Pwnie Awards 2021: most significant vulnerabilities and security failures

The winners of the annual Pwnie Awards 2021 have been announced, recognising the most significant vulnerabilities and the most absurd failures in computer security. The Pwnie Awards are considered the computer-security equivalent of the Oscars and the Golden Raspberry Awards.

Main winners (list of nominees):

  • Best Privilege Escalation Bug. The award went to Qualys for identifying CVE-2021-3156 in the sudo utility, which allows root privileges to be obtained. The vulnerability had been present in the code for about 10 years and is notable in that finding it required analysing the utility's logic.
  • Best Server-Side Bug. Awarded for discovering and exploiting the most technically complex and interesting bug in a network service. The award went to the discovery of a new attack vector against Microsoft Exchange. Details of not all of the vulnerabilities have been disclosed yet, but information has already been published on CVE-2021-26855 (ProxyLogon), which allows an arbitrary user's data to be extracted without authentication, and CVE-2021-27065, which allows code execution on the server with administrator rights.
  • Best Cryptographic Attack. Awarded for identifying the most significant flaws in real-world systems, protocols and encryption algorithms. The award went to Microsoft for the vulnerability (CVE-2020-0601) in its implementation of elliptic-curve digital signatures, which allowed private keys to be derived from public keys. The flaw made it possible to create fake TLS certificates for HTTPS and forged digital signatures that Windows verified as trusted.
  • Most Innovative Research. The award went to the researchers who proposed the Blindside method for bypassing address space layout randomization (ASLR) using side-channel leaks that arise from the processor's speculative execution of instructions.
  • Most Epic Fail. The award went to Microsoft for repeatedly releasing non-working fixes for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows printing system, which allows code execution.
    Initially Microsoft classified the problem as local, but it then turned out that the attack could be carried out remotely. Microsoft then published updates four times, but each time the fix closed only a specific case and researchers found a new way to carry out the attack.
Source: media reports.