Microsoft covers Brit who penetrated Windows 8.1 with GOLD

A UK security researcher has secured the first Microsoft $100,000 bounty after uncovering ways to get around security defences built into Windows 8.1 Preview, the latest version of Redmond's operating system. James Forshaw, head of vulnerability research at Context Information Security, scooped the award for a new mitigation …

COMMENTS

This topic is closed for new posts.
  1. FartingHippo
    Alert

    I applaud this approach

    Shame it took 15* years to get to the point where falling market share whittled away MS's arrogance to the point they saw the benefit of bounty programmes like this.

    * 15 years takes you to the mid 90's, when the increasingly connected world pushed security flaws right up the list of "things to worry about"

    1. Anonymous Coward

      Re: I applaud this approach

      "falling market share whittled away MS's arrogance"

      Falling market share in what exactly? Microsoft are static at ~92% in the desktop world and are still gaining market share in most other divisions such as server, office, cloud, entertainment, etc....

      1. OhDearHimAgain

        Re: I applaud this approach

        But desktops are a severely falling share of people's computing experience.

        Like saying "We still own 100% of the horse shoe market".

        1. David Grierson
          Alert

          Re: I applaud this approach

          D'you know how much a set of horse shoes cost nowadays?

          1. Only me!
            Joke

            Re: I applaud this approach

            As luck would have it. Yes.

          2. hplasm
            Happy

            Re: D'you know how much a set of horse shoes cost nowadays?

            have you seen the cost of MS licences?

        2. Anonymous Coward

          Re: I applaud this approach

          "We still own 100% of the horse shoe market."

          Seeing as there are ~ 60 million horses in the world, that would be 240 million horse shoes that need to be swapped regularly so probably that would be a good comparison....

          Annual PC sales might have declined slightly - but are still at ~ 300 million a year - of which Microsoft has an over 90% OS share. Microsoft have rapidly growing revenues from the console, tablet and phone businesses to more than replace any revenue losses from PCs, at least in the medium term....

          1. Hans 1

            Re: I applaud this approach

            [ Microsoft have rapidly growing revenues from the console, tablet and phone businesses to more than replace any revenue losses from PCs, at least in the medium term....]

            Where have you been over the last 5 years ?

            Tablets and phones are losing money "real" fast, 1bn for tabs, hardly any revenue for phones, increasing ad costs and the wp will have to make up for the Nokia deal (5bn) which will take some time ... if they ever exceed 5% market share, that is, I think windows phone will be canned. Ever noticed that new phones since the deal no longer sport the Nokia brand ?

            As for Xbox one ? Nobody will want that ... Problem is, back when the Xbox 360 came out it was equivalent in perf to a high end PC .... Xbox One is equivalent to an average PC, as in, you can get a better performing PC for less + PC's now have HDMI out - no issues hooking that up to the 50". Games have more features on PC's, ever heard of mods ? The second hand game scandal will not help either although they changed their mind on the subject.

          2. Z80

            Re: I applaud this approach

            "Seeing as there are ~ 60 million horses in the world, that would be 240 million horse shoes that need to be swapped regularly"

            Are you saying that all horses are shod?

      2. Anonymous Coward

        Re: I applaud this approach

        "Microsoft are static at ~92% in the desktop world"

        And what percentage of that is their EOL operating system ?

      3. Tomato42
        Linux

        Re: I applaud this approach

        @AC 9th October 2013 14:09 GMT

        .... and at less than 20% of consumer electronics market. They are no longer in the position where they are the only band in town and everybody dances to their music. Also, "cloud"? microsoft? don't make me laugh

        1. dogged

          Re: I applaud this approach

          Also, "cloud"? microsoft? don't make me laugh

          Azure is the operating platform for Apple's iCloud.

          Laugh that off.

      4. Hans 1

        Re: I applaud this approach

        Have you not noticed the dramatic fall in ie market share ? Have you not seen the ads on TV for ie ? Why are they spending millions on promoting their browser (which they give away) ?

        The more people move from ie to anything else will be less frightened of trying linux ...

    2. DrXym

      Re: I applaud this approach

      I'd like them to supply the source code for some core modules in addition to offering a bounty for vulns. I bet they would be paying out 10x as much.

