'Month of bugs' spotlight hits search engines

Summary: Throughout the month of June, a Ukrainian hacker plans to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com) and publish details on these security flaws.

A Ukrainian hacker known as "MustLive" has announced plans for a Month of Search Engine Bugs project in June 2007.

[The] purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines’ owners to security issues of their sites.

The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com) and publish details on these flaws.

Cross-site scripting vulnerabilities are widely considered the low-hanging fruit in security research circles (see this list for some examples) but, when combined with other unpatched holes, they can be valuable to an attacker (see RSnake's description of a scenario that blends cross-site scripting bugs into a targeted attack).

This latest project, although less technical than previous efforts, should not be dismissed. As we know, these "month-of-bugs" initiatives get positive results -- flaws get fixed -- and that's always a good thing.

McAfee's Kevin Beets dug deeper into results from previous "month-of-bugs" projects and found that a large number of holes are being fixed by the affected vendor.

Month of bugs getting results
Since July last year, there have been seven "month-of-bugs" projects, highlighting unpatched flaws in browsers, operating system kernels, Apple's Mac ecosystem, PHP, MySpace and ActiveX.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio
