2021 Pwnie Award Nominees
Best Client-Side Bug
Exploiting Samsung Secure Chip (CVE-2020-28341)
MOZILLA (CVE-2021-29955), INTEL (CVE-2021-0086), AMD (CVE-2021-26314)
Best Cryptographic Attack
Kaspersky Password Manager: All your passwords are belong to us
Best Privilege Escalation Bug
Even more Windows print spooler
Floating Point Value Injection
Heap-based buffer overflow in Sudo!
Sequoia: A deep root in Linux’s filesystem layer
Best Server-Side Bug
(Another) Print Spooler Vulnerability (CVE-2021-1675)
Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065, and others TBD)
PrintNightmare (CVE-2021-34527)
UAF in HTTP.sys (CVE-2021-31166)
Best Song
Epic Achievement
Floating Point Value Injection (FPVI)
Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities
Lamest Vendor Response
Apple Response to Password Reset Vulnerabilities
Giggle App Account and Public Information Disclosure Vulnerability
Peloton Patches and Requires Subscription
Most Epic Fail
CREST / NCC Group – The Saga Continues
Canadian Shield iOS application is itself vulnerable
Samsung’s “secure” chip has a memcpy() buffer overflow
Voatz just generally having a bad one (year)
Most Innovative Research
APICraft: Fuzz Driver Generation for Closed-source SDK Libraries
An Analysis of Speculative Type Confusion Vulnerabilities in the Wild
Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical
Speculative Probing: Hacking Blind in the Spectre Era
Most Under-Hyped Research
SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript