January 21, 2007

MO?B (Month of ??? Bugs)

Probably you`ve followed MOBB project launched by H.D.Moor and other Metasploit members and I believe that was an interesting and fresh idea in community , to focus on a specific class of applications and vulnerabilities and making vendors securing their buggy development life-cycles , while keeping the joy of Full-Discloser policy .

After H.D some other researchers followed this new way and we saw MOKB by info-pull guys , as second successful attempt . Argeniss co. tried to be third in this game , by offering WOOB but for some reasons it never began . I`m not going to explain why this project stopped . MOAB began once again by support of info-pull geeks as fourth effort and it`s still undergoing . Finally we`ve MOWAB ahead as fifth child of Moor`s idea . Although MOWAB seems not so scheduled MO*B like others but we still hope to see cool outputs from SNOSOFT crew.

After 5 of them been announced and released , I guess still many people have not realized the goal behind of these Months . As a simple sentence we may explain them "30 days dedicated to publish 30 advisories serially about specific range of applications " . But is it all about hunting 30 PoC included bugs packing and releasing ? I think the true goal behind every Month is to research and develop new technologies and methodologies for auditing specific group of codes/applications . Moor was fair successful proving this , by developing and releasing new fuzzers and codes as GENERAL web-browser auditing tools . while MOBB finished we`re not left with only 30 bugs but tons of new tricks to audit , hunt and exploit flaws in a web-browser software . moving to MOKB we can see this again , but much more limited than MOBB . As a result of MOKB we have single and case-specific file-system fuzzer beside 30 hunted flaws , most of them not even demonstrated to show techniques behind finding and exploiting them. not much long-term usable output . MOKB finished and we got 30 hunted bugs , but no methodology nor demonstrated technique about how to continue if you want more than 30 flaws . Finally we are following MOAB , showing us how to exploit every single flaw , which means experiencing at least few new sample of less-explained techniques on exploiting flaws. even if no new technique is demonstrated , we still have 30 real-world samples on how to break latest Mac OS-X which is under focus these days .
So now I know why some of these Months become popular and some of them just simply finish. If we learn new things we`ll call them interesting and if it's just 30 blindly hunted flaws (although some of them may be cool ) we will forget that Month as soon as next one begin.
We can talk about Months of Bugs from another point of view too . skipping technical details behind any of them and talking as a end-user of software , every Month of Bug can move our daily used codes , softwares and OS more close to a secure one . At least low hanging fruits may get hunted during the month and we can sleep well at night ,dreaming not every kid and his pet can find the flaw and abuse it against us...

Now fill in the blank :
-Next Month of Bugs will be about ..... ?


No comments:

Post a Comment