Increase in Bounty for Microsoft Outlook Zero-Day Vulnerabilities
Chapter 1: Overview of the Increased Bounty
Zerodium, a well-known exploit broker, has temporarily raised its payout for zero-day vulnerabilities that allow remote code execution (RCE) in Microsoft Outlook to $400,000. The increase is described as temporary, but no end date for submissions has been given.
"The recent increase in payouts for Microsoft Outlook RCEs highlights the urgency of addressing these vulnerabilities," said a Zerodium spokesperson.
Section 1.1: Understanding the Reward Structure
Zerodium's standard, listed bounty for an RCE vulnerability in Microsoft Outlook for Windows is $250,000, and a "fully functioning and reliable exploit" is required to qualify for it. The elevated $400,000 payout is reserved for zero-click exploits: those that achieve remote code execution solely through the reception or downloading of an email message, with no action by the user.
Section 1.2: Limitations of the Bounty Program
Zerodium clarifies that the $400,000 payout does not apply to exploits that require the user to open or read an email; such submissions may still qualify for a lower, undisclosed reward. The company also notes that it continues to pay up to $200,000 for RCE exploits in Mozilla Thunderbird, a bounty it has offered since 2019.
Chapter 2: Implications of RCE Vulnerabilities
The first video, "Outlook NTLM Leak - 'ZERO CLICK' Vulnerability Explained (CVE-2023-23397)", examines a zero-click vulnerability in Microsoft Outlook (an NTLM credential leak, as the title indicates, rather than an RCE), covering its potential impact and how it is exploited.
The second video, "Microsoft Office Zero day RCE Exploit | CVE-2023-36884 Exploit", covers a separate critical vulnerability in Microsoft Office and its security implications.
An RCE vulnerability in an email client such as Outlook could give attackers a foothold on the affected system and access to the accounts on it. Although Zerodium has not set a deadline for submitting these zero-click exploits, the window is likely to remain open for an extended period, as has happened with its past promotions.
Zerodium had previously announced on March 31, 2021, that it would temporarily triple its rewards for RCE vulnerabilities in WordPress, a promotion that remains active today. The payout currently listed for exploits in this widely used content management system is $100,000.
Currently, the only active promotions with increased bounties are those for WordPress, Mozilla Thunderbird, and Microsoft Outlook. Recently expired temporary offers covered RCE and sandbox escape vulnerabilities in Google Chrome (each paying up to $400,000) and RCE vulnerabilities in VMware vCenter Server (paying up to $150,000).