Fermín Serna, a researcher in Google’s Mountain View, California headquarters, told The Security Ledger that he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft’s Address Space Layout Randomization (or ASLR) technology.
His bounty followed the first ever (officially) paid to a researcher by Microsoft (https://securityledger.com/2013/07/microsoft-set-to-pay-first-bug-bounty-for-ie-hole/): a bounty that went to Serna’s colleague, Ivan Fratic, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Fratic (@ifsecure) acknowledged the honor in a July 11 post on his Twitter account.
In an e-mail exchange with The Security Ledger, Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. “Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,” he said.
Microsoft announced its first bounty on July 10 and said it had many more submissions that were likely to earn pay-outs. Serna said that other bounties had been issued in addition to the one he received. Microsoft told The Security Ledger that it has, in accordance with the program, "notified some researchers that they will receive bounties."
As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was “way less” than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which includes ASLR as well as the Data Execution Prevention or DEP technology). “But stillnice!” He plans to donate his windfall to a local animal shelter in Seattle. Awwww!!!!