Microsoft wins a Pwnie for failure
Microsoft has earned the dubious distinction of having the Most Epic FAIL of the last year in computer security with a browser cross-site scripting (XSS) filter that actually exacerbated the problem.
The company was given the award at the conclusion of the annual Blackhat 2010 security conference Wednesday in Las Vegas. I wasn’t there so I don’t know if anyone from Microsoft stepped up to accept the award, head perhaps covered by a paper bag.
According to a white paper produced by researchers Eduardo Vela Nava and David Lindsay, Internet Explorer 8 implemented an anti-XSS mechanism to detect such attacks. Here’s the funny part: “This feature can be abused by attackers in order to enable XSS on web sites and web pages that would otherwise be immune to XSS,” the researchers noted.
I’m not sure if he was specifically referencing the IE 8 XSS fail, but Kevin Turner, chief operating officer for Microsoft, said this during an analyst conference this morning in Redmond: “Yes, we had a little headwinds. We had several things we had to do with IE 8 this past year,” Turner said, right after describing the product as “the safest, most secure browser in the marketplace.”
Maybe now it is.
Microsoft beat out McAfee and IBM in the Most Epic FAIL category: McAfee for issuing an anti-virus update in April that rendered hundreds of thousands of computers worldwide inoperable; and IBM for handing out free USB drives at a conference loaded with malware.
The only other Microsoft mention was a Pwnie for Best Privilege Escalation Bug and this award went to Tavis Ormandy, the researcher who discovered it in multiple operating systems from Windows NT 3.1 to Windows 7. In awarding the Pwnie to Ormandy, Blackhat stated: “This privilege escalation bug required more than a few tricks to exploit. Its discovery shows a rare understanding of some of the more obscure aspects of the Intel architecture.”
Microsoft was nominated, but failed to win — or should I say failed to lose — in the categories of Best Server-Side Bug and Best Client-Side Bug. Again, in these categories, the Pwnies went to the people who discovered the bugs, not the companies that created them.