Pwnie Awards 2017

The 2009 Pwnie Award For Best Client-Side Bug


Ryan Smith, Alex Wheeler

At first glance, this bug may appear to be just yet another vulnerability in an ActiveX component. Easily exploited vulnerabilities in ActiveX components typically lead to malware outbreaks all over the Interwebs, and that’s exactly what happened with this one. But ActiveX component bugs are hardly the stuff that Pwnie Awards are made of. As more people began to research this vulnerability, it became clear that the flaw was not in the ActiveX component’s own code, but in the ATL code (IPersistStreamInit::Load) statically built into it. Oh, snap. It’s a kill-bit bloodbath out there.

As this vulnerability had begun to be exploited in the wild prior to its scheduled patch release, it conveniently became eligible for this year’s Pwnie Awards. Don’t let its CVE number fool you: this wasn’t one of last year’s bugs. Microsoft was sitting on this vulnerability for somewhere around 16 months.