Microsoft said earlier today that it is paying its maximum award -- $100,000 -- to a security researcher who found a critical hole in its Internet Explorer web browser. James Forshaw of the Context Information Society was rewarded by Microsoft for pointing out the flaw, which Microsoft patched today.
Forshaw was also the recipient of $9,400 in additional rewards for other flaws found in Internet Explorer 11 in the four-month-old bounty program. He has been credited with finding over 30 security bugs across the PC industry's software, with rewards having been paid by Hewlett Packard and others.
The reported flaw affects all supported versions of Internet Explorer from Internet Explorer 6 through Internet Explorer 11. The exploit allows for remote code execution when an Internet Explorer user browses a website containing malicious code tailored to the specific version of the browser.
Microsoft says of the flaw that "the vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially-crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website."
Today's patch closes both the universal Internet Explorer bug and some of the other flaws Forshaw reported. Microsoft was criticized for waiting until "patch Tuesday" to fix the problem, with researchers claiming the delay put more users in jeopardy.