Pwnie Awards 2021: The Most Significant Vulnerabilities and Failures in Security

The winners of the annual Pwnie Awards 2021 have been announced, highlighting the most significant vulnerabilities and the most absurd failures in the field of computer security. The Pwnie Awards are considered the computer-security equivalent of the Oscars and the Golden Raspberry.

Main winners (list of nominees):

  • Best privilege escalation vulnerability. The award went to Qualys for identifying vulnerability CVE-2021-3156 in the sudo utility, which allows obtaining root privileges. The vulnerability had been present in the code for about 10 years and is notable because a deep analysis of the utility's logic was required to find it.
  • Best server bug. Awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The award was given for identifying a new attack vector against Microsoft Exchange. Information has not been published about all vulnerabilities of this class, but details have already been disclosed for CVE-2021-26855 (ProxyLogon), which allows extracting the data of an arbitrary user without authentication, and CVE-2021-27065, which makes it possible to execute one's own code on the server with administrator privileges.
  • Best cryptographic attack. Awarded for identifying the most significant flaws in real systems, protocols and encryption algorithms. The award went to Microsoft for the vulnerability (CVE-2020-0601) in the implementation of elliptic-curve digital signatures, which allows generating private keys from public keys. The problem made it possible to create forged TLS certificates for HTTPS and fake digital signatures that Windows verified as trusted.
  • Most innovative research. The award went to the researchers who proposed the BlindSide method for bypassing address space layout randomization (ASLR) using side-channel leaks that arise from the processor's speculative execution of instructions.
  • Biggest failure (Most Epic FAIL). The award went to Microsoft for the repeatedly broken fix for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows print system, which allows executing one's own code. Initially, Microsoft flagged the problem as local, but it then turned out that the attack could be carried out remotely. Microsoft then published updates four times, but each time the fix closed only a particular case, and researchers found a new way to carry out the attack.
  • Best client-side bug. The winner was the researcher who identified vulnerability CVE-2020-28341 in Samsung's secure crypto processors, which hold a CC EAL 5+ security certificate. The vulnerability made it possible to completely bypass the protection and gain access to the code executed on the chip and the data stored in the enclave, bypass the screen lock key, and make changes to the firmware to create a hidden backdoor.
  • Most underrated vulnerability. The award went to Qualys for identifying the 21Nails series of vulnerabilities in the Exim mail server, 10 of which can be exploited remotely. The Exim developers were skeptical about the exploitability of the problems and spent more than 6 months preparing fixes.
  • Lamest Vendor Response. A nomination for the most inadequate response to a vulnerability report concerning one's own product. The winner was Cellebrite, a company that builds forensic analysis and data extraction applications for law enforcement. Cellebrite responded inadequately to a vulnerability report submitted by Moxie Marlinspike, the author of the Signal protocol. Moxie became interested in Cellebrite after a media article about the creation of a technology that allowed encrypted Signal messages to be hacked, which later turned out to be a hoax caused by a misinterpretation of information in an article on the Cellebrite website, which was then removed (the "attack" required physical access to the phone and the ability to unlock the screen, i.e. it came down to viewing messages in the messenger, not manually, but with a special application that simulated user actions).

    Moxie studied Cellebrite's applications and found critical vulnerabilities in them that allowed arbitrary code to be executed when an attempt was made to scan specially crafted data. The Cellebrite application was also found to use an outdated ffmpeg library that had not been updated for 9 years and contained a large number of unpatched vulnerabilities. Instead of acknowledging the problems and fixing them, Cellebrite issued a statement that it cares about the integrity of user data, maintains the security of its products at the proper level, releases regular updates and delivers the best applications of their kind.

  • Greatest achievement. The award went to Ilfak Guilfanov, author of the IDA disassembler and the Hex-Rays decompiler, for his contribution to the development of tools for security researchers and his ability to keep the product up to date for 30 years.

Source: opennet.ru
