
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

OpenBSD team mocked at first ever 'Pwnie' awards

By | August 2, 2007, 10:19am PDT

Summary: At the first ever Pwnie Awards announced at the Black Hat Briefings here, a team of well-known researchers picked the OpenBSD team from a list of four software vendors — BMC, EnCase and Norman AntiVirus were the others — in the “lamest vendor response” category.


LAS VEGAS — The OpenBSD team has won an award for the most spectacular “mishandling” of a critical security vulnerability.

Here’s why:

The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a “reliability fix” for it. A week later Core Security had developed proof of concept code that demonstrated remote code execution. Read the full timeline and quotes in the Core advisory.

During the ceremony, a five-man panel of judges (HD Moore, Alexander Sotirov, Dave Goldsmith, Dino Dai Zovi and Dave Aitel) cheered accomplishments in the bug-finding field and jeered lame and overhyped discoveries.

Other winners:

Best server-side bug: The Solaris in.telnetd remote root exploit released by Kingcope in February. Kingcope was given a golden Pwnie for finding this vulnerability that did not require any special hacking tools or shellcode.

Best client-side bug: Researchers skape and skywing took this award for finding a nasty Windows vulnerability (Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1) that allowed remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly “unloading chained exception.” The flaw was detailed in Uninformed Vol. 4.

Pwnie for mass ownage: This was won by the unknown hacker who found the WMF SetAbortProc remote code execution hole that was widely exploited in the wild via Internet Explorer. “This vulnerability deserves an award for its obviousness, ease of exploitation and high impact,” the judges said.

Most innovative research: Skape’s presentation, featured in the Uninformed Vol.2, grabbed this award for being the most interesting piece of work done in the last year.

Most overhyped bug: The controversial MacBook Wi-Fi vulnerabilities released by David Maynor at last year’s Black Hat took this dubious award. “In the end, the only public information about Maynor’s Wi-Fi vulnerabilities are hype, denial, a media frenzy, and a patch that may or may not have been based on Maynor’s findings,” the judges said.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments


EVOLUTION OF THE STORY EXPLAINED (Links and all)
Cayble 5th Aug 2007
0 Votes
He has to be one of the most unprofessional bug hunters.
0 Votes
And C|Net and their ilk...
ewelch 2nd Aug 2007
...for perpetuating the nonsense, even when its inaccuracies were pointed out.

Big fat raspberry to all.
0 Votes
You're full of crap
Cayble 5th Aug 2007
The inaccuracies as were pointed out, and eventually proved beyond any shadow of a doubt as Apple eventually admitted as much in black and white was where the reports from lame independent reporters claimed that "APPLE" was denying the possibility of Maynor's hack; Apple never once denied it, they never once said in their opinion it didn't exist, they never once said it was highly unlikely to exist, they never once said Maynor had lied about the hack, Apple never claimed their patch did not address any hack Brian Krebs claimed Maynor demonstrated to him on the Macbook wireless drivers, Apple never said they knew, or even thought Maynor's claim of a vulnerability in their airport hardware was incorrect.

The reports that Apple ever denied that Maynor's hack was a fake or anything like a fake were bluntly incorrect and poorly conceived biased reporting. Given that Apple is a rather technologically advanced company that can surely hire the best in the business to evaluate claims of such vulnerabilities, Apple has had far more than enough time, as of yesterday to know if Maynor's claim of such a vulnerability ever existed. Instead of finally putting the matter to bed by Apple saying something to the effect of:

"We now believe the vulnerability David Maynor claimed existed, as reported by Brian Krebs of the Washington Post, prior to the Blackhat convention in 2006, did not exist based on our own internal investigations. We have been unable to discover the existence of such a vulnerability as to our understanding of what was reported, and if any party wishes us to stand corrected they will have to provide further technical information to us in order that we may evaluate such claims from a better informed position. Currently we see no way such a vulnerability could exist given our understanding of what was reported."

Apple has to date never even made so much as a claim the exploit or vulnerability "did not exist in their opinion".

What they did do was to join forces with Maynor's employers for a period of time; Secureworks, and interestingly enough neither company spoke much about the situation at all after that.

I myself am not an idiot, therefore I am not assuming that the smaller company, Secureworks had the money or power to "shut up" Apple from telling what they knew or suspected was the truth. I am absolutely compelled to believe that Apple has the money and power in that situation and I am suspecting that Apple was the one who convinced Secureworks to "shut up" about what they knew. Either way, they both shut up, either they both did so willingly, or one of them was willing and the other was convinced to shut up by the former.

It's not rocket science, it's just facts, if you accept what Apple spokespeople say as fact. If you want the links, just ask, I have them all. If you just want to find a place where an Apple spokesperson literally says anything close to "WE DO NOT BELIEVE MAYNORS EXPLOIT IS TRUE" Google until your heart's content. You won't find it because Apple never said it didn't exist or they believed it didn't exist. They said a lot of things, but they never said that.
0 Votes
Re: Maynor's bug
mike_ohanlon 3rd Aug 2007
I wonder when we'll get a comment from Mr. Ou regarding this one.
0 Votes
Maynor's Bug
Narg 3rd Aug 2007
It seems to me that the problem was that the judges here are clueless on Macs. Apple did a LOT of FUD on this problem, so the Pwnie should have gone to Apple, not Maynor. At least Maynor did due diligence, which can't be said for Apple.
But the media was still going on and on about it, even after the patch.
0 Votes
Despite the attempts by many..
msalzberg 4th Aug 2007
to hint otherwise, Maynor never showed that exploit to anyone with credibility.
0 Votes
Maynor was a screw up in this situation to be sure because he let the cat out of the bag to Brian Krebs of the Washington Post before he had details of the vulnerability to Apple. He didn't even plan on doing the Apple hardware specific exploit at the Blackhat convention and he muffed the whole deal, along with Krebs reporting it of course as it drove the Apple Jacks insane to read such a thing and they all interpreted every comment by Apple as a claim that Maynor had lied and Apple had evidence no such exploit existed.

The sad truth is that Apple never did say Maynor had lied or even that Maynor was wrong. They instead carefully parsed their words saying that Maynor had not proved it to them and then promptly joined forces with Maynor's employer, Secureworks and nothing more was said from Apple or Secureworks since. Maynor and his sidekick at the event, Johnny Cache Ellch gave every obvious appearance of being "silenced" in the process and the only happy jacks around were the Apple Jacks who claimed victory in an absence of information from either side.

Nobody ever has given a reasonable explanation as to why after more than a year after the event Apple still cannot say they do not believe such a vulnerability existed as reported by Krebs.

Of course the Apple Jacks don't worry about that, any answer that makes sense would likely be hurtful to their loyalty.
0 Votes
in.telnetd?
Resuna 3rd Aug 2007
Solaris still ships with telnetd enabled? Say it ain't so!

(if it doesn't, then I think the Pwnie team needs to get a Pwnie for this)
