Heartbleed nominated in four out of eight categories

Aug 5, 2014 19:21 GMT  ·  By

The nominations for the Pwnie Awards of the security industry for 2014 have been submitted, and some of the vulnerabilities competing for the prize managed to rock the online world quite a bit.

The submissions for the eight categories this year have caused both smiles and tears, as they cover the entire scale from seriousness bordering horror to plain fun.

Heartbleed is definitely the most popular vulnerability, as it competes in four categories, with nominations for Best Server-Side Bug and Best Client-Side Bug, as well as for Most Epic Fail and Epic 0wnage.

Battling with it for the title of Best Server-Side Bug are Michele Spagnuolo’s Rosetta Flash, Dan Farmer’s IPMI (Intelligent Platform Management Interface) protocol vulnerabilities, and Craig Heffner’s discovery of exploitable flaws in the DSP-W215.

These alone caused a great deal of online ruckus, affecting hundreds of thousands of machines on which millions of clients depended.

Heartbleed has strong competitors in the Best Client-Side Bug category, too. Geohot’s discovery of the Google Chrome Arbitrary Memory Read/Write vulnerability, Ian Beer’s Pwn4Fun Safari flaw and the “Goto Fail” SSL bug in Apple’s products are all hot on its heels.

Fighting in the Best Privilege Escalation Bug category are Sebastian Apelt’s finding of a weak spot in AFD.sys (Ancillary Function Driver), Francisco Falcon’s VirtualBox VM breakout using 3D acceleration, the Linux futex bug uncovered by Comex and exploited by Geohot for rooting Android devices, and two iOS jailbreaks, evasi0n and Pangu, credited to evad3rs and to Pangu and Stefan Esser, respectively.

Most Innovative Research is contested by no fewer than five nominations: exploitability of hardware bug conditions, ARM errata in particular (Ralf-Philipp Weinmann); bypassing Windows 8.1 mitigations using unsafe COM objects (James Forshaw); RSA key extraction via low-bandwidth acoustic cryptanalysis (Daniel Genkin, Adi Shamir and Eran Tromer); Windows 8 UEFI Secure Boot bypasses (credited to multiple researchers); and bypassing both ASLR and the non-executable stack, credited to Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres and Dan Boneh.

The remaining categories make up the most fun part of the awards, as they include nominations for Lamest Vendor Response, Best Song, Most Epic Fail and Epic 0wnage, in which Heartbleed (more than 500,000 servers affected) competes with the Target breach (up to 110 million individuals affected).

Inputs.io (a massive breach that ended with the theft of 4,100 bitcoins) and Mt. Gox (a bitcoin exchange service that closed shop, leaving users without funds; hundreds of millions of dollars went missing) are also nominated in this category.

The first entry in the Best Song category is “I'm a C I Double S P.”