
May 18th, 2007

'Month of bugs' spotlight hits search engines

Posted by Ryan Naraine @ 7:02 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Google, Hackers, McAfee, Metasploit, Microsoft, Open source, Passwords, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Search Engine, Ryan Naraine

A Ukrainian hacker known as “MustLive” has announced plans for a Month of Search Engine Bugs project in June 2007.

[The] purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines’ owners to security issues of their sites.

The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com) and publish details on these flaws.

Cross-site scripting vulnerabilities are widely considered the low-hanging fruit in security research circles (see this list for some examples) but, when combined with other unpatched holes, they can be valuable to an attacker (see RSnake’s description of a scenario that blends cross-site scripting bugs into a targeted attack).

This latest project, although less technical than previous efforts, should not be dismissed. As we know, these “month-of-bugs” initiatives get positive results — flaws get fixed — and that’s always a good thing.

McAfee’s Kevin Beets dug deeper into results from previous “month-of-bugs” projects and found that a large number of holes are being fixed by the affected vendor.
Month of bugs getting results
Since July last year, there have been seven “month-of-bugs” projects, highlighting unpatched flaws in browsers, operating system kernels, Apple’s Mac ecosystem, PHP, MySpace and ActiveX.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 8 Talkback(s)
Must have missed that
Still it shows that the "Most secure OS ever written" is still not secure, because it's written by Microsoft....
Posted by: Rick_K Posted on: 05/19/07
Whatever happened to Month of ActiveX bugs?  NonZealot | 05/18/07
Perhaps Microsoft paid them out to keep things under wraps .  I'm Ye, the MS SHILL . | 05/18/07
The troll speaks!  RocketEater | 05/18/07
Month?  jasonp@... | 05/18/07
It is all about accountability  doug@... | 05/18/07
What about the UAC flaw?  Rick_K | 05/18/07
Troublemaker  yyuko@... | 05/18/07
Must have missed that  Rick_K | 05/19/07
