wild.

CFG has been a particularly popular Mitigation Bypass Bounty target for security researchers. Thanks to this research, we’ve learned a lot about a variety of bugs and design limitations affecting CFG. This has caused us to reevaluate the threat model that we need to defend against for more robust CFI. In order to do that, we know we will need to extend and improve the design of CFG, e.g. with finer-grained CFI, read-only memory protection, safe unwind/exception handling, and so on. We recently talked about the challenges with CFG and how our threat model has evolved ( | Slides).

oOqpl-2rMTw

Microsoft has also received submissions and made fixes for other targets in the Mitigation Bypass Bounty, such as ACG. Researchers can expect that as we build new mitigations we will add them as bounty targets.

Changes to the Mitigation Bypass Bounty Scope

As of today, CFG has been removed from the set of in-scope mitigations for the Mitigation Bypass Bounty. We believe we now have a good understanding of the limitations of CFG and the threat model we need to adapt the design to. We do not believe that additional research into CFG bypasses will be valuable until we’ve addressed these limitations and we would rather that researchers focus their attention on the other in-scope mitigations for the bounty. Although we are removing CFG from the bounty scope, we have no intention to remove or deprecate the feature and we still believe it is a valuable defense-in-depth mitigation. We look forward to bringing it back in scope once we’ve made improvements to CFG.

As always, we’d appreciate feedback from the community on this or any related topics.

Joe Bialek
MSRC Vulnerabilities & Mitigations Team
Click to expand...

Source: Announcing Changes to Microsoft's Mitigation Bypass Bounty Defense

Brink · Oct 3, 2018

Microsoft Bounty Programs Expansion – Azure and Project Spartan

I am excited to announce significant expansions to the Microsoft Bounty Programs. We are evolving the 'Online Services Bug Bounty, launching a new bounty for Project Spartan, and updating the Mitigation Bypass Bounty.

This continued evolution includes additions to the Online Services Bug Bounty Program:

Azure

Azure is Microsoft’s cloud platform and the backbone of Microsoft cloud services.

This program will include a number of Azure services, such as: Azure virtual machines, Azure Cloud Services, Azure Storage, Azure Active Directory and much more

Sway.com

Sway.com is a web application that lets users express ideas in an entirely new way across many devices and platforms

Raising the maximum payout for the Online Services Bounty Program

We will pay up to $15,000 USD for critical bugs, as always, more for more impactful and better documented bugs.

We’re also launching a new bounty related to the Windows 10 Technical Preview:

Project Spartan Bug Bounty

Microsoft’s new browser will be the onramp to the internet for millions of users when Windows 10 launches later this year. Securing this platform is a top priority for the browser team.

This bounty includes Remote Code Execution and Sandbox Escapes, as well as design-level security bugs.

Always be sure to use the latest version released in the Windows 10 Technical Preview

Microsoft will pay up to $15,000 USD for security vulnerabilities reported in Project Spartan, you can see the specifics in the program terms. Don’t hesitate as the Project Spartan Bug Bounty will run from April 22, 2015 to June 22, 2015

The bounties for Spartan are tiered by the criticality of the issue reported, as well as the quality of the documentation and how reproducible the issue is.

The Mitigation Bypass bounty and the Bonus bounty for Defense are both very active, paying up to $100,000 USD for novel methods to bypass active mitigations (e.g. ASLR and DEP) in our latest released version of operating system (currently Windows 8.1 and Server 2012 R2) and a bonus of up to $50,000 USD for actionable defense techniques to the reported bypass. We have one addition to the Mitigation bypass bounty:

Hyper-V escape

Guest-to-Host

Guest-to-Guest

Guest-to-Host DoS (non-distributed, from a single guest)

These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud. The additions to the bounty program will be part of the rigorous security programs at Microsoft. They will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services and Security and Compliance Accreditations by third party audits.

Microsoft has a long history of working closely with security researchers. Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work. I can say that we truly value these contributions. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time. We will be regularly managing the Microsoft Bounty Programs to help us best protect our many users.

Mark Russinovich will be sharing some information in his “Assume Breach: An Inside Look at Cloud Service Provider Security” talk. You can also come by the Microsoft Booth at RSA on April 23, 2PM for a Bounty Program Q&A or you can always find the most up to date information about our bounty programs at https://aka.ms/BugBounty and in the associated terms and FAQs.

I’m looking forward to seeing some great submissions!
Jason Shirk
Click to expand...

Source: Microsoft Bounty Programs Expansion – Azure and Project Spartan - Microsoft Security Response Center - Site Home - TechNet Blogs

Raevenlord · Oct 3, 2018

Microsoft Announces the Windows Bounty Program

While Microsoft has been offering bug bounty incentives since at least 2012, Google has arguably been much more vocal in its bug bounty programs. The company recently increased the maximum payout in its bug bounty programs (mainly focused on Android) to a staggering $200,000, and now Microsoft is not only following suit - it's upping the game.

With the Windows Bounty Program, which Microsoft announced yesterday, the company is looking towards an increased incentive to security-hardening suggestions from tech-savvy users. This program will extend to all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. And incentives starting at $500 and going all the way up to $250,000 are very, very respectful.

Source: Blogs.Technet @ Microsoft

Windows 10: Microsoft updating terms of mitigation bypass bounty to remove CFG

Microsoft updating terms of mitigation bypass bounty to remove CFG

Microsoft updating terms of mitigation bypass bounty to remove CFG

Microsoft updating terms of mitigation bypass bounty to remove CFG

Microsoft updating terms of mitigation bypass bounty to remove CFG - Similar Threads - Microsoft updating terms

Microsoft Announces the Xbox Bounty program

Microsoft Announces the Microsoft Edge Insider Bounty

Microsoft Bounty Program Updates

Microsoft launches Identity Bounty program

Can Spectre, Meltdown etc mitigations be bypassed?

Can Spectre, Meltdown etc mitigations be bypassed?

Announcing Changes to Microsoft’s Mitigation Bypass Bounty

Extending the Microsoft Office Bounty Program

Extending Microsoft Edge Bounty Program