Discovered by: anonymous
The remote code execution vulnerability in the WMF file format was a feature, not a bug. The exploit was discovered in the wild in December of 2005 and led to massive exploitation on the Interweb. This vulnerability deserves an award for its obviousness, ease of exploitation and high impact.