Security-Oscars: And the Pwnie goes to …


The Pwnie Awards honor or discredit their winners in various categories: prizes go to the most terrible mistakes in IT security, but also to the greatest successes in this area.

The US intelligence agency NSA did not go home with one of the negative Pwnies like “Lamest Vendor Response” or “Most Epic Fail”. Instead, the jury awarded the state code breakers the prize in the “Best Cryptographic Attack” category for the vulnerability in a Windows crypto library published at the beginning of 2020. Anyone who wants to win the prize in this category must be able to demonstrate a cryptographic attack with serious effects on systems used in practice. According to the Pwnie judges, this is the first crypto bug ever to have a negative impact on real life.

Ilfak Guilfanov can be happy about the award for his life’s work (“Epic Achievement”). He is the maker of the popular and ubiquitous debugger IDA, who has had a “monumental impact on the security landscape” for 30 years now.

The aforementioned “Lamest Vendor Response” award went to Cellebrite, a provider of spy software. The company simply did not react to the weaknesses that Signal developer Moxie Marlinspike described.

The second Golden Raspberry went to Microsoft. The jury sees Microsoft’s inability to repair the vulnerability in the Windows print spooler, dubbed PrintNightmare, as the “Most Epic Fail”. Despite the patch and the subsequent emergency patch, the danger is still not averted.

Microsoft, involuntarily, also plays a role in the “Best Server-Side Bug” category: the researcher Orange Tsai received this award for uncovering various vulnerabilities in Microsoft’s Exchange Server. The hacker explains details of the Exchange vulnerabilities in a freely accessible lecture given as part of the Defcon security conference.


As “Most Under-Hyped Research”, the Pwnie jury honored the 21 bugs that Qualys uncovered in the Exim mail server this year. By exploiting the flaws, attackers could gain root rights on systems running the software, which has been installed millions of times around the world.

In addition, the jurors awarded further Pwnies, including for the best song (spoiler alert: worth hearing) and for the most innovative security research. A complete list of the award winners can be found on the jury’s website.


(jk)
