Cybersecurity: anger is brewing among researchers, who find that Microsoft no longer pays enough.

A “yellow vests” atmosphere has settled among security researchers. Believing that the payouts of Microsoft’s bug bounty program are now too low, security researcher Abdelhamid Naceri has decided to stop playing the “responsible disclosure” game. He published a zero-day flaw he had found directly on GitHub.
The flaw allows an elevation of privilege: a standard user account can obtain SYSTEM rights. The attack works on all versions of Windows, including Windows 11 and Windows Server. Bleeping Computer has published a video demo.

This flaw, which has not yet been fixed, is in fact a variant of a similar flaw he had previously found (CVE-2021-41379), which was patched on November 9. That patch turned out to be incomplete.

“This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not fixed correctly. However, instead of dropping a bypass, I preferred to drop this variant, because it is more powerful than the original. I have also made sure the proof of concept is extremely reliable and doesn’t require anything, so it works every time,” one reads on GitHub. And boom!


Asked by Bleeping Computer, he explains that he has a lot on his chest.

“Microsoft bounties have been going downhill since April 2020. I really wouldn’t do this if MSFT hadn’t made the decision to lower those bounties,” explained Naceri, who is not the only one to point the finger at the Redmond firm.

Discontent grows

On Twitter, more and more people are complaining.

“They updated the bounty rules to exclude enhanced mode RDP on November 8, 2021. Then they use it as an excuse to lower the bounty,” explains VictorV.
“Under Microsoft’s new bug bounty program, one of my zero-days went from $10,000 to $1,000,” relates an annoyed MalwareTech.
“WARNING! Microsoft will reduce your bounty at any time! Here is a Hyper-V RCE vulnerability that can be triggered from a guest machine, but it is only eligible for a $5,000 bounty under the Windows Insider Preview bounty program. It’s unfair!” warns Rthhh.

Disgruntled researchers may soon gather around a virtual roundabout to show their displeasure. You never know how these things will turn out.

Source: Bleeping Computer