The 2011 Pwnie nominations are in!
The premier event on the software vulnerability research calendar is the Pwnie Awards ceremony (it's pronounced "pony"). The 2011 nominees include critical vulnerabilities in Microsoft ASP.NET, iOS, Google Chrome, Java, the Linux kernel, and an award for special achievement in insecurity to Sony.
Read the nominations page for the full list. Here are my selections:
Pwnie for Best Server-Side Bug. Because of the potential widespread impact, I have to give this one to "ASP.NET Framework Padding Oracle (CVE-2010-3332)" -- Credit: Juliano Rizzo, Thai Duong -- which could be used to remotely compromise almost any ASP.NET server application. It's worth noting that Microsoft only rated this "Important", probably because only some .NET versions were affected and there were easy mitigations available. None of the bugs are slam-dunks this year.
Pwnie for Best Client-Side Bug. All five of these are headline vulnerabilities, top stuff. I'd be tempted to pick "VUPEN's Google Chrome sandbox bypass" but they never released details and didn't even notify Google, which is kind of a jerk way to go about things. Of the rest I'd say the most impressive one is "Blackberry Pwn2Own exploit" -- Credit: Vincenzo Iozzo, Willem Pinckaers, Ralf-Phillipp Weinmann -- which combined two information leak vulnerabilities in WebKit to result in code execution on the BlackBerry, and they did it without a debugger or the other usual technical tools and docs.
Pwnie for Best Privilege Escalation Bug. These are all pretty obscure problems that require code to be already running on the system. I like Tavis Ormandy's "Linux $ORIGIN privilege escalation (CVE-2010-3847)", which also used work from several anonymous researchers.
Pwnie for Most Innovative Research. Combining several techniques, Haifei Li was able to get past both DEP and ASLR with his "Understanding and Exploiting Flash ActionScript Vulnerabilities".
Lamest Vendor Response. No contest: The "RSA SecurID token compromise" is the security scandal of the year, far worse than anything Sony did.
Pwnie for Epic 0wnage. There are arguably no good guys in this list, but I'll pick Stuxnet, the most impressive malware and targeted attack ever.
There is also an annual award for the best hacking song. They all suck this year (as always, sad to say), but this one was the most tolerable to me: "gli anni". Author: ethanhunt - astharot
This is an Italian song recorded at the end of 2010. It's a nostalgic song that remembers the old times of the hacking scene, with references to all the groups and events. It's recorded in Italian, but the YouTube video has English subtitles.
The awards will be given at BlackHat on August 3rd.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.