The 2016 Pwnie Nominee For Lamest Vendor Response

“PatchDoor”

Credit: RoundCube

Keeping pace is important to stay relevant in the technology world, where everything moves so fast. Vroooom. So when a researcher reports a textbook memory corruption bug (aka dinosaur bones) in your native-code PHP module, it’s important to show them that you’re keeping up with the changing times. Swap out those hammer-pants strcpy bugs for 2001’s dankest bug class–improperly escaped user-supplied command arguments–and rest assured that your router’s LEDs will keep the party lit fam.

OK, real talk: we shouldn’t be shocked that RoundCube decided to swap out the correct escape function, even if the fix only required a size check (which itself appears off-by-one from the screenshot, introducing a new non-NULL-termination bug, but that’s none of our business though). In reality, the name RoundCube should have been a strong indicator that they’re probably not the greatest at reasoning. We remain excited to see what new creative shapes of attack surface they make next!
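For readers who have not seen a non-NUL-termination bug since the dinosaur bones were buried: the snippet below is an added, hypothetical reconstruction of the off-by-one pattern described above, not RoundCube’s code. The buffer size, argument string and function names are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARG_BUF 16  /* constructed buffer size for the demonstration */

/* Hypothetical "fix" whose bound check is off by one: a source whose
 * length equals the buffer size passes the check, fills every byte and
 * leaves no room for the NUL terminator. Returns 0 on success, -1 if
 * rejected. Nothing re-terminates the buffer afterwards, so the defect
 * is observable by the caller. */
int copy_arg_offbyone(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (len > dstsz)          /* bug: should be len >= dstsz */
        return -1;
    memcpy(dst, src, len);
    if (len < dstsz)
        dst[len] = '\0';      /* terminator only fits when len < dstsz */
    return 0;
}

/* Corrected bound: one byte is always reserved for the terminator. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, src, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Reports whether dst[0..dstsz) holds a NUL byte, i.e. whether a later
 * strlen/strcpy/printf("%s") on dst would stay inside the buffer. */
int is_terminated(const char *dst, size_t dstsz)
{
    return memchr(dst, '\0', dstsz) != NULL;
}

int main(void)
{
    char buf[ARG_BUF];
    const char *arg = "0123456789ABCDEF"; /* constructed: exactly 16 bytes */
    memset(buf, 'X', sizeof buf);
    printf("off-by-one: rc=%d terminated=%d\n",
           copy_arg_offbyone(buf, sizeof buf, arg), is_terminated(buf, sizeof buf));
    memset(buf, 'X', sizeof buf);
    printf("checked:    rc=%d terminated=%d\n",
           copy_arg_checked(buf, sizeof buf, arg), is_terminated(buf, sizeof buf));
    return 0;
}
```

The off-by-one variant accepts the 16-byte argument and leaves the buffer unterminated, while the corrected variant rejects it and only accepts inputs that leave room for the NUL.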