The winners of the annual Pwnie Awards 2020 determined , highlighting the most significant vulnerabilities and absurd failures in the field of computer security. The Pwnie Awards are considered to be the Oscars and Golden Raspberry counterparts in computer security.
Major winners and nominations a>:
- Best server bug. Awarded for identifying and exploiting the most technically challenging and interesting error in a network service. Victory was awarded for identifying vulnerability (CVE-2020-10188 ) to remotely attack Fedora 31 embedded devices via telnetd buffer overflows.
- Best bug in client software. The winner was the researchers who identified the vulnerability in Samsung’s Android firmware, exploited by sending MMS.
- Best privilege escalation vulnerability. The victory was awarded for identifying a vulnerability in the bootrom of Apple iPhones, iPads, Apple Watches and Apple TV based on A5, A6, A7, A8, A9, A10 and A11 chips, which allows bypassing firmware jailbreak and organizing dual boot of other OS. li>
- The best cryptographic attack. Awarded for identifying the most significant flaws in real systems, protocols and encryption algorithms. The prize was awarded for the identification of the Zerologon vulnerability (CVE-2020-1472) in the MS-NRPC protocol and the AES-CFB8 crypto algorithm, which allows an attacker to gain administrator rights on a Windows domain controller or Samba.
- Most innovative research. The prize is awarded to researchers who have shown that RowHammer attacks can be used against modern DDR4 memory chips to alter the content of individual bits of dynamic random access memory (DRAM).
- Lamest Vendor Response. Nominated for the most inadequate response to a vulnerability report in its own product. The winner was the legendary Daniel J. Bernstein, who 15 years ago did not consider it serious and did not fix the vulnerability (CVE-2005-1513) in qmail, since its exploitation required a 64-bit system with more than 4GB of virtual memory. … For 15 years, 64-bit systems on servers supplanted 32-bit ones, the amount of supplied memory dramatically increased, and as a result, a working exploit was created that could be used to attack systems with qmail in the default configuration.
- Most underestimated vulnerability. Awarded for vulnerabilities
/Release. View in full here.