Move over Antoinette Perry. There is a new award in town and it will take place at the Black Hat briefings next week in Las Vegas. Pwnie awards will honor (shame?) moments of brilliance and ineptitude in the security research community. Highlights from this year’s crop of nominations include:
- Kernel-mode remote code execution that works on XP, W2K3 and Vista. This after MSFT speculated that the bug would be very difficult to exploit in the real world.
- QuickTime– no vulnerability required, the nomination committee decided the entire application is one colossal mistake, mired in the 1990s quality control standards (“compiles without errors when most warnings are disabled”) and providing another example of insecure context switching.
- DNS rebinding attacks. Using the web browser to VPN into the internal network behind a firewall. Considering that Kaminsky presented on the topic at last year’s Black Hat, this one has outlived its shelf life.
- Safari carpet bombing. Note to Apple: forcing software on user machines is not a good strategy when you are awfully slow to fix publicly reported vulnerabilities.
- Debian/OpenSSL not-very-random number generator debacle; also nominated for most epic failure.
- Linus Torvalds for controversial views on vulnerability research and handling security bugs.
- Overhyped bugs: DNS poisoning and unauthenticated UPnP control over network devices.