IE 8 receives the 'Most Epic FAIL' award for ironic bug in XSS filter

Jul 29, 2010 10:15 GMT  ·  By

The winners of the 2010 Pwnie Awards were announced yesterday at the Black Hat security conference in Las Vegas. There were only seven categories this year and one of the most popular awards, the “Most Epic FAIL” one, went to Internet Explorer 8 for a bug in its XSS protection component, which actually enabled XSS attacks.

The Pwnie Awards were founded back in 2007 by Alexander Sotirov and Dino Dai Zovi, who still serve as judges along with other reputed security researchers like HD Moore, Mark Dowd, Halvar Flake, Dave Goldsmith and Dave Aitel. Each year, the panel aims to award both security successes and failures.

The number of award categories has varied from year to year. In 2009 there were ten, while this year only seven remained: Best Server-Side Bug, Best Client-Side Bug, Best Privilege Escalation Bug, Most Innovative Research, Lamest Vendor Response, Best Song and Most Epic FAIL.

Meder Kydyraliev received the 2010 Best Server-Side Bug Pwnie Award for discovering a critical vulnerability in the Apache Struts2 framework, which allowed for the execution of arbitrary Java code by sending a specially-crafted HTTP request. Meanwhile, Sami Koivu took home the Best Client-Side Bug award for his Java trusted method chaining exploit, which compromises the entire Java security model.

Tavis Ormandy, the Google security researcher who was criticized for publicly releasing the zero-day Windows Help Center vulnerability in June, was awarded the Best Privilege Escalation Bug Pwnie for his Windows NT #GP trap handler flaw, which the judges deemed one of the most complicated vulnerabilities of 2010. Dionysus Blazakis received the Most Innovative Research Pwnie for his Flash pointer inference and JIT spraying technique.

The Pwnies also include an award for rap songs written by hackers, and this was the first year in which submissions had to include an audio recording. This year's winning song was Pwned - 1337 edition by Dr. Raid and Heavy Pennies. Doctor Raid appears to have a talent for writing hacking raps, since he also won the prize in 2009 with a different song.

A company called Absolute Software earned the 2010 Lamest Vendor Response Pwnie. Absolute develops LANRev, a remote administration program that received a lot of media attention after a Pennsylvania school district used it to spy on its students.

“Is it theoretically possible [to exploit this]? Of course it is. [But] we are not aware of any customer who ever had an issue with this. If any customer did express concern, we would immediately supply them with a patch,” said Tim Parker, vice president of research and development for Absolute, about a critical LANRev vulnerability leading to full system compromise.

And finally, the award that usually puts a smile on everyone's face, the “Most Epic FAIL,” went to Microsoft's Internet Explorer 8 this year. “Internet Explorer 8 was released with built in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail,” the judging panel ruled.

You can follow the editor on Twitter @lconstantin