Microsoft Kicks Off Speculative Execution Bug Bounty Program

Microsoft this week announced a bug bounty program to solicit security-researcher contributions about "speculative execution" side-channel CPU vulnerabilities.

Speculative execution is a normal process of CPUs that's used to speed computer operations by predicting its next steps in advance. However, researchers in January published methods known as "Meltdown" and "Spectre" that can be used to exploit that process to disclose information from operating system kernels, both Linux and Windows. Those speculative execution methods constitute a "new class of vulnerabilities," according to Microsoft.

Consequently, from March 14 until Dec. 31, 2018, Microsoft is offering to pay money for information about new exploits or mitigation bypasses associated with speculative execution attack methods. The bounties are for elements such as Windows hosts, hypervisors, OS kernel memory and the Microsoft Edge browser. Payouts range from $25,000 to $250,000, based on four "bounty tiers":

  • Tier 1 represents new speculative execution side channel attacks
  • Tiers 2 and 3 are for "identifying possible bypasses for mitigations that have been added to Windows and Azure"
  • Tier 4 is for demonstrating "exploitable instances" of Spectre variant 1 (CVE-2017-5753) or Spectre variant 2 (CVE-2017-5715)

Microsoft outlined the terms of the bounty program in this document.

Intel today announced the release of microcode updates for all of its processors produced in the last five years to address Meltdown and Spectre attack methods. Microsoft previously issued Windows updates to address those methods as well. The processor updates and the OS updates are both needed to provide protections against possible speculative execution attack methods, which potentially affect most computers. Chips by Intel, AMD and ARM Holdings are all said by researchers to be subject to Spectre attack methods, while Meltdown mostly affects Intel machines.

The launch of Microsoft's bounty program perhaps suggests that Meltdown and Spectre mitigations could get bypassed in some way, or at least that Microsoft is willing to pay money to find out if that's the case.

In other security news, the Microsoft Edge browser was exploited on Day 1 of the Pwn2Own exploit contest held at CanSecWest in Vancouver, which offered monetary prizes for successful hacks. Day 1 results are described by Trend Micro's Zero Day Initiative at this page, where hacks of Oracle VirtualBox and the Apple Safari browser also were demonstrated.

Microsoft is a sponsor of the Pwn2Own contest, along with Trend Micro/ZDI, as mentioned in this Microsoft announcement, although the announcement didn't mention that the Edge browser had been successfully hacked. Microsoft instead bragged that "Microsoft Edge has still not been impacted by a zero-day exploit in the wild." In addition, Microsoft noted that its latest Windows Insider OS preview release could not be exploited by the contestants, nor could they get past the protections of Windows Defender Application Guard.

Day 2 of the Pwn2Own contest saw successful exploits of the Mozilla Firefox and Apple Safari browsers, according to the Zero Day Initiative's description.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Microsoft Warns SameSite Cookie Changes Could Break Some Apps

    IT pros could face Web application issues as early as next month with the implementation of a coming SameSite Web change, which will affect how cookies are used across sites.

  • Populating a SharePoint Document Library by E-Mail, Part 1

    While Microsoft doesn't allow you to build a SharePoint Online document library using e-mail, there is a roundabout way of getting the job done using the tools that are included with Office 365. Brien shows you how.

  • Microsoft Previews New App Reporting and Consent Tools in Azure AD

    Microsoft last week described a few Azure Active Directory improvements for organizations wanting to connect their applications to Microsoft's identity and access service.

  • Free Software Foundation Asks Microsoft To Release Windows 7 Code

    The Free Software Foundation this week announced that it has established a petition demanding that Microsoft release its proprietary Windows 7 code as free software.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.