$10k Bounty for Critical Windows Flaws

An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""

Can anybody say, "lawsuit"?

[Anonymous Coward]

I can't imagine MS is gonna be too pleased with this.

And they have a couple law-talkin guys on staff.

$10 k isn't a lot for hackes

[madnuke]

That isn't a lot when you could sell the exploit on the internet like the WMF exploit was a snip at $5000 each, think how many people bought that in the malicous website, porn internet, fake-anti spyware companies like Win Hound. Some how I don't think this will last long.

Shrewd business move for Verisign

[Weaselmancer]

They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!

Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.

Free Press - Contest is a joke...

[xxxJonBoyxxx]

"iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities."

Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.

Verisign??

[Rob T Firefly]

It's an interesting concept, but I wouldn't trust Verisign to get the tuna out of a can that had already been opened. I wonder what their deal is here.

Re:WTF?

[mythosaz]

(a) There is no telling how many remain. Windows may be getting close to "tight" in terms of remote exploitability, or it may still have several gaping holes. RPC-based exploits (the "real" dangerous ones) seem to have been closed for a while. It's mostly overflows and breakouts now, and mostly on user-initiated processes. [User-initiated processes don't spread like wildfire inside of corporate networks, like RPC-type flaws. Dangerous, but not panic-level stuff...]

(b) People pay for these exploits because if they can take advantage of them, they can continue to spread their spam and malware from and to unwitting, unwilling and unaware people. Turning thousands of PCs into your own private email relay stations is motivation. Installing scumware/adware/spyware on thousands more is motivation.

Re:Can anybody say, "lawsuit"?

[Uncle Rummy]

Why not? iDefense doesn't just release the vulnerabilities unannounced or sit on them exploiting them for profit, they submit them to Microsoft Security and publish only after a patch has been released. If anything, Microsoft should be happy that somebody is providing independent researchers a financial incentive not to release 0-day vulnerabilities to public lists.

Clank go the handcuffs

[TallMatthew]

"Here's your exploit, now where's my ten grand?"

"Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."

What about beta?

[TopSpin]

If I discover an obscure remotely exploitable security flaw in a Microsoft beta product (thus, unlikely to lead to a "critical" advisory,) why should I not sit on it until a few months after release and get paid?

Re:Windows research is clearly more profitable...

[LordLucless]

There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows.

That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.

Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependant on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.

Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly-insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in firefox. On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!

Re:Linux needs a similar plan.

[freeweed]

Yeah, and considering the $10,000 applies to vulnerabilities rated as "critical", you'd hardly ever pay out.

A "critical" Windows flaw is one that allows remote exploitation. Find me a Linux distro in the past 3 or 4 years that is remotely exploitable in a default configuration, and *I'll* pay you the bounty.