Nominees have been announced for the Pwnie 2013 awards that recognise the best and worst achievements, failures and demonstrations of incompetence from the information security over the last year.
The popular awards were handed out each year at the Black Hat security conference in Las Vegas. A panel of security professionals hand picked winners in each of the nine categories from nominees selected by the community.
Each year the awards recognised the researchers who have discovered or exploited the best security bugs, the best hacks, and the vendor products which contained the worst vulnerabilities.
This year candidates for the most technically sophisticated and interesting server-side bug discovered or exploited included:
- Ruby on Rails YAML(CVE-2013-0156);
- Cryptographic flaws in Oracle database authentication protocol (CVE-2012-3137);
- SAPRouter remote heap overflow;
- Asterisk stack overflow (CVE-2012-5976),
- and Nginx overflows (CVE-2013-2028 and CVE-2013-2070)
Contenders for the best client-side bug discovered or exploited were:
- WebKit SVGElement type confusion (CVE-2013-0912);
- Adobe Flash Player regexp overflow (CVE-2013-0634);
- Microsoft Internet Explorer VML (CVE-2013-2551),
- and Adobe Reader buffer overflow and sandbox escape (CVE-2013-0641).
The researchers nominated for best privilege escalation bug discovered or exploited were:
- Linux kernel perf_swevents_init (CVE-2013-2094)
- win32k.sys EPATHOBJ::pprFlattenRec uninitialized pointer (CVE-2013-3660)
- iOS incomplete codesign bypass and kernel vulnerabilities (CVE-2013-0977, CVE-2013-0978 and CVE-2013-0981
- Motorola TrustZone array OOB write (CVE-2013-3051)
The nominees behind the most innovative research were:
- Juliano Rizzo and Thai Duong for the CRIME attack;
- Mateusz Jurczyk, Gynvael Coldwind for identifying and exploiting Windows kernel race conditions;
- Paul @pa_kt and Dion Blazakis for a timing attack to bypass browser ASLR in Firefox;
- Julian Bangert and Sergey Bratus for their Chaos Communications Congress research - Page Fault Liberation Army,
- And Ralf Hund, Carsten Willems, Thorsten Holz for timing side channel attacks against kernel space ASLR.
The contenders for the pwnie for "epic 0wnage” include:
- The anonymous author behind the Internet Census;
- Peiter Zatko for his work in developing the Cyber Fast Track DARPA funding scheme for security research;
- Malware.lu's hijacking of APT1 command and control servers,
- And a joint nomination to Edward Snowden and the NSA.
Those in the running for the most epic fail Pwnie award include:
- Cryptocat for flaws in its messaging platform that allowed seven months of a users' conversations to be crackable;
- Sophos for bugs demonstrated by researcher Tavis Ormandy;
- The Android key flaw which has now surfaced in the wild;
- The US Economic Development Administration which destroyed $US170,000 worth of hardware including mice and monitors to remove malware,
- And security publication Hackin9 for failing to fact check an article (Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning) submitted by the security community which was revealed to be a fabricated parody.
The Pwnie awards for lifetime achievement and the lamest vendor response will be announced at the ceremony on July 31.
More detail on the awards was available on the Pwnies site.