'Month of bugs' spotlight hits search engines

A Ukranian hacker known as "MustLive" has announced plans for a Month of Search Engine Bugs project in June 2007.

[The] purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines’ owners to security issues of their sites.

The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com) and publish details on these flaws.

Cross-site scripting vulnerabilities are widely considered the low hanging fruit in security research circles (see this list for some examples) but, when combined with other unpatched holes, they can be valuable to an attacker (see RSnake's description of scenario that blends cross-site-scripting bugs into a targeted attack).

This latest project, although less technical than previous efforts, should not be dismissed. As we know, these "month-of-bugs" initiatives get positive results -- flaws get fixed -- and that's always a good thing.

McAfee's Kevin Beets dug deeper into results from previous "month-of-bugs" projects and found that a large number of holes are being fixed by the affected vendor.

Since July last year, there have been seven "month-of-bugs" project, highlighting unpatched flaws in browsers, operating system kernels, Apple's Mac ecosystem, PHP, MySpace and ActiveX.