Source: pwnies.com

This year, at the Black Hat conference in Las Vegas, the Pwnie Awards were presented in several categories to the discoverers of notable vulnerabilities. The award in the category of "Best Server-Side Bug" went to Meder Kydyraliev for a vulnerability in the Apache Struts2 framework. With a single HTTP request containing five special parameters, he was able to execute arbitrary Java code on the web server.
The "Best Client-Side Bug" was discovered by Sami Koivu; with his exploits he was able to undermine the Java security sandbox and run untrusted code with the logged-on user's privileges. Dionysus Blazakis had, in the opinion of the jury, done the "Most Innovative Research" with his paper on "Flash Pointer Inference and JIT Spraying". Tavis Ormandy took the award for "Best Privilege Escalation Bug".
The award for the most mishandled security vulnerability, "Lamest Vendor Response", went to Absolute; the company had responded to the reporting of a vulnerability in its LANrev remote administration software saying "Is it theoretically possible [to exploit this]? Of course it is, [But] we are not aware of any customer who ever had an issue with this. If any customer did express concern, we would immediately supply them with a patch."
Microsoft took the award in the "Most Epic FAIL" category for the flaw in Internet Explorer 8's XSS (Cross-Site Scripting) filter, which enabled XSS on otherwise secure sites for nearly a year.