Month of Kernel Bugs (MoKB)

Posted by jericho Sun, 12 Nov 2006 08:51:39 GMT

First it was the Month of Browser Bugs (MoBB), now it is the Month of Kernel Bugs (MoKB). When I first read about it, I immediately thought of thirty-odd entries about Linux Kernel Local DoS conditions. My pessimism is born out of the numerous local DoS attacks against the Linux Kernel. Microsoft fans use this to say that Linux has so many more bugs than Microsoft, but I’m sure if we documented every way to make any version of Windows blue screen, we’d be cutting ourselves.

Fortunately, the MoKB has started out very well by offering vulnerabilities in Mac OS X Kernel Wireless Drivers, Linux, FreeBSD, Solaris, and Windows. Only 11 days in, and all of that! The folks behind it are doing an outstanding job putting this together, researching the vulnerabilities and presenting them.

In the months and years to come, what else will we see? What would you most like to see get its own Month of Bugs?


Comments

  1. ilja said about 8 hours later:

    A lot of the local DoS attacks against the linux kernel are really local root attacks. It’s just that the kernel developers apparently don’t want to call it that unless someone gives them an exploit, or exploitability is painfully obvious (straight stacksmash for example).

  2. lorenzo said 1 day later:

    It would be fun to have a month of networking equipment bugs. I’m sure there are a lot of them (remember the Greece telecom scandal?) and I’m tired of not being able to evaluate the best vendor of network equipment because there’s little info available. Just a thought.

  3. jericho said 1 day later:

    Personally, I’d like to see a Month of Security Product Bugs (MoSPB). It never stops amusing me how people load up on security devices and software that adds a whole new layer of vulnerabilities to their defenses.

  4. jseitz said 6 days later:

    I would love to see the MoSPB as well as a Month of Database Bugs (MoDBB).

  5. jericho said 8 days later:

    Ask and you shall receive!

    From: Cesar
    To: full-disclosure@lists.grok.org.uk
    Date: Mon, 20 Nov 2006 13:25:31 -0800 (PST)
    Subject: [Full-disclosure] The Week of Oracle Database Bugs

    Not a month, but all Oracle 0-day to be released.

  6. jericho said 8 days later:

    Courtesy of Dan Geer:

    OK, here’s the way to make this interesting.

    Three teams. Each is welcome to say “We are the best of our kind.” Start each team on their area of expertise, MSFT, Oracle, Linux. Each team has to put a 0day on the table each day by midnight local time. Miss a day and you’re out. Last team standing gets the glory and the vendor they specialize in gets the shame. Two for the price of one. And we run a betting pool on the side with daily odds.

  7. jseitz said 8 days later:

    Mr. Geer is a wise man and an avid pig farmer, but I had no idea he was a gambler. So who’s gonna be the bookie? In all seriousness, I still would like someone to take a stab at MySQL/Postgres, as every dude and his donkey is running it on their website or shared hosting environment. I think it would have far more impact.
