Search engines are the next target of a "Month of Bugs" campaign, a Ukrainian security researcher said. Google, Yahoo, MSN and Ask.com are all in the firing line.
Tagged with the copycat "Month of Search Engines Bugs" moniker, this latest bug-a-day campaign follows Month of Browser Bugs (July 2006), Month of Apple Bugs (January 2007), the turned-out-to-be-bogus Month of MySpace Bugs (April 2007) and May's Month of ActiveX Bugs.
"Purpose of this Month of Bugs is a demonstration of [the] real state with security in search engines, which are the most popular sites in Internet," the researcher identified only as "MustLive" wrote. "To let users of search engines and [the] Web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines' owners to security issues of their sites." The entry was in both English and Russian.
MustLive promised that cross-site scripting vulnerabilities would be the month's focus and that flaws in multiple search sites would be disclosed. Every day we'll publish vulnerabilities in different engines, said MustLive. Or, as it was originally posted online: "Everyday will be publish vulnerabilities in different engines."
Although some security analysts have blasted "Month of..." projects as publicity stunts, several of the campaigns - notably January's Apple bugs rodeo - have resulted in updated software.
According to McAfee's Kevin Beets, several of the "Month of..." runs have produced patches. More than two-thirds of the 31 Apple flaws made public, for instance, were fixed.
"It does appear that vendors are taking notice of this format," Beets said on McAfee's Avert Labs blog. "Whether you love 'em or hate 'em, it looks like the 'Month-of' projects are having an impact on the vulnerability landscape."
The Month of Search Engine Bugs begins on 1 June.