Black Hat 2008: Pwnie Award Ceremony


The first night of Black Hat briefings concluded with the Pwnie Award Ceremony. The awards reward achievements in security… but mostly failures. Notably, this was the first year anyone accepted an award in person. Hack a Day took home an early victory by producing a MacBook mini-DVI to VGA adapter (pictured above). The ceremony was fairly straight forward after that. Best Server-Side Bug went to the Windows IGMP kernel vulnerability. It was a remote kernel code execution exploit in the default Windows firewall. The Best Client-Side Bug went to Multiple URL protocol handling flaws like this URI exploit. Mass 0wnage went to WordPress for many many vulnerabilities. Most Innovative Research went to the Cold Boot Attack team. Lamest Vendor Response was won by McAfee for saying XSS can’t be used to hack a server. The Most Overhyped Bug went to [Dan Kaminsky] for his DNS vulnerability. Most Epic FAIL was won by the team behind Debian for shipping the OpenSSL bug for two solid years. Lifetime Achievement Award was won by [Tim Newsham]. Finally, the Best Song was by Kaspersky Labs for Packin’ The K!, which you can find embedded below.

9 thoughts on “Black Hat 2008: Pwnie Award Ceremony

  1. I’m confused about WordPress — how can you consider vulnerable 3rd party code (plugins) manually installed by the user a vulnerability of WordPress itself? Especially more so if the user opts not to keep the 3rd party code up to date?

    It’s as if I installed Firefox on my computer, a vulnerability was found in Firefox, and then the OS was deemed insecure as a result.

    Or am I missing something?

  2. klintor:

    I’m a bit of a noob, but I don’t even see how that’s physically possible in a PHP based environment. As far as I know, you can’t easily run a PHP script in like a container or whatever.

    The only way I can think of to provide a plugin capability that met your requirements was if the plugin was like a XML file or something that just toggled flags/parameters in the software — a configuration file basically. You wouldn’t be able to expand on the software at all and would pretty much defeat the purpose of having plugins or an API.

    And by your definition then just about every piece of software on the web that has an API should get the same award. Look at Firefox, vBulletin, PunBB, etc. etc. etc. etc. They all load external files that could potentially compromise the security of the computer/server.

    If you have some brilliant idea or method to solve the problem, then please by all means, say so. Assuming it’s a reasonable solution, I’d be more than happy to contribute code towards such a solution for submission to the people that run the WordPress development.

  3. What’s really sad about WordPress outside of Matt’s lack of manners, his inability to function in society and it’s lack of security is that a full security audit has been mentioned and discussed previously but nothing has yet occurred. Gallery did one and they don’t have the millions to spend like Matt does.

    You would have thought the number of times they’ve had their own sites hacked, security would have taken a step up in importance. Guess not.

    But considering that Matt’s now spamming his own site where ever he can instead of paying any attention to the splogs on wp.com and ignoring reports about them, does anything surprise you anymore?

  4. Under current design having ‘secured’ wordpress plugin invocation sounds impossible. Plugins are basically just included into the core and invoked like the core does. Though some function hooks are available for sanitizing input, those functions are only optional, and no expose for the function occur at any plugin writing tutorials.

    Until recent releases, wordpress press releases have a tradition of suppressing any security announcement in order to make it look good. This is still true right now if press release is written by Matt himself. Only when it is written by others (like Ryan Boren) did it at least mention something. In this area Matt exactly behaves like Linus Torvald (including svn changelog messages too), if not worse.

    And my personal experience with security@wordpress.org is that, it’s yet another blackhole like those utterly dysfunctional vendors.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.