A group of security researchers began issuing what they said will be a month-long list of undisclosed bugs, as well as detailed binary analysis of known vulnerabilities. The first zero-day: A Linux-based Web hosting console.
It is a tool to highlight the skills of the Abysssec guys, which is fine, but I don't think there is a general security principal they are trying to make, or at least I don't get it.
principal analystIndependent Security Evaluators
The Abysssec Security Team said it would disclose vulnerabilities in software made by Adobe Systems, Microsoft, Mozilla, Apple, HP, Novel and other vendors. The Month of Abysssec Undisclosed Bugs issued two advisories Wednesday: A detailed binary analysis for a bug affecting previous versions of Adobe Reader and Adobe Flash and a zero-day flaw affecting cPanel, a Linux-based server Web hosting console.
Abysssec is made up of several anonymous researchers who specialize in penetration testing and binary code analysis. The group is trying to highlight its Exploit Database, an archive of exploits and vulnerable software collected from mailing lists and submissions.
The researchers issued a binary analysis of an invalid pointer vulnerability in Adobe Flash Player and Adobe Reader. An Adobe spokesperson said the analysis was one of 32 vulnerabilities addressed by Adobe on June 10 and June 29 in Adobe Reader.
"Since the majority of attacks we are seeing are exploiting software installations that are not up to date on the latest security updates, Adobe always strongly recommends that users follow security best practices by installing the latest security updates as the best possible defense against those with malicious intent," the spokesperson said.
Abysssec also issued a low-level zero-day vulnerability. The cPanel flaw, a restriction bypass vulnerability, can only be locally exploited by an attacker.
"Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks," the organization said in its security advisory. "It can help attacker to bypass restrictions such as mod_security , Safemod and disable functions."
"Month of bug" campaigns have been used in the past to get software makers to move quickly in patching their products and get vendors to change their policies for vulnerability handling and disclosure. The last such campaign took place last year by Aviv Raff, who documented API flaws in the social networking platform Twitter. Raff also worked with Metasploit creator H.D. Moore on the "Month of Browser Bugs" project in 2006. A vulnerability researcher known as LMH followed the bug campaign, launching a Month of Kernel and Month of Apple bugs.
Charlie Miller, a noted security researcher who works as a principal analyst at Baltimore-based security consultancy, Independent Security Evaluators, said it is debatable if "month of" campaigns really establish change at software vendors.
"If you can find so many problems with a product that you can release one a day for a month, there are some serious issues," Miller said.
Miller said Abysssec's campaign is different because it focuses on multiple vendors and a variety of different products. The goal may not be to get software makers to do a better job, he said.
"The only thing I can see is it is a tool to highlight the skills of the Abysssec guys, which is fine, but I don't think there is a general security principal they are trying to make, or at least I don't get it," Miller said.