2008 Pwnie Award Nominees

Best Client-Side Bug

Adobe Flash DefineSceneAndFrameLabelData vulnerability (CVE-2007-0071)

Multiple URL protocol handling flaws

QuickTime (CVE-2008-*)

Safari carpet bomb (CVE-2008-2540)

Slirpie

Best Server-Side Bug

ClamAV Remote Command Execution (CVE-2007-4560)

NetWare kernel DCERPC stack buffer overflow

SQL Server 2005 (CVE-2007-4560)

Windows IGMP kernel vulnerability (CVE-2007-0069)

Best Song

Clockwork

Packin’ The K!

Symantec Song

The Data Song (Get Me LiveSecurity)

Lamest Vendor Response

Linus Torvalds

McAfee’s “Hacker Safe” certification program

NXP (formerly Philips Semiconductors)

Wonderware

Lifetime Achievement Award

Dan Geer

John McDonald

Oded Horovitz

Tim Newsham

Mass 0wnage

An unbelievable number of WordPress vulnerabilities (CVE-2008-*)

Debian’s random number generator with 15 bits of entropy (CVE-2008-0166)

SQL injection in more than 500,000 web sites

Windows IGMP kernel vulnerability (CVE-2007-0069)

XSS of the entire web for users of Earthlink, Comcast and Verizon

Most Epic Fail

Debian for shipping a backdoored OpenSSL library for two years (CVE-2008-0166)

Todd Davis, Lifelock CEO for posting his SSN on the web

Windows Vista for proving that security does not sell

Most Innovative Research

Application-Specific Attacks: Leveraging the ActionScript VM

Defeating a VM packer with a decompiler written in OCaml

Heaps about Heaps

Lest We Remember: Cold Boot Attacks on Encryption Keys

Splitting Gemini

Most Over-Hyped Bug

Adobe Flash Player non-0day remote code execution (BID 29386)

BT Home Hub authentication bypass (CVE-2008-5383 and CVE-2008-5384)

Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)