News

Microsoft Kicks Off Speculative Execution Bug Bounty Program

• By Kurt Mackie
• 03/15/2018

Microsoft this week announced a bug bounty program to solicit security-researcher contributions about "speculative execution" side-channel CPU vulnerabilities.

Speculative execution is a normal process of CPUs that's used to speed computer operations by predicting its next steps in advance. However, researchers in January published methods known as "Meltdown" and "Spectre" that can be used to exploit that process to disclose information from operating system kernels, both Linux and Windows. Those speculative execution methods constitute a "new class of vulnerabilities," according to Microsoft.

Consequently, from March 14 until Dec. 31, 2018, Microsoft is offering to pay money for information about new exploits or mitigation bypasses associated with speculative execution attack methods. The bounties are for elements such as Windows hosts, hypervisors, OS kernel memory and the Microsoft Edge browser. Payouts range from $25,000 to $250,000, based on four "bounty tiers":

• Tier 1 represents new speculative execution side channel attacks
• Tiers 2 and 3 are for "identifying possible bypasses for mitigations that have been added to Windows and Azure"
• Tier 4 is for demonstrating "exploitable instances" of Spectre variant 1 (CVE-2017-5753) or Spectre variant 2 (CVE-2017-5715)

Microsoft outlined the terms of the bounty program in this document.

Intel today announced the release of microcode updates for all of its processors produced in the last five years to address Meltdown and Spectre attack methods. Microsoft previously issued Windows updates to address those methods as well. The processor updates and the OS updates are both needed to provide protections against possible speculative execution attack methods, which potentially affect most computers. Chips by Intel, AMD and ARM Holdings are all said by researchers to be subject to Spectre attack methods, while Meltdown mostly affects Intel machines.

The launch of Microsoft's bounty program perhaps suggests that Meltdown and Spectre mitigations could get bypassed in some way, or at least that Microsoft is willing to pay money to find out if that's the case.

In other security news, the Microsoft Edge browser was exploited on Day 1 of the Pwn2Own exploit contest held at CanSecWest in Vancouver, which offered monetary prizes for successful hacks. Day 1 results are described by Trend Micro's Zero Day Initiative at this page, where hacks of Oracle VirtualBox and the Apple Safari browser also were demonstrated.

Microsoft is a sponsor of the Pwn2Own contest, along with Trend Micro/ZDI, as mentioned in this Microsoft announcement, although the announcement didn't mention that the Edge browser had been successfully hacked. Microsoft instead bragged that "Microsoft Edge has still not been impacted by a zero-day exploit in the wild." In addition, Microsoft noted that its latest Windows Insider OS preview release could not be exploited by the contestants, nor could they get past the protections of Windows Defender Application Guard.

Day 2 of the Pwn2Own contest saw successful exploits of the Mozilla Firefox and Apple Safari browsers, according to the Zero Day Initiative's description.