Look out, Google and Yahoo; hacker to publish month of search engine bugs

A hacker using the alias "Mustlive" announced this week that June will feature the next month-long vulnerability disclosure project, this one dedicated to search engine bugs.

"The purpose of this month of bugs is a demonstration of the real state with security in search engines, which are the most popular sites on the internet," the Ukrainian hacker wrote on his blog.

He added that he wants "to let users of search engines and the web community as a whole to understand all risks" associated with search engines.

Most disclosures during the Month of Search Engine Bugs (MOSEB) will be cross-site scripting (XSS) vulnerabilities, Mustlive said.

Many experts have criticized the ubiquitous "Month of…" projects, saying hackers should report their vulnerability discoveries to the vendor, not post them publicly. So far, there have been month-long initiatives to expose browser, kernel, Apple, MySpace, PHP and ActiveX vulnerabilities.

Microsoft "stands ready to address any potential vulnerabilities" affecting its MSN search engine, a company spokesman told today. But the software giant "encourages responsible disclosure of vulnerabilities to minimize risk to computer users," the spokesman said.

A Google spokesman said the search engine giant "takes security very seriously and integrates security protection into the overall product development process and follows commonly accepted industry best practices for vulnerability and incident response."

"We encourage security researchers who discover security issues with Google products to follow responsible disclosure practices and to contact us at [email protected] prior to publicly releasing vulnerability details," he added.

A representative from Yahoo could not immediately be reached for comment.

Ryan Russell, quality assurance manager for BigFix, told today these undertakings tend to blindside vendors.

"It puts the vendor on short notice," he said. "I respect people's rights to do it, but it probably would be better for everyone involved if you gave the vendor some knowledge. And in most cases, the vendor is the only person anyone is going to accept a fix or workaround from."

In the case of search engines, though, end-users will not have to take any action to receive the patches, Russell said. "You can fix it in one place, and it fixes everyone in the world," he said.

Former hacker Mark Loveless, now a security architect at Vernier Networks, said if they are done right, the month-of-bug projects can be humorous in a "thumbing-your-nose-at-the-man" kind of way.

"Anything that stirs the pot, I'm all in favor of," he told

But, Loveless added, considering the number of easy-to-detect XSS flaws planned, this particular initiative may lack the technical muscle that previous projects have had.

"I'm really thinking that by the end of the month, they're going to be scraping the bottom of the barrel," he said. "They're going to be putting crap up. I think they're cheating. I'd like to see something else done that is just as creative and provocative...but something original."

Loveless said he would like to see a "Month of Vista Bugs."

Projects promising Vista and Oracle Database bugs never were launched this year.

