Best Client-Side Bug

Adobe Flash Player RegExp Overflow (CVE-2013-0634)

Adobe Reader Buffer Overflow and Sandbox Escape (CVE-2013-0641)

Microsoft Internet Explorer VML (CVE-2013-2551)

WebKit SVGElement Type Confusion (CVE-2013-0912)


Best Privilege Escalation Bug

Linux kernel perf_swevents_init (CVE-2013-2094)

Motorola TrustZone array OOB write (CVE-2013-3051)

iOS incomplete codesign bypass and kernel vulnerabilities (CVE-2013-0977, CVE-2013-0978 and CVE-2013-0981)

win32k.sys EPATHOBJ::pprFlattenRec uninitialized pointer (CVE-2013-3660)


Best Server-Side Bug

Asterisk Stack Overflow (CVE-2012-5976)

Cryptographic flaws in the Oracle Database authentication protocol (CVE-2012-3137)

Nginx Overflows (CVE-2013-2028 and CVE-2013-2070)

Ruby on Rails YAML (CVE-2013-0156)

SAPRouter Remote Heap Overflow


Best Song

All the Things

Format String

SSH to Your Heart

Safe

WatchGuard’s Security Shop


Epic 0wnage

APT1 pwnage by malware.lu

Cyber Fast Track

Internet Census 2012

Joint nomination to Edward Snowden and the NSA


Lifetime Achievement Award

Barnaby Jack


Most Epic Fail

Android “Master Key” Vulnerability

Cryptographic failures in CryptoCat

Nmap: The Internet Considered Harmful – DARPA Inference Checking Kludge Scanning

Sophos

U.S. Govt Destroys $170k worth of Hardware in Hunt for Non-Existent Malware


Most Innovative Research

CRIME attack

Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns

Leaking Addresses with Vulnerabilities that Can't Read Good

Page Fault Liberation Army

Practical Timing Side Channel Attacks Against Kernel Space ASLR