Discovery of fatal flaw in Microsoft’s Internet Explorer earns security researcher $100,000

In an era where technology giants like Microsoft and Apple are fighting off juvenile teenagers, sophisticated hackers from Russia and China, and some of the most powerful and wealthy nations across the world, being a security researcher can be a lucrative career.

Moritz Jodeit, an experienced security researcher who works for Blue Frost Security, found this out personally when Microsoft paid him $100,000 after he discovered a major security flaw in Internet Explorer, Microsoft’s enduring Web browser. That’s the top prize Microsoft awards as part of its bug bounty program.

Jodeit found a fatal bug in the latest version of Internet Explorer that would leave every Internet Explorer user vulnerable to what’s known as remote code execution—the holy grail of software exploits—meaning that an attacker could gain complete control of their target’s computer. Using this exploit, “an attacker could install malware on the system or steal all the user’s data,” Jodeit told the Daily Dot via email.

Finding the bug took two to three months of research, Jodeit said, which is a short period of time compared to his 17 years of experience in computer security. 

“There will always be bugs in software. This is particularly true for complex software such as a Web browser.”

“I provided Microsoft with a complete and stable exploit chain for Internet Explorer 11 (64-bit) on Windows 10, including a sandbox escape for Enhanced Protected Mode (EPM) and a way to bypass the latest version of [Enhanced Mitigation Experience Toolkit] 5.5 as well,” Jodeit said, explaining the bug he exposed in more technical terms.

Jodeit says he had to bypass several exploit mitigations—technology developed by Microsoft to prevent hackers from attacking software—in order for his bug to work. Microsoft has yet to patch the bug, Jodeit says, and Internet Explorer 11 users are still at risk.

Once the bug is fixed, Jodeit plans to publish all of the details of his exploit. A Microsoft employee working on the security team confirmed that Jodeit had been awarded the $100,000 bounty for his exploit, but a Microsoft spokesperson wasn’t available for comment prior to publication.

Jodeit’s discovery comes at an interesting time in the debate over cybersecurity. A federal judge recently ordered Apple to build a specialized version of iOS to help the FBI bypass security features on the iPhone of San Bernardino shooter Syed Farook. Before the U.S. government backed down on its demand—the FBI hired the firm Cellebrite to do what Apple refused to do—the ensuing legal battle sparked a wave of debate over the need for strong cybersecurity, with experts inside and out of Apple arguing that building the custom version of iOS would put all iPhone users at risk.

Security experts fear that, if software companies have yet to prove that they can make software that is impenetrable, intentionally weakening these systems for law enforcement purposes threatens the privacy and security of everyone who uses that product.

This issue was highlighted earlier this week after Johns Hopkins researchers announced they found a flaw in the encryption of Apple iMessage that could allow a sophisticated attacker to decrypt photos and videos sent over the service.

“Even Apple, with all their skills—and they have terrific cryptographers—wasn’t able to quite get this right,” Mattew Green, lead researcher and cryptography expert told the Washington Post, which first reported the bug. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Civil-liberties groups and security experts think that the most reasonable middle ground would be for law enforcement to exploit flaws like the one Jodeit found in order to carry out investigations, not ask companies to create their own “backdoors.” Even then, these advocates think the government should report these flaws to the software companies so that they can be patched in order of protect the security of the public.

No matter what happens, we will never be completely safe. Everything, as they say, can be hacked.

“There will always be bugs in software,” Jodeit said. “This is particularly true for complex software such as a Web browser. So I knew there will be bugs. It was just a matter of finding the right one.” 

As for the sizable chunk of change Microsoft is awarding as a result of Jodeit discovering and reporting this flaw, well, his employer is keeping most of it. “The money goes to [Blue Frost Security] and will allow us to perform more cutting edge research in the future,” he said. “I might get a small bonus though ;).” 

Illustration by Jason Reed

William Turton

William Turton

Once named one of Forbes’ 20 Under 20 and hired as a staff writer for the Daily Dot when he was still a senior in high school, William Turton is a rising tech reporter focusing on information security, hacking culture, and politics. Since leaving the Daily Dot in April 2016, his work has appeared on Gizmodo, the Outline, and Vice News Tonight on HBO.