'Month of bugs' pins bull's-eye on Google, Yahoo

Computerworld - Yet another month-long round of daily bugs cranks up June 1, a Ukrainian researcher announced yesterday. This time, the target will be search engines such as Google, Yahoo, MSN and Ask.com.

Tagged with the copycat "Month of Search Engines Bugs" moniker, this latest bug-a-day campaign follows Month of Browser Bugs (July 2006), Month of Apple Bugs (January 2007), the turned-out-to-be-bogus Month of MySpace Bugs (April 2007) and May's Month of ActiveX Bugs.

"Purpose of this Month of Bugs is a demonstration of [the] real state with security in search engines, which are the most popular sites in Internet," the researcher identified only as "MustLive" explained. "To let users of search engines and [the] Web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines' owners to security issues of their sites." The entry was in both English and Russian.

MustLive promised cross-site scripting vulnerabilities would be the month's focus, and multiple search sites' flaws would be disclosed. Every day we'll publish vulnerabilities in different engines, said MustLive. Or, as it was originally posted online: "Everyday will be publish vulnerabilities in different engines."

Although some security analysts have blasted "Month of..." projects as publicity stunts, several of the campaigns -- notably January's Apple bugs rodeo -- have resulted in updated software. According to McAfee Inc.'s Kevin Beets, several of the "Month of..." runs have produced patches. More than two-thirds of the 31 Apple flaws made public, for instance, were fixed. "It does appear that vendors are taking notice of this format," Beets said on McAfee's Avert Labs blog. "Whether you love 'em or hate 'em, it looks like the 'Month-of' projects are having an impact on the vulnerability landscape."

The Month of Search Engines Bugs will kick off at this URL.

Read more about Security in Computerworld's Security Topic Center.