
Microsoft has awarded $100,000 to researcher James Forshaw for a new attack technique which bypasses an attack mitigation in Windows 8.1.

The $100,000 reward is the maximum payout in Microsoft's Mitigation Bypass Bounty program.

Mitigation Bypass is one of three bounty programs announced in June by Microsoft's Katie Moussouris. Another was a special program for critical vulnerabilities in the Internet Explorer 11 Preview.

Last Friday, Moussouris announced six winners in that program, collecting over $28,000.

The third bounty program is the Blue Hat Bonus for Defense, with as much as $50,000 for a defensive technique which would counter an attack technique that can bypass current attack mitigations. No announcements of winners in this program have yet been made. Examples of established attack mitigations are Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Structured Exception Handler Overwrite Protection (SEHOP).

Forshaw is Head of Vulnerability Research at Context Information Security, based in the U.K. He is a regular presenter at security conferences and is the author of the network attack tool Canape.

According to Microsoft, he has produced numerous design-level attack techniques and is very good at it.

Moussouris told me that Microsoft will not be disclosing the nature of the attack(s) for which Forshaw won until they have implemented defenses against them. I asked if Microsoft would wait until then to disclose the attack technique to other vendors who might be affected by it. She said that these techniques are not likely to affect other vendors.

Forshaw provided a statement: