Connect with us

Hi, what are you looking for?


Application Security

Black Hat 2021: Microsoft Wins Worst of Pwnie Awards

Microsoft came up the big winner in this year’s Pwnie Awards, but for all the wrong reasons.

Microsoft came up the big winner in this year’s Pwnie Awards, but for all the wrong reasons.

From the PrintNightmare patching hiccups to the Exchange Server flaws to the NSA finding and disclosing a major bug in the Windows cryptography core, Microsoft’s security foibles highlighted the annual event that recognizes excellence and mocks incompetence in cybersecurity.

The worst of the awards — Most Epic Fail — went to Microsoft for its handling of the PrintNightmare Print Spooler vulnerability, a bug that led to a problematic patch and more questions about potentially vulnerable code.

The Pwnies description sums up the dubious victory:

Microsoft tried to fix it but failed.  Then tried again to fix it but failed. They’re hopefully still trying. 2 patches, and it’s still kicking! It goes without saying that Microsoft identified CVE-2021-34527 as LPE; a little willpower and Twitter drama made it RCE. Microsoft came up with another patch (out-of-band) that doesn’t fix the RCE vector properly and doesn’t even try to fix the LPE anymore.

Microsoft’s buggy code also led to two additional wins, including one to unnamed researchers in the U.S. National Security Agency (NSA) for the discovery of a flaw in the verification of signatures in Windows.

[ Black Hat: New CISA Boss Introducers Herself to Hacker Community

Advertisement. Scroll to continue reading.

The flaw — CVE-2020-0601 — completely broke the certificate trust chain and led to a major advisory from the intelligence agency.

Separately, the discovery of security defects in Microsoft Exchange Server led to a major acknowledgment for Orange Tsai, principal researcher at DEVCORE.  

Orange Tsai’s work documenting entirely new attack surfaces on Exchange Server installations won the Pwnie Award for the Best Server-Side Bug, a project that pinpointed at least seven new vulnerabilities that expose businesses to remote attacks.

The Pwnies also recognized security industry pioneer and IDA creator Ilfak Guilfanov for 30 years of contributions to reverse engineering.

“Ilfak’s impact in vulnerability research should be obvious. IDA and Hex-Rays have had an epic impact on the security landscape and the thirty year history of driving the field forward is unprecedented.”

Here are the full descriptions of all the Pwnie winners.

Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw

Related: Microsoft Ships Emergency PrintNightmare Patch

Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...