Yet another daily bug hunt, dubbed Week of Vista Bugs (WOVB), was only a hoax, the project's "creators" have revealed.
News of the WOVB first appeared late last week, when announcements hit security mailing lists of "new undisclosed vulnerabilities, flaws, exploitation techniques, with advanced technical details and zero-days, related to Microsoft Windows Vista."
Obviously, a spin-off of several other one-bug-daily projects - which started with July 2006's Month of Browser Bugs - was greeted with some scepticism. It turns out that the sceptics were right.
"First, I thought about a simple, quite funny, April fool," said the trickster, who was only identified as JA on the newly revised WOVB site. "Then, I have thinked [sic] about one with a little bit of interest and educational purpose for no-experts people and IT Medias."
Although JA's stated purpose was to dupe a gullible - and according to his take, sensation-seeking - IT security press, at least one antivirus vendor was also fooled.
Yesterday, Symantec warned users of its DeepSight threat management alert network that WOVB was leading off with a critical zero-day bug in the Vista firewall. But Symantec's researchers were cautious in their warning. "The [vulnerability] description provided, however, does not directly coincide with the claim," said the alert. "The information is disjointed and suggests that there are at least two possible remote holes in Vista associated with the IPv6 and DCOM implementations.
"No explicit descriptions of a firewall-bypass issue are contained on the site. However, three screenshots may be of potential interest," Symantec added.
JA spelled out the trick. "We have to produce credible and relevant information. As we are under the scope of a lot of security experts (with more skills than me), I will try to do my best to publish something looking true. We will use the same tools as the hackers, to do relevant screenshots and have a credible, well-funded scenario."
JA didn't apologise for the spoof, but instead claimed a higher purpose. "One more time, the goal was to remember that the human factor is one of the most important in IT security."
Coincidentally, while JA fired up the bogus WOVB, a real zero-day flaw in Windows, including Vista, was being actively exploited by attackers. Microsoft is expected to patch the animated cursor bug later Tuesday.