Anyone wishing that the Month of Bugs phenomenon would fade away will be disappointed in May.
A lone researcher has apparently compiled enough flaws in various ActiveX controls to release a bug every day for the month of May. Dubbing the effort the Month of ActiveX Bugs (MoAxB), the hacker -- who identified himself only by the name "shinnai" -- wrote, in broken English, that the effort was an attempt to educate people on the risks of ActiveX controls.
"Most of them are simple DoS (denial-of-service vulnerabilities) -- don't worry there are also some code execution -- but that's because MoAxB has only a sense: to inform developers about the risk of using activex controls," the researcher wrote.
The initiative is the sixth month of daily bugs, following the Month of Browser Bugs in July, the Month of Kernel Bugs in November, the Month of Apple Bugs in January, the Month of PHP Bugs in March, and the Month of MySpace Bugs in April (though that project only released 19 issues). Another announced project, the Week of Vista Bugs, was a hoax (corrected), and a week dedicated to Oracle bugs was scuttled.
ActiveX has caused security headaches for Microsoft almost since it was created. ActiveX started life as the Object Linking and Embedding (OLE) features created in 1990 to allow Windows applications to exchange data. The general framework became the Component Object Model in 1993--now known as the Distributed Component Object Model (DCOM)--while Microsoft renamed OLE 2.0 as ActiveX and pushed Web developers to add more interactivity to their sites using the technology.
Last summer, noted security researcher HD Moore used fuzzing to find a hundred bugs in commonly installed ActiveX components.
CORRECTION: The original news brief mistakenly characterized the Month of MySpace Bugs as a hoax. While the initiative had poked fun at itself and the Month of Bugs trend, it was not a hoax, releasing 19 defects found in the MySpace Web site in April.
Posted by: Robert Lemos