Microsoft covers Brit who penetrated Windows 8.1 with GOLD

A UK security researcher has secured the first Microsoft $100,000 bounty after uncovering ways to get around security defences built into Windows 8.1 Preview, the latest version of Redmond's operating system. James Forshaw, head of vulnerability research at Context Information Security, scooped the award for a new mitigation …

COMMENTS

I applaud this approach

Shame it took 15* years to get to the point where falling market share whittled away MS's arrogance to the point they saw the benefit of bounty programmes like this.

* 15 years takes you to the mid 90's, when the increasingly connected world pushed security flaws right up the list of "things to worry about"

8
4
Anonymous Coward

Re: I applaud this approach

"falling market share whittled away MS's arrogance"

Falling market share in what exactly? Microsoft are static at ~92% in the desktop world and are still gaining market share in most other divisions such as server, office, cloud, entertainment, etc....

3
12

Re: I applaud this approach

But desktops are a severely falling share of people's computing experience.

Like saying "We still own 100% of the horse shoe market".

18
3

Re: I applaud this approach

I'd like them to supply the source code for some core modules in addition to offering a bounty for vulns. I bet they would be paying out 10x as much.

2
0

Re: I applaud this approach

D'you know how much a set of horse shoes cost nowadays?

8
0

Re: I applaud this approach

15 years takes you to the point where personal computing actually became popular and Windows was pretty much the only game in town. Don't get me wrong, Microsoft has many issues (including arrogance) but that is not one of them, yet.

BTW, Do you go out of your way to tell YOUR clients you fucked up? I thought not.

Desktop computing is still better than 90% on Windows. Tablets and phones are not the same as PCs and though they are growing quickly, they can't really be compared to a desktop computer as they really don't have the same function or capabilities.

Internet Explorer frankly is getting better all the time and it's competitors suffer from many of the same vulnerabilities.

No software is immune from bugs, holes or security issues and never will be.

Let's try to have a reasoned unbiased approach, unlike politicians and hysterical children.

5
8
Anonymous Coward

Re: I applaud this approach

"Microsoft are static at ~92% in the desktop world"

And what percentage of that is their EOL operating system ?

7
0

Re: I applaud this approach

As luck would have it. Yes.

0
0

Re: I applaud this approach

@AC 9th October 2013 14:09 GMT

.... and at less than 20% of consumer electronics market. They are no longer in the position where they are the only band in town and every body dances to their music. Also, "cloud"? microsoft? don't make me laugh

5
2

Re: I applaud this approach

Let's try to have a reasoned unbiased approach, unlike politicians and hysterical children.

On the Reg's comment boards?

Good luck with that.

6
1

Re: I applaud this approach

Also, "cloud"? microsoft? don't make me laugh

Azure is the operating platform for Apple's iCloud.

Laugh that off.

3
3
Anonymous Coward

Re: I applaud this approach

"We still own 100% of the horse shoe market"

Seeing as there are ~ 60 million horses in the world, that would be 240 million horse shoes that need to be swapped regularly so probably that would be a good comparison....

Annual PC sales might have declined slightly - but are still at ~ 300 million a year - of which Microsoft has an over 90% OS share. Microsoft have rapidly growing revenues from the console, tablet and phone businesses to more than replace any revenue losses from PCs, at least in the medium term....

1
2
Anonymous Coward

Re: I applaud this approach

"I'd like them to supply the source code for some core modules in addition to offering a bounty for vulns"

Access to the Windows source code is already available via a number of routes....

0
2

Re: I applaud this approach

Have you not noticed the dramatic fall in IE market share? Have you not seen the ads on TV for IE? Why are they spending millions on promoting their browser (which they give away)?

The more people move from IE to anything else, the less frightened they will be of trying Linux ...

2
0

Re: I applaud this approach

[ Microsoft have rapidly growing revenues from the console, tablet and phone businesses to more than replace any revenue losses from PCs, at least in the medium term....]

Where have you been over the last 5 years ?

Tablets and phones are losing money "real" fast, 1bn for tabs, hardly any revenue for phones, increasing ad costs and the wp will have to make up for the Nokia deal (5bn) which will take some time ... if they ever exceed 5% market share, that is, I think windows phone will be canned. Ever noticed that new phones since the deal no longer sport the Nokia brand ?

As for Xbox One? Nobody will want that ... Problem is, back when the Xbox 360 came out it was equivalent in perf to a high end PC .... Xbox One is equivalent to an average PC, as in, you can get a better performing PC for less + PCs now have HDMI out - no issues hooking that up to the 50". Games have more features on PCs, ever heard of mods? The second hand game scandal will not help either although they changed their mind on the subject.

2
1

Re: D'you know how much a set of horse shoes cost nowadays?

have you seen the cost of MS licences?

0
0

Re: I applaud this approach @Don Paul

"BTW, Do you go out of your way to tell YOUR clients you fucked up? I thought not."
Hold on. You thought that before this nobody thought that there were bugs in MS software? You forgot the joke icon :)

However, I gave you an up vote for the rest of your post. One bugbear of mine is the people who compare the number of tablets bought vs. laptops. They might as well say that there were more skateboards bought than cars (after all, they're both used to go from one place to another)

1
1
Z80

Re: I applaud this approach

"Seeing as there are ~ 60 million horses in the world, that would be 240 million horse shoes that need to be swapped regularly"

Are you saying that all horses are shod?