      1. Anonymous Coward

        Re: I applaud this approach

        "I'd like them to supply the source code for some core modules in addition to offering a bounty for vulns"

        Access to the Windows source code is already available via a number of routes....

    3. Dan Paul

      Re: I applaud this approach

      15 years takes you to the point where personal computing actually became popular and Windows was pretty much the only game in town. Don't get me wrong, Microsoft has many issues (including arrogance) but that is not one of them, yet.

      BTW, Do you go out of your way to tell YOUR clients you fucked up? I thought not.

      Desktop computing is still better than 90% on Windows. Tablets and phones are not the same as PC's and though they are growing quickly, they can't really be compared to a desktop computer as they really don't have the same function or capabilities.

      Internet Explorer frankly is getting better all the time and its competitors suffer from many of the same vulnerabilities.

      No software is immune from bugs, holes or security issues and never will be.

      Let's try to have a reasoned unbiased approach, unlike politicians and hysterical children.

      1. dogged
        Meh

        Re: I applaud this approach

        Let's try to have a reasoned unbiased approach, unlike politicians and hysterical children.

        On the Reg's comment boards?

        Good luck with that.

      2. BristolBachelor Gold badge

        Re: I applaud this approach @Don Paul

        "BTW, Do you go out of your way to tell YOUR clients you fucked up? I thought not."
        Hold on. You thought that before this nobody thought that there were bugs in MS software? You forgot the joke icon :)

        However, I gave you an up vote for the rest of your post. One bugbear of mine is the people who compare the number of tablets bought vs. laptops. They might as well say that there were more skateboards bought than cars (after all, they're both used to go from one place to another)

  2. Anonymous Coward

    Yep - even IE is increasing its market share...

    1. Philip Lewis

      Maybe, but I still think IE is bloody awful

      1. Anonymous Coward

        Correction

        "Redmond explains that payouts for new mitigation techniques are far more generous than come for fingering flaws in Internet Explorer because"

        1. there is a near-infinite supply of those anyway

        2. it would be too expensive to pay a decent amount for every one

    2. Hans 1

      Missing joke icon, for sure

      That is what I thought and the reason I upvoted you ...

  3. theblackhand

    +1 for the tag line....

    Giggle

  4. Jon Gibbins

    Seems that in today's world you get paid more for breaking software than making it!

    1. Wo

      As a tester...

      I wish that were true.

  5. Anonymous Coward

    Sorry state of affairs

    Security should be baked in, not outsourced to people on the internet to find.

    1. Arctic fox
      Headmaster

      Re: Sorry state of affairs

      There is, whether one likes it or not a certain "wood for the trees" phenomenon here. IE. That those working most closely on a project lose perspective (however much they are aware of this and try to avoid it). I think Redmond are very wise to provide these incentives to external researchers who have a more dispassionate relationship to the task concerned.

    2. Anonymous Coward

      Re: Sorry state of affairs

      Unfortunately, two things can push back against security.

      One is performance. Doing the necessary security checks eats into performance, and this could be problematic in a demanding thing like a high-speed device driver. Makes me wonder what happens when you need a SECURE high-performance driver and find you lack the resources to do both at once acceptably.

      Another is "tunnel vision". Being surrounded by the code all day means your perspective becomes locked into that code. Not much you can do about that as it's basically part of human conditioning: helps us to focus, but it's a bad thing when thinking outside the box (necessary for security testing) is required. So basically, you HAVE to look outside to get a fresh pair of eyes.

      1. h3

        Re: Sorry state of affairs

        If that is the situation then you do more as part of the device by whatever means. (ASIC loads of techniques that can be used). Look at how long the CPS3 security system lasted.

    3. Anonymous Coward

      Re: Sorry state of affairs

      And you have the ability to find these vulnerabilities in someone else's code? And you're perfect and do everything right the first time, under incredible pressure to meet tight deadlines?

      You should stop wasting time commenting on El Reg and start your own consultancy.

    4. Anonymous Coward

      Re: Sorry state of affairs

      "Security should be baked in"

      Well it's more baked in in recent Microsoft OSs than any close competitor.

      For instance you don't need bolt-ons like SEL or Knox to make Windows OSs FIPS 140-2 compliant....

      Windows also has a proper security model with full constrained delegation of rights - not the kludge of SUDO - which always has to run as root / UID0 so that it can read the Passwd file...

