Microsoft up for its share of Pwnies at Black Hat conference
If you’re a technology company trying to maintain a reputation for security, you don’t necessarily want to receive a Pwnie Award at the annual Black Hat security conference in Las Vegas.
While some legitimately honor enterprising security experts who uncovered vulnerabilities, or important research, others are ignominious, such as the award for “Lamest Vendor Response” and “Most Epic Fail.”
Researchers who discovered bugs in Microsoft software are among the nominees in seven categories in total, including Best Song; the Pwnie Awards 2010 winners will be announced Wednesday at Black Hat. The Pwnies are represented by an illustration of a child’s toy pony. Why, I don’t know.
One of the nominees for the Pwnie for Best Server-Side Bug — based on being the “most technically sophisticated and interesting” bug — is Laurent Gaffié, who discovered an exploitable vulnerability in Windows 7 in the server message block (SMB) code, which enables shared access to files, printers and serial ports. Hernan Ochoa is nominated for finding another SMB code vulnerability in operating systems from Windows NT4 to Windows Server 2008 that could enable someone to access a server without any credentials.
The Best Client-Side Bug Pwnie could go to the team that discovered the vulnerability in Internet Explorer version 6 that enabled the famous Aurora attack, believed to have been perpetrated from China against Google and other brand-name companies late last year. Tavis Ormandy is nominated twice in this category, once for discovering a “memory corruption vulnerability in the win32k code that parses font files embedded on web pages,” according to the nomination. The second is for a “Windows Help Center escape sequence vulnerability.”
Ormandy may have to prepare multiple acceptance speeches, as he’s also nominated in the Best Privilege Escalation Bug category, this one for a bug in OSes from Windows NT 3.1 to Windows 7. Pwnies could also go to John McDonald and Chris Valasek, nominated together in the Most Innovative Research category for their work on “heap exploitation,” a class of memory-corruption attack related to buffer overflows, in Windows XP.
Microsoft may be embarrassed to win in the Most Epic Fail category for releasing IE 8 with, as the nomination explains, “built-in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites.”
Still, it could have been worse for Microsoft. It could have been Epic Fail nominee McAfee, which issued an anti-virus update in April that rendered hundreds of thousands of computers worldwide inoperable. And Microsoft is glad it’s not IBM, which handed out free USB drives to attendees at a conference in Australia in May that were infected with two types of malware.