ActiveX Targeted For May 'Month of Bugs' Security Reports
ActiveX has been a frequent subject of security-related criticism. Most recently, Microsoft included a fix in its April Patch Tuesday for a particularly severe ActiveX bug that could allow a remote attacker to take over a vulnerable computer.
The blog's author, who posts in Italian and English under the psuedonym "shinnai," writes that he plans to mostly post relatively minor bugs that cause crashes or denial of service, though some will allow more serious remote code excution attacks. His posts to date have included detailed data on the flaw, sample exploit code and online demonstration versions. His goal, he writes, is "to inform developers about the risk of using activex controls."
This is the latest in a series of recent attempts to raise public awareness of security issues by declaring a "month of bugs." The bloggers or security specialists behind such efforts typically collect information on a variety of previously unknown security problems touching a specific technology. Then they publish detailed information on each of these problems, one at a time, over an extended period.
Other recent examples include Myspace bugs in April, bots in March and April, PHP bugs in March, Apple bugs in January, and kernel bugs in November.
The phenomenon, which stems in large part from a new software testing technique known as "fuzzing," has proved to be highly controversial. Some view these disclosures as publicity stunts that put users at risk by making vulnerabilities public without first giving vendors the opportunity to come up with a fix. Others argue that increased publicity and scrutiny on security can only be a good thing.