1
0
Anonymous Coward

Yep - even IE is increasing its market share...

2
6

Maybe, but I still think IE is bloody awful

2
0
Anonymous Coward

Correction

"Redmond explains that payouts for new mitigation techniques are far more generous than come for fingering flaws in Internet Explorer because"

1. there is a near-infinite supply of those anyway

2. it would be too expensive to pay a decent amount for every one

2
0

Missing joke icon, for sure

That is what I thought and the reason I upvoted you ...

0
0

+1 for the tag line....

Giggle

0
0

Seems that in today's world you get paid more for breaking software than making it!

0
0
Wo

As a tester...

I wish that were true.

3
0
Anonymous Coward

Sorry state of affairs

Security should be baked in, not outsourced to people on the internet to find.

2
8

Re: Sorry state of affairs

There is, whether one likes it or not, a certain "wood for the trees" phenomenon here, i.e. those working most closely on a project lose perspective (however much they are aware of this and try to avoid it). I think Redmond are very wise to provide these incentives to external researchers who have a more dispassionate relationship to the task concerned.

4
0
Anonymous Coward

Re: Sorry state of affairs

Unfortunately, two things can push back against security.

One is performance. Doing the necessary security checks eats into performance, and this could be problematic in a demanding thing like a high-speed device driver. Makes me wonder what happens when you need a SECURE high-performance driver and find you lack the resources to do both at once acceptably.

Another is "tunnel vision". Being surrounded by the code all day means your perspective becomes locked into that code. Not much you can do about that as it's basically part of human conditioning: helps us to focus, but it's a bad thing when thinking outside the box (necessary for security testing) is required. So basically, you HAVE to look outside to get a fresh pair of eyes.

4
0
Anonymous Coward

Re: Sorry state of affairs

And you have the ability to find these vulnerabilities in someone else's code? And you're perfect and do everything right the first time, under incredible pressure to meet tight deadlines?

You should stop wasting time commenting on El Reg and start your own consultancy.

2
2
h3

Re: Sorry state of affairs

If that is the situation then you do more as part of the device by whatever means. (ASIC loads of techniques that can be used). Look at how long the CPS3 security system lasted.

0
0
Anonymous Coward

Re: Sorry state of affairs

"Security should be baked in"

Well it's more baked in in recent Microsoft OSs than any close competitor.

For instance you don't need bolt-ons like SEL or Knox to make Windows OSs FIPS 140-2 compliant....

Windows also has a proper security model with full constrained delegation of rights - not the kludge of SUDO - which always has to run as root / UID0 so that it can read the Passwd file...

1
4

Love the term "Blue Hat"

Nice to see someone getting paid to uphold good security practises though.

0
0
Anonymous Coward

I think the editor missed a conversion, £100,000 != $100,000 it's either 1.6 x GBP in gold or 1.6 x GBP in cash. Or a way to make infinite money buying gold and changing it for cash.

0
0

Just one question about that headline... What's "GOLD" actually got to do with it?!

Is it because he wants...

GOLD! (Gold!)

Always believe there are holes

He had the power to know

That they are vulnerable

Always believin', he wants...

GOLD! (Gold!)

- Copywrong 1893 Spandex Bollocks

The Kray Twins are currently appearing in "Run for your Wife" at Her Majesty's Theatre. Other 80s new romantic turned white boy soul bands are available.

3
0

LET IT DIE

Microsoft is dead, has been 20 years, only "bundlers" make it work, it was always a single PC system from start, adapted to web, where unix/linux is/always a web based security model, you buy windows at kmart !!!

Let it die, I am sick of its issues and updates, holes, and misuse of system resources to sell you stuff .....

3
8
Anonymous Coward

Re: LET IT DIE

WTF is a web based security model and how could an OS designed before the WWW have one?

3
1

Re: LET IT DIE

Linux had a security system, yes, so did other machines, my best & still favourite is an old Amiga 2000, souped up, that is impervious to the bugs that roam, so it still sails the web, and what was netscape up to with novell for DOS etc ? Security has been around for a while, people just like cheap easy crap ....

1
1

Re: LET IT DIE

AND PS... ever heard of BBS, telnet, irc, teletext ? All online things before the internet, some required security, others ran windows ......

0
1

Re: LET IT DIE

And they were secure because nobody used them outside of secure premises. Where they transmitted data - like, for example, teletype - they were absolutely NOT secure.

And you're a knob.

2
1
Anonymous Coward

Re: LET IT DIE

IRC ran before the Internet?

Internet

Relay

Chat

before the internet, are you sure?

3
0
Anonymous Coward

Re: LET IT DIE

Also, you're getting teletext and view data mixed up.

Teletext is a transmit only service via spare lines in the PAL TV transmission system. There aren't going to be any security issues here, for obvious reasons.

Viewdata is similar but used in properly interactive services like Prestel generally over POTS. There were problems with security here and there were court cases where people hacked Prestel.

