On April 27, 2007, various Internet resources of the Republic of Estonia came under a series of DDoS (distributed denial-of-service) attacks.
89% of browser plug-in vulnerabilities affected ActiveX components for Internet Explorer, an increase over the 58% in the previous period.
In the first half of 2007, 237 vulnerabilities affecting browser plug-ins were documented compared to 108 in all of 2006.
The rise in browser plug-in vulnerabilities is indicative of an increasing focus on client-side vulnerabilities by both security researchers and attackers.
The MPack malware kit automatically exploits various ActiveX vulnerabilities.
Recently, RealPlayer was the target of a zero-day attack exploiting an unpatched vulnerability in the latest versions of RealPlayer and RealPlayer 11 BETA. The issue affected an ActiveX object in the RealPlayer component ierpplug.dll.
Users should ensure that their browser security settings do not allow scripting of ActiveX controls that are not marked safe for scripting. The browser should prompt before running ActiveX controls and should refuse to download unsigned ActiveX controls. As a general precaution, users should avoid following links to unknown or untrusted sites and should run client applications such as Web browsers with the minimum privileges required for them to function. In addition, active scripting should be disabled to prevent the execution of script code and active content in the browser.
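The precautions above map onto Internet Explorer's per-zone security settings, which are stored as DWORD values under the user's Internet Settings registry key. The following PowerShell script is an added example, not part of this article or of Symantec's guidance: it audits the Internet zone (zone 3) against those precautions and, with -Fix, tightens any setting that is weaker than advised. The value names and the 0 = Enable, 1 = Prompt, 3 = Disable encoding follow Microsoft's published layout for IE zone settings; the target values chosen here (prompt where the text says "prompt", disable elsewhere) are this example's interpretation of the advice.

```powershell
# Added example (not from the article): audit and optionally harden IE Internet-zone
# ActiveX and scripting settings to match the precautions described in the text.
# Zone 3 = Internet zone. Value encoding: 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [switch]$Fix   # when set, weak settings are rewritten to the advised value
)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name, what it controls, and the minimum strictness the text calls for.
# Targets are this example's reading of the advice, not a vendor-published baseline.
$Policy = @(
    @{ Name = '1201'; Desc = 'Initialize and script ActiveX controls not marked safe for scripting'; Want = 3 },
    @{ Name = '1200'; Desc = 'Run ActiveX controls and plug-ins';                                  Want = 1 },
    @{ Name = '1001'; Desc = 'Download signed ActiveX controls';                                   Want = 1 },
    @{ Name = '1004'; Desc = 'Download unsigned ActiveX controls';                                 Want = 3 },
    @{ Name = '1400'; Desc = 'Active scripting';                                                   Want = 3 }
)

function Get-SettingLabel([int]$Value) {
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown($Value)" }
    }
}

if (-not (Test-Path $ZonePath)) {
    Write-Error "Zone key not found: $ZonePath"
    exit 2
}

$Current  = Get-ItemProperty -Path $ZonePath
$Failures = 0

foreach ($Rule in $Policy) {
    $Actual = $Current.($Rule.Name)
    # Strictness increases with the value (0 < 1 < 3), so "at least Want" is compliant.
    # A missing value is reported as weak rather than guessed at.
    $Ok     = ($null -ne $Actual) -and ([int]$Actual -ge $Rule.Want)
    $Shown  = if ($null -eq $Actual) { 'not set' } else { Get-SettingLabel ([int]$Actual) }
    $Status = if ($Ok) { 'OK  ' } else { 'WEAK' }

    Write-Output ('[{0}] {1} = {2,-8} (want {3,-7}) {4}' -f $Status, $Rule.Name, $Shown,
                  (Get-SettingLabel $Rule.Want), $Rule.Desc)

    if (-not $Ok) {
        $Failures++
        if ($Fix) {
            Set-ItemProperty -Path $ZonePath -Name $Rule.Name -Value $Rule.Want -Type DWord
            Write-Output ('       -> {0} set to {1}' -f $Rule.Name, (Get-SettingLabel $Rule.Want))
        }
    }
}

# Non-zero exit when weak settings remain, so the script can gate a login script or audit job.
if ($Failures -gt 0 -and -not $Fix) { exit 1 } else { exit 0 }
```

Run it without arguments to see the current state of each setting, and with -Fix to apply the advised values. Two caveats: if the Security_HKLM_only policy is in force, IE reads the zone settings from HKLM instead of HKCU, so the HKCU audit above will not reflect the effective configuration; and disabling active scripting (1400) in the Internet zone will break most modern sites, which is why the text frames it as a precaution rather than a default.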
Vulnerabilities for Sale – Wabi Sabi Labi debuted and offered an auction-style system for selling vulnerability information to the highest bidder, sparking controversy and discussion about competing schools of thought in how to handle vulnerability information.
Symantec believes that paying for software vulnerabilities, or auctioning such information to the highest bidder, places the vendor and its customers at risk. Regardless of good intentions, when third parties have a monetary interest in such sensitive information, it introduces an opportunity to abuse the system.
There are reputable companies with good intentions that pay researchers for their vulnerability data. Companies such as Tipping Point have made a business of managing the responsible disclosure process with the affected vendor.
However, any payment for vulnerability research edges the industry onto a slippery slope. Not all researchers will make smart choices, and monetary motivations may lead more researchers to work with less responsible companies.
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.