LAS VEGAS -- The OpenBSD team has won an award for the most spectacular "mishandling" of a critical security vulnerability.
The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a "reliability fix" for it. A week later Core Security had developed proof of concept code that demonstrated remote code execution. Read the full timeline and quotes in the Core advisory.
During the ceremony, a five-man panel of judges (HD Moore, Alexander Sotirov, Dave Goldsmith, Dino Dai Zovi and Dave Aitel) cheered accomplishments in the bug-finding field and jeers for lame and overhyped discoveries.
Best server-side bug: The Solaris in.telnetd remote root exploit released by Kingcope in February. Kingcope was given a golden Pwnie for finding this vulnerability that did not require any special hacking tools or shellcode.
Best client-side bug: Researchers skape and skywing took this award for finding a nasty Windows vulnerability (Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1) that allowed remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception." The flaw was detailed in Uninformed Vol. 4.
Pwnie for mass ownage: This was won by the unknown hacker who found the WMF SetAbortProc remote code execution hole that was widely exploited in the wild via Internet Explorer. "This vulnerability deserves an award for its obviousness, ease of exploitation and high impact," the judges said.
Most innovative research: Skape's presentation, featured in the Uninformed Vol.2, grabbed this award for being the most interesting piece of work done in the last year.
Most overhyped bug: The controversial MacBook Wi-Fi vulnerabilities released by David Maynor at last year's Black Hat took this dubious award. "In the end, the only public information about Maynor's Wi-Fi vulnerabilities are hype, denial, a media frenzy, and a patch that may or may not have been based on Maynor's findings," the judges said.