The 2010 Pwnie Nominee For Best Client-Side Bug

Windows EOT font parser vulnerability (CVE-2009-2514)

Credit: Tavis Ormandy

Jumping from an iframe straight into the kernel! Tavis Ormandy discovered a memory corruption vulnerability in the win32k code that parses font files embedded on web pages. This vulnerability allows attackers to run arbitrary code in the kernel, bypassing any user-level security and sandboxing technologies.