Security News > 2021 > August > Black Hat 2021: Microsoft Wins Worst of Pwnie Awards

Black Hat 2021: Microsoft Wins Worst of Pwnie Awards
2021-08-06 14:50

Microsoft came up the big winner in this year's Pwnie Awards, but for all the wrong reasons.

From the PrintNightmare patching hiccups to the Exchange Server flaws to the NSA finding and disclosing a major bug in the Windows cryptography core, Microsoft's security foibles highlighted the annual event that recognizes excellence and mocks incompetence in cybersecurity.

The worst of the awards - Most Epic Fail - went to Microsoft for its handling of the PrintNightmare Print Spooler vulnerability, a bug that led to a problematic patch and more questions about potentially vulnerable code.

2 patches, and it's still kicking! It goes without saying that Microsoft identified CVE-2021-34527 as LPE; a little willpower and Twitter drama made it RCE. Microsoft came up with another patch that doesn't fix the RCE vector properly and doesn't even try to fix the LPE anymore.

Microsoft's buggy code also led to two additional wins, including one to unnamed researchers in the U.S. National Security Agency for the discovery of a flaw in the verification of signatures in Windows.

Separately, the discovery of security defects in Microsoft Exchange Server led to a major acknowledgment for Orange Tsai, principal researcher at DEVCORE. Orange Tsai's work documenting entirely new attack surfaces on Exchange Server installations won the Pwnie Award for the Best Server-Side Bug, a project that pinpointed at least seven new vulnerabilities that expose businesses to remote attacks.


News URL

http://feedproxy.google.com/~r/securityweek/~3/hZN7GngLpDA/black-hat-2021-microsoft-wins-worst-pwnie-awards

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-07-02 CVE-2021-34527 Improper Privilege Management vulnerability in Microsoft products
<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
network
low complexity
microsoft CWE-269
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774