  6. Hulkamania

    Love the term "Blue Hat"

    Nice to see someone getting paid to uphold good security practices though.

  7. Anonymous Coward

    I think the editor missed a conversion, £100,000 != $100,000 it's either 1.6 x GBP in gold or 1.6 x GBP in cash. Or a way to make infinite money buying gold and changing it for cash.

  8. Michael Strorm Silver badge

    Just one question about that headline... What's "GOLD" actually got to do with it?!

    Is it because he wants...

    GOLD! (Gold!)

    Always believe there are holes

    He had the power to know

    That they are vulnerable

    Always believin', he wants...

    GOLD! (Gold!)

    - Copywrong 1893 Spandex Bollocks

    The Kray Twins are currently appearing in "Run for your Wife" at Her Majesty's Theatre. Other 80s new romantic turned white boy soul bands are available.

  9. JamesTQuirk

    LET IT DIE

    Microsoft is dead, has been 20 years, only "bundlers" make it work, it was always a single PC system from start, adapted to web, where unix/linux is/always a web based security model, you buy windows at kmart !!!

    Let it die, I am sick of its issues and updates, holes, and misuse of system resources to sell u stuff .....

    1. Anonymous Coward

      Re: LET IT DIE

      WTF is a web based security model and how could an OS designed before the WWW have one?

      1. JamesTQuirk

        Re: LET IT DIE

        Linux had a security system, yes, so did other machines, my best & still favourite is an old Amiga 2000, souped up, that is impervious to the bugs that roam, so it still sails the web, and what was netscape up to with novell for DOS etc ? Security has been around for a while, people just like cheap easy crap ....

        1. Michael Strorm Silver badge

          Re: LET IT DIE

          "My best & still favourite is an old Amiga 2000, souped up, that is impervious to the bugs that roam"

          Er, seriously? No-one's writing exploits for the Amiga 2000 because only about 3 people are likely to be trying to browse the web on one!

          Seriously, they were bloody outstanding and powerful machines when they were new (far superior to the contemporary PCs in both hardware and OS terms), but that was the mid to late 80s. The original 68000 based Amigas would already have been underpowered for browsing even almost 20 years ago when the two-pages-of-text-and-a-GIF-or-JPEG-if-you're-lucky web started becoming prominent. I doubt they'd even load anything more than the most basic modern pages.

          I'm sure that people are still running Amiga 2000s, but not for serious web browsing! You might be able to target the 27 or so diehard Amiga fanatics running the allegedly "modern" models like the "Amiga One", but those are nothing like the Amiga 2000 or the classic Amigas in general.

      2. JamesTQuirk

        Re: LET IT DIE

        AND PS... ever heard of BBS, telnet, irc, teletext ? All online things before the internet some required security, others ran windows ......

        1. dogged

          Re: LET IT DIE

          And they were secure because nobody used them outside of secure premises. Where they transmitted data - like, for example, teletype - they were absolutely NOT secure.

          And you're a knob.

        2. Anonymous Coward

          Re: LET IT DIE

          IRC ran before the Internet?

          Internet

          Relay

          Chat

          before the internet, are you sure?

        3. Anonymous Coward

          Re: LET IT DIE

          Also, you're getting teletext and view data mixed up.

          Teletext is a transmit only service via spare lines in the PAL TV transmission system. There aren't going to be any security issues here, for obvious reasons.

          Viewdata is similar but used in properly interactive services like Prestel generally over POTS. There were problems with security here and there were court cases where people hacked Prestel.

    2. Anonymous Coward

      Re: LET IT DIE

      "Microsoft is dead, has been 20 years"

      Near universal quarter on quarter revenue increases over that period would beg to differ...

  10. Michael Habel

    I have the secret to not having to deal with any Microsoft Bug ever again. They don't want to hear it... (Then again they likely do).... It's NOT to use any Microsoft Product post April 2014... You needn't live in perpetual fear of Patch Tuesday any longer. When you have switched to using Mint Linux!

    1. Anonymous Coward

      Yes, Mint never has any updates, it's perfect and all the updates that it doesn't have work properly first time. Hmm...

      In my experience Windows and Linux updates go wrong about the same amount ie: barely at all.

