
ActiveX Targeted For May 'Month of Bugs' Security Reports

By David Raikow, CRN
May 09, 2007    9:44 AM ET

An independent blog has declared May to be the "Month of ActiveX Bugs," and promises to release technical details on at least one flaw in the venerable Microsoft technology each day this month.

ActiveX has been a frequent subject of security-related criticism. Most recently, Microsoft included a fix in its April Patch Tuesday for a particularly severe ActiveX bug that could allow a remote attacker to take over a vulnerable computer.

The blog's author, who posts in Italian and English under the pseudonym "shinnai," writes that he plans to mostly post relatively minor bugs that cause crashes or denial of service, though some will allow more serious remote code execution attacks. His posts to date have included detailed data on the flaw, sample exploit code and online demonstration versions. His goal, he writes, is "to inform developers about the risk of using activex controls."

This is the latest in a series of recent attempts to raise public awareness of security issues by declaring a "month of bugs." The bloggers or security specialists behind such efforts typically collect information on a variety of previously unknown security problems touching a specific technology. Then they publish detailed information on each of these problems, one at a time, over an extended period.

Other recent examples include Myspace bugs in April, bots in March and April, PHP bugs in March, Apple bugs in January, and kernel bugs in November.

The phenomenon, which stems in large part from a new software testing technique known as "fuzzing," has proved to be highly controversial. Some view these disclosures as publicity stunts that put users at risk by making vulnerabilities public without first giving vendors the opportunity to come up with a fix. Others argue that increased publicity and scrutiny on security can only be a good thing.
