Google and Yahoo beware; month of search engine bugs coming

"[The] purpose of this month of bugs is a demonstration of [the] real state with security in search engines, which are the most popular sites [on] the internet," the Ukrainian hacker wrote on his blog.

He added that he wants "to let users of search engines and (the) web community as a whole understand all risks" associated with search engines.

Most disclosures during the Month of Search Engine Bugs (MOSEB) will be cross-site scripting (XSS) vulnerabilities, Mustlive said.

Many experts have criticised the ubiquitous "Month of…" projects, saying hackers should report their vulnerability discoveries to the vendor, not post them publicly. So far, there have been month-long initiatives to expose browser, kernel, Apple, MySpace, PHP and ActiveX vulnerabilities.

Microsoft "stands ready to address any potential vulnerabilities" affecting its MSN search engine, a company spokesman told SCMagazine.com.

But the software giant "encourages responsible disclosure of vulnerabilities to minimise risk to computer users," the spokesman said.

A Google spokesman said the search engine giant "takes security very seriously and integrates security protection into the overall product development process and follows commonly accepted industry best practices for vulnerability and incident response."

"We encourage security researchers who discover security issues with Google products to follow responsible disclosure practices and to contact us at security@google.com prior to publicly releasing vulnerability details," he added.

A representative from Yahoo  could not immediately be reached for comment.

Ryan Russell, quality assurance manager for BigFix, told SCMagazine.com these undertakings tend to blindside vendors.

"It puts the vendor on short notice," he said. "I respect people's rights to do it, but it probably would be better for everyone involved if you gave the vendor some knowledge. And in most cases, the vendor is the only person anyone is going to accept a fix or workaround from."

In the case of search engines, though, end users will not have to take any action to receive the patches, Russell said. "You can fix it in one place, and it fixes everyone in the world," he said.

Former hacker Mark Loveless, now a security architect at Vernier Networks, said if they are done right, the month-of-bug projects can be humorous in a "thumbing-your-nose-at-the-man" kind of way.

"Anything that stirs the pot, I'm all in favour of," he told SCMagazine.com.

But, Loveless added, considering the number of easy-to-detect XSS flaws planned, this particular initiative may lack the technical muscle that previous projects have had.

"I'm really thinking that by the end of the month, they're going to be scraping the bottom of the barrel," he said. "They're gonna be putting crap up. I think they're cheating. I'd like to see something else done that is just as creative and provocative...but something original."

Loveless said he would like to see a "Month of Vista Bugs."

Projects promising Vista and Oracle Database bugs never were launched this year.

andbugsenginegooglehackerlookmonthofoutpublishsearchsecuritytoyahoo