0
0
Anonymous Coward

Re: LET IT DIE

"Microsoft is dead, has been 20 years"

Near universal quarter on quarter revenue increases over that period would beg to differ...

2
0

Re: LET IT DIE

"My best & still favourite is an old Amiga 2000, souped up, that is impervious to the bugs that roam"

Er, seriously? No-one's writing exploits for the Amiga 2000 because only about 3 people are likely to be trying to browse the web on one!

Seriously, they were bloody outstanding and powerful machines when they were new (far superior to the contemporary PCs in both hardware and OS terms), but that was the mid to late 80s. The original 68000 based Amigas would already have been underpowered for browsing even almost 20 years ago when the two-pages-of-text-and-a-GIF-or-JPEG-if-you're-lucky web started becoming prominent. I doubt they'd even load anything more than the most basic modern pages.

I'm sure that people are still running Amiga 2000s, but not for serious web browsing! You might be able to target the 27 or so diehard Amiga fanatics running the allegedly "modern" models like the "Amiga One", but those are nothing like the Amiga 2000 or the classic Amigas in general.

0
0

This post has been deleted by a moderator


Re: LET IT DIE

I am sorry, about last post but, being a granddad I can get snappy with youngsters, Let me try to clarify this for you, this is year 43 with PCs for me, I sold your parents' generation Commodore Vic20s, C64, C128, Amiga, Amstrads, Ataris, Segas, Mega, thingys ...... ALL developments of previous technology, My first "home" PC, a TRS80 Mod 1 Lev 1, 2k RAM if I remember correctly, but I expanded to 4k, so I could program Hangman ....

You SEE a beautiful Windows 8, I see GEOS on Commodore 64, coloured boxes you click on to get at your files ... (not to mention, Concurrent CP/M), You see Internet and give Bill Gates' birthday as start ? OK, I wish they had a party, sorry we were using the tech, windows was always a spectrum with some users, not the whole light ....

You see wonderful easy "internet", I still have a 300 baud acoustic coupler here, and a working Chedai Lapcrusher, 512k RAM, 20 meg HD, CGA, amongst other old machines that still function fine, I still play a game on VIC 20 now and again, just for the hell of it ...

This ALL didn't happen overnight, it was an evolution, constant improvement on previous designs, we users just kept paying for it to keep working, it amazes me that some dweebs still want companies like microsoft to control it, or that make you think they own it ...

Watch an old Star Trek episode, when they pull up info on bridge "screen", from the database, very basic, funny, and still want a PC with lots of flashing lights on front !!!

I love how my old tired Amiga slave army, with lowly WB3.1, still manages to run LightWave 3D fine as Toaster farm for family wedding/party videos occasionally ....

These old things still work, 'cause they have the OS & software they were designed for, I left them alone, use them like that, no upgrading after a point, only repairs, DOS 2.11 did not stop working when DOS 3.0 came out ...

But using linux over last 20 years has shown be betters ways ..

0
0

Re: LET IT DIE

Hasn't shown any betters spelling, has it?

0
0

I have the secret to not having to deal with any Microsoft bug ever again. They don't want to hear it... (Then again they likely do).... It's NOT to use any Microsoft product post April 2014... You needn't live in perpetual fear of Patch Tuesday any longer. When you have switched to using Mint Linux!

1
1
Anonymous Coward

Yes, Mint never has any updates, it's perfect and all the updates that it doesn't have work properly first time. Hmm...

In my experience Windows and Linux updates go wrong about the same amount ie: barely at all.

2
2
Anonymous Coward

"You needn't live in perpetual fear of Patch Tuesday any longer. When you have switched to using Mint Linux!"

erm - you know Mint (Ubuntu) has had several times more vulnerabilities than current versions of Windows? So no fear of patch Tuesday. Just a replacement fear of more randomly released patches...

Oh - and you know the latest version is only supported until Jan 2014? Despite only being released in April 2013? Just LOL at replacing Windows with that...

0
3

You cannot really compare Linux with Windows in that respect ... I mean, you update windows and linux pretty much as often, Windows has you reboot 27 times a year for updates - on linux that would be 4 to 5

Linux: new kernel -> reboot

Windows: new notepad.exe patch -> reboot

Windows is the only system I know where I have to unplug a USB printer to install the driver, where the driver software needs more than one reboot - one reboot is already bad, but two ?

I seriously do not know what windows is doing in businesses ... I used it for a full month (Windows 7) and the fully updated + latest drivers could not handle hibernate mode properly or unplugging the power cord - in both cases the wifi would just go (no use disabling/enabling device - the card was "disabled" as if I had pressed the button to turn it off). The wifi would also drop every few hours, enabling/disabling the device fixes it but it sucks for online games.

Then you get these delta-search lollipop blahblah toolbars (I see that on PCs I repair all the time), never seen that on Mac or Linux ...

Then come Patchy Tuesday, it asks for a reboot, which you can postpone twice (4 hours each, 8 hours total), then it will just reboot without warning -> you lose work so you install Linux to avoid losing work.

Seriously, Windows is gonna go! People are really tired of all this shit ...

2
0