    2. Anonymous Coward

      "You needn't live in perpetual fear of Patch Tuesday any longer. When you have switched to using Mint Linux!"

      erm - you know Mint (Ubuntu) has had several times more vulnerabilities than current versions of Windows? So no fear of patch Tuesday. Just a replacement fear of more randomly released patches...

      Oh - and you know the latest version is only supported until Jan 2014? Despite only being released in April 2013? Just LOL at replacing Windows with that...

      1. Hans 1

        You cannot really compare Linux with Windows in that respect ... I mean, you update windows and linux pretty much as often, Windows has you reboot 27 times a year for updates - on linux that would be 4 to 5

        Linux: new kernel -> reboot

        Windows: new notepad.exe patch -> reboot

        Windows is the only system I know where I have to unplug a USB printer to install the driver, where the driver software needs more than one reboot - one reboot is already bad, but two ?

        I seriously do not know what windows is doing in businesses ... I used it for a full month (Windows 7) and the fully updated + latest drivers could not handle hibernate mode properly or unplugging the power cord - in both cases the wifi would just go (no use disabling/enabling device - the card was "disabled" as if I had pressed the button to turn it off). The wifi would also drop every few hours, enabling/disabling the device fixes it but it sucks for online games.

        Then you get these delta-search lollipop blahblah toolbars (I see that on PC's I repair all the time), never seen that on Mac or Linux ...

        Then come Patchy Tuesday, it asks for a reboot, which you can postpone twice (4 hours each, 8 hours total), then it will just reboot without warning -> you lose work so you install Linux to avoid losing work.

        Seriously, Windows is gonna go! People are really tired of all this shit ...

        1. Hans 1

          Oh, and don't get me started on PowerShell, I think it would just make you sad.

          1. dogged

            Your disconnect with reality already makes me sad.

          2. Tim Bates

            "Linux: new kernel -> reboot

            Windows: new notepad.exe patch -> reboot

            Oh, and don't get me started on PowerShell, I think it would just make you sad."

            Yep. Don't forget that if notepad.exe was patched twice, you need to install patch 1, reboot, then install patch 2 as well...

            And bloody Powershell. What the effing duck is with Windows not being able to do an upgrade repair install (you know the one - same version "upgrade") if Power effing Shell is installed, but it won't let you uninstall it either?!?!? What cockhead at Microsoft came up with that bullcrap!?! Thank gooseness it only checks for the Powershell directory, so one can simply rename it to "PowerHell" instead (can't delete it because that would be too blanking easy, wouldn't it?).

            Bugger - you got ME started on Powershell.

        2. Gordon Pryra

          "Seriously, Windows is gonna go! People are really tired of all this shit ..."

          Almost 20 years pissing around in IT and I have learnt nothing really changes

          The technology doesn't really change

          The software just changes version number

          Speeds are pretty close to what they were in the past

          People still spout the same tired old cliches

          1. JamesTQuirk

            Re: "Seriously, Windows is gonna go! People are really tired of all this shit ..."

            Very true, I worked in sales a lot, about $(AUD) 1500(Student), $2500(Home), $3500 (Game/Soho), are 3 basic prices for systems, has been for as long as I remember, u can get a starter for grand, then its up the price ladder, However they are very happy to charge like a wounded bull, for these tablets, ( I had a Olivetti 386 Tablet, win 3.1, it sucked too). I can't get through to youngers around here, the computer told them it was a bargain, so they believe them .....

            I was shown one other day, 128 gb ram/hd 10" screen, twice price of my HP Lappy (I7,ATI, 512, gb SDD, 16GB ram), without constant internet these things are/will be effectively useless off net, they are a BILL, My lappy will still boot & work in 20 years I hope, with the software that is on it, I got 2 ipad2's here in parts box, brand new in their boxes, they will sit there next 20 years ..... Junk ...

    3. JamesTQuirk

      Run windows as VM in linux, I have dos 3 to 7 and win 98 up as VM machines, much better, linux controls network, windows gets to walk around with its pants down, linux controls network, when u get stressed, updates, scans, just minimise or kill it .....

  11. Andy Davies

    50 posts and no-one admits to not knowing what 'mitigation bypass' means - on a quick check Google doesn't know either!

  12. MrEdC

    Doesn't finding security deficiencies violate the DMCA?

    See https://www.techdirt.com/articles/20070820/111927.shtml

    Time to eliminate the DMCA!!!!!!!
