
August 2nd, 2007

OpenBSD team mocked at first ever 'Pwnie' awards

Posted by Ryan Naraine @ 10:19 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Google, Hackers, Microsoft, Mozilla, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Wi-Fi security, Windows Vista, Wireless, Zero-day attacks

Tags: Team, Award, Vulnerability, OpenBSD, Ryan Naraine


LAS VEGAS — The OpenBSD team has won an award for the most spectacular “mishandling” of a critical security vulnerability.

Here’s why:

The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a “reliability fix” for it. A week later Core Security had developed proof of concept code that demonstrated remote code execution. Read the full timeline and quotes in the Core advisory.

During the ceremony, a five-man panel of judges (HD Moore, Alexander Sotirov, Dave Goldsmith, Dino Dai Zovi and Dave Aitel) cheered accomplishments in the bug-finding field and jeered lame and overhyped discoveries.

Other winners:

Best server-side bug: The Solaris in.telnetd remote root exploit released by Kingcope in February. Kingcope was given a golden Pwnie for finding this vulnerability that did not require any special hacking tools or shellcode.

Best client-side bug: Researchers skape and skywing took this award for finding a nasty Windows vulnerability (Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1) that allowed remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly “unloading chained exception.” The flaw was detailed in Uninformed Vol. 4.

Pwnie for mass ownage: This was won by the unknown hacker who found the WMF SetAbortProc remote code execution hole that was widely exploited in the wild via Internet Explorer. “This vulnerability deserves an award for its obviousness, ease of exploitation and high impact,” the judges said.

Most innovative research: Skape’s presentation, featured in Uninformed Vol. 2, grabbed this award for being the most interesting piece of work done in the last year.

Most overhyped bug: The controversial MacBook Wi-Fi vulnerabilities released by David Maynor at last year’s Black Hat took this dubious award. “In the end, the only public information about Maynor’s Wi-Fi vulnerabilities are hype, denial, a media frenzy, and a patch that may or may not have been based on Maynor’s findings,” the judges said.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

