Security researchers award the best and the worst in the industry

Aug 8, 2014 10:03 GMT  ·  By

Nominated in four of this year's eight categories, the notorious Heartbleed bug that stirred up the entire Internet has been named winner of Best Server-Side Bug.

It also received nominations for the Best Client-Side Bug, Most Epic Fail and Most Epic 0wnage categories, where it faced fierce competition.

The judging panel at this edition of the Pwnie Awards was composed of Dino Dai Zovi, Justine Aitel, Mark Dowd, Alexander Sotirov, Brandon Edwards, Christopher Valasek, and HD Moore, all of them security researchers held in high regard, and not only for their work.

The Heartbleed flaw is credited to Neel Mehta and Codenomicon, who discovered a coding error in OpenSSL that allowed an attacker to read information from the memory of systems using the cryptographic library, information that would otherwise have been protected by SSL/TLS encryption.

The Best Client-Side Bug award was swiped by Geohot’s Google Chrome Arbitrary Memory Read-Write vulnerability, which chained several flaws together to read from and write to arbitrary memory.

Named after a line of C code so descriptive that it could hardly have been called anything else, Apple’s “Goto Fail” has been crowned Most Epic Fail.

Most Epic 0wnage was awarded to Mt.Gox, the Bitcoin exchange service that went belly up and left emptiness in users’ pockets once filled with 100,000 Bitcoins (I don’t even dare to make the conversion to EUR or USD).

Another nomination that won the respect of the judges was Sebastian Apelt’s vulnerability in AFD.sys (Ancillary Function Driver), which was named winner of the Best Privilege Escalation Bug category.

The prize for the Most Innovative Research was taken by the study of RSA key extraction via low-bandwidth acoustic cryptanalysis, credited to Daniel Genkin, Adi Shamir, and Eran Tromer.

According to their paper, an attack perpetrated this way “can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.”

On the lighter side of things, the Lamest Vendor Response went to AVG’s reply regarding security problems in “AVG Remote Administration,” which stated that the weakness in the software was “by design.” To paint a better picture, Remote Administration enables a network administrator “to remotely install, update, and configure AVG across the computer network.”

In the Best Song category the “pwnie” was taken by the SSL Smiley Song, from 0xabad1dea, which faced competition from “I'm a C I Double-S P,” a 50 Cent song parody.