HackerSecret.com - The Most Authoritative Site in the World on the Hacking Tools and Techniques, Penetration Testing and CyberSecurity


Announcing Changes to Microsoft’s Mitigation Bypass Bounty

by / Friday, 14 June 2019 / Published in Hacking

Today we’re announcing a change to the Mitigation Bypass Bounty that removes Control Flow Guard (CFG) from the set of in-scope mitigations. In this blog, we’ll provide additional background and explain why we’re making this change.

Mitigation Bypass Bounty Background

Microsoft started the Mitigation Bypass Bounty in 2013 with the goal of helping us improve key defense-in-depth mitigation technologies by learning about bypasses. Since launching this program, we’ve awarded more than $1,000,000 in bounties and fixed numerous bypasses reported in our exploit mitigations, and we are looking forward to growing that number in the future.

One of the challenges we’ve faced with the Mitigation Bypass bounty program is providing clear guidance to researchers on what sorts of issues are in-scope vs. out-of-scope and what sort of cash reward can be expected. We’ve made several changes over the past few years to try to improve the situation here, such as:

  1. More clearly defining payout tiers for different types of mitigation bypasses (i.e. bugs vs. design problems).
  2. Being more transparent about the types of issues we are currently aware of so researchers know what types of bypasses are out of scope.

Even with these changes, we know we’re not perfect and we continue to listen to feedback and make changes to be more researcher friendly.

Impact of Exploit Mitigations on Exploitation

One datapoint monitored by Microsoft is the occurrence of vulnerabilities being exploited in the wild. Microsoft has seen the number of vulnerabilities exploited in the wild decrease steadily over the past 8 years.

We believe that part of the reason for the decline of known exploits in the wild is the increase in exploitation difficulty, which transitively affects the economics of vulnerability exploitation. We attribute a large part of the increased difficulty to Microsoft’s continued investment in exploit mitigation technologies such as CFG, Arbitrary Code Guard (ACG), Code Integrity Guard (CIG), MemGC, and so on.

Before we launched the Mitigation Bypass Bounty, we were more heavily reliant on analyzing exploits found in the wild to identify mitigation opportunities. This created lag between technique use in the wild and mitigation availability. To shorten this lag time, we launched the Mitigation Bypass Bounty to proactively learn about bypasses before they were used in the wild.

CFG has been a particularly popular Mitigation Bypass Bounty target for security researchers. Thanks to this research, we’ve learned a lot about a variety of bugs and design limitations affecting CFG. This has caused us to reevaluate the threat model that we need to defend against for more robust CFI. In order to do that, we know we will need to extend and improve the design of CFG, e.g. with finer-grained CFI, read-only memory protection, safe unwind/exception handling, and so on. We recently talked about the challenges with CFG and how our threat model has evolved (Video | Slides).
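CFG, ACG and the other mitigations named above only protect an image that opts into them at link time, so a practical defender's check is whether a given binary actually carries the opt-in. The script below is an added example, not code from the original post or from Microsoft: it parses the DllCharacteristics field of a Windows PE optional header, where the linker records the Control Flow Guard (/guard:cf), DEP (/NXCOMPAT), ASLR (/DYNAMICBASE) and high-entropy ASLR flags, and reports which mitigations an image lacks. The sample image it inspects is a constructed, hand-built header fixture (not a real executable); the flag values and offsets come from the PE/COFF format.

```python
"""Report which exploit mitigations a PE image opts into via DllCharacteristics.

Added example (not from the original post or from Microsoft). The image used
in __main__ is a constructed minimal header, not a real binary.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

MITIGATION_FLAGS = {
    "CFG": IMAGE_DLLCHARACTERISTICS_GUARD_CF,
    "DEP": IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
    "ASLR": IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
    "HighEntropyASLR": IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
}


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image; ValueError on malformed input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER is 20 bytes; SizeOfOptionalHeader is its 16th byte onward.
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return dll_chars


def mitigation_report(image: bytes) -> dict:
    """Map each mitigation name to whether the image's linker opted into it."""
    chars = read_dll_characteristics(image)
    return {name: bool(chars & flag) for name, flag in MITIGATION_FLAGS.items()}


def missing_mitigations(image: bytes) -> list:
    """Names of mitigations the image does not opt into, in MITIGATION_FLAGS order."""
    return [name for name, enabled in mitigation_report(image).items() if not enabled]


def build_sample_image(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal, non-loadable PE header carrying the given DllCharacteristics.

    Constructed test fixture: only the fields the parser reads are populated.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 or I386
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_of_optional, 0x22)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A constructed image that opted into DEP and ASLR but was not linked with /guard:cf.
    sample = build_sample_image(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print(mitigation_report(sample))
    print("missing:", missing_mitigations(sample))
```

The GUARD_CF bit only says the image was linked with CFG support; the finer detail (the guard flags and the function table the runtime checks against) lives in the load configuration directory, which this example does not parse. On a Windows build machine, `dumpbin /headers` and `dumpbin /loadconfig` show the same information for real binaries, which is a convenient way to cross-check the parser's output.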

Microsoft has also received submissions and made fixes for other targets in the Mitigation Bypass Bounty, such as ACG. Researchers can expect that as we build new mitigations we will add them as bounty targets.

Changes to the Mitigation Bypass Bounty Scope

As of today, CFG has been removed from the set of in-scope mitigations for the Mitigation Bypass Bounty. We believe we now have a good understanding of the limitations of CFG and the threat model we need to adapt the design to. We do not believe that additional research into CFG bypasses will be valuable until we’ve addressed these limitations and we would rather that researchers focus their attention on the other in-scope mitigations for the bounty. Although we are removing CFG from the bounty scope, we have no intention to remove or deprecate the feature and we still believe it is a valuable defense-in-depth mitigation. We look forward to bringing it back in scope once we’ve made improvements to CFG.

As always, we’d appreciate feedback from the community on this or any related topics.


Joe Bialek

MSRC Vulnerabilities & Mitigations Team

Security Research & Defense
