
Month of Bugs

05.22.2007 - 12:03 PM
As quick as mushrooms spring into existence after a rainy day, the popularity of "Month of X Bugs" projects (where X is a name of some kind of technology*) has been an entertaining public display of leet-ness between the good and the shades-of-grey.

* Not limited to but including: names of popular software, names of software companies, and names of Web 2 dot uh-oh companies.

The black hats (the mal-intent crowd), for obvious reasons, do not contribute to such projects as it is in their best interest to keep all known exploits to themselves only. However, I’ll bet that they are sitting on the sidelines gleefully picking up the piping hot proof-of-concept exploits as soon as they are served up.

But why would anyone line up outside of the Department of Software Defects? Wouldn’t that be the equivalent of standing outside a vehicle junk yard, waiting to be thrown a used car part?

Both cases are similar in that you would be scavenging, but that’s where the similarity ends. In the case of the used car part, you’re hoping to eke some cash out of whatever intrinsic value is left in the almost-worthless hunk of metal. In the case of the exploit, it’s another life-line to your lucrative spyware and keylogger cash cow.

More exploits in their repertoire simply means more spyware and keylogger products to be pushed out to consumers. The more casual surfers they infect with drive-by downloads, the larger the size of their zombie desktop army. And that my friend, translates to cold hard cash.

Among the Month of Bugs projects in existence today (in no particular order):

Month of Browser Bugs (MoBB)

  • Began July 2006
  • The first of the Month of Bugs projects, and the one that launched the Month of Bugs phenomenon
  • Led by renowned security researcher HD Moore, co-founder of the Metasploit Project
  • Pledged to release 1 browser vulnerability daily, for a month, during the inception of this endeavor
  • Bug tally, breakdown by browser:
    • Internet Explorer: 25
    • Safari: 2
    • Mozilla: 2
    • Opera: 1
    • Konqueror: 1
  • Project lists cool toys for bug-hunting enthusiasts

Month of Kernel Bugs (MoKB)

  • Began November 2006
  • Gartner, a leading market research firm frequently quoted by the press, called MoKB “a serious wake-up call” and advised readers to “Begin preparing now for more, and more damaging, attacks against the OS kernel”
  • Pledged to release 1 kernel vulnerability daily, for a month, during the inception of this endeavor

Month of Apple Bugs (MoAB)

  • Began January 2007
  • Focused on OS X bugs
  • An anonymous security researcher on this project said that “many OS X users still think their system is bulletproof, and some people are interested on making it look that way”

Month of PHP Bugs (MoPB)

  • Began March 2007
  • Focused on PHP core vulnerabilities that may result in insecure PHP applications
  • Pledged to release 1 PHP core vulnerability daily, for a month, during the inception of this endeavor
  • Project ended up releasing 45 vulnerabilities

Month of MySpace Bugs (MOMBY)

  • Began April 2007
  • Focused on MySpace bugs
  • Founders poked so much fun at themselves and at the other Month of Bugs projects that many thought this project was a hoax/parody
  • Most of the bugs are common web exploits

Month of ActiveX Bugs (MoAxB)

  • Began May 2007
  • Focused on ActiveX bugs
  • At the time of writing, MoAxB has published discoveries that mostly involve small third-party vendors

Month of Search Engine Bugs (MoSEB)

  • To begin June 2007
  • Will focus on search engine bugs and aims to educate users on the associated risks posed by search engines

In our quest against all forms of advanced Internet threats, we will monitor these projects for new developments as their findings may be leading indicators of an impending worldwide epidemic.
