Microsoft's ActiveX technology is to have a "Month of Bugs", following in the footsteps of the likes of Windows, Mac, PHP and Myspace.
Although some researchers have already dismissed the project as copycat, others are warning its findings might put Windows users at risk of attack.
The sparse postings so far on the Month of ActiveX Bugs (MoAxB) site by someone identified as "shinnai" hint that the majority of the vulnerabilities will be denial-of-service (DoS) flaws that can cause applications and/or the operating system to crash.
ActiveX is a Microsoft technology for making web pages more interactive. ActiveX is used for a bewildering array of chores, from initiating Microsoft's Windows Update to adding streaming media to a website.
As of Wednesday, MoAxB has posted two vulnerabilities. One is in a PowerPoint viewer; the other in an Excel viewer. The controls can be used to host an Excel or PowerPoint file in an online form or on a web page, and they are sold by a developer tools company called Office OCX.
In a warning to customers of its DeepSight threat network, security vendor Symantec dismissed the debut bug, saying, "The first posted vulnerability is of little significance." But other security companies, including Danish bug tracker Secunia and the French firm FrSIRT.com, have pegged the ActiveX vulnerabilities as "highly critical" and "critical," respectively.
And some writers on the Full Disclosure security mailing list weren't ready to brush off the bugs simply because they seemed to be DoS vulnerabilities, not more dangerous remote-execution-type flaws. "Regardless of whether it results in remote code execution, I don't think a DoS should necessarily be discounted as frivolous or irrelevant," said one writer identified as Steven. "It might not rank up there with 'critical' or 'high' vulnerabilities, but it is a vulnerability nonetheless."
"There have been multiple instances on the [security mailing] lists throughout the years where a DoS suddenly became promoted to a remotely exploitable bug," said a writer named Robert on the same thread.