Google’s Project Zero – Targeting zero-day vulnerabilities

Graham Cluley

Google has announced that it is assembling a crack team of researchers, devoted to finding and reporting security holes in widely used software.

According to Google security engineer Chris Evans, the group – which has been dubbed “Project Zero” – aims to uncover unpatched security vulnerabilities before they are exploited in targeted internet attacks.

“Our objective is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.”

“We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.”

Clearly, this can’t be considered anything but good news for those individuals and organisations who might be at risk from targeted attacks. But it goes further than that.

In the past, zero-day vulnerabilities have been used to spy upon human rights activists or to conduct industrial espionage, but they have also been exploited to infect the computers of regular computer users by financially-motivated online criminals.

Simply visiting a booby-trapped webpage on a vulnerable computer could set into action a zero-day exploit which silently infects your computer. You wouldn’t necessarily know that anything untoward had happened.

I am encouraged by Google’s approach to disclosing the vulnerabilities. It says that it will responsibly report security bugs to the software vendor, not to third parties, and – once a patch is available – will provide a way for internet users to monitor how long it took a particular vendor to fix an issue, and other information.

To my mind that’s a better approach than that taken by some security researchers (including some, sadly, who work for Google) who have in the past publicised security holes before a patch which would protect users is available, giving malicious hackers an opportunity to exploit the vulnerability and cause damage.

My hope is that with the introduction of Project Zero, more researchers will embrace the idea of working with vendors for the greater good of the online community, rather than publicising flaws early in what can appear to be a selfish attempt to boost their profile.

Furthermore, Project Zero isn’t planning – as far as I can see – to sell details of the vulnerabilities and how to take advantage of them. That puts them at odds with other more controversial bug hunters who have made a habit of offering details of exploits to the highest bidder, and not necessarily sharing the information with the vendor whose software is at risk.

Inevitably this raises concerns that the likes of Google and Microsoft are never likely to be able to pay as much for a security vulnerability as the United States or Chinese intelligence agencies. After all, who else would have the funds to pay $500,000 for a zero-day exploit in Apple iOS?

Project Zero would also appear to be taking a different route from that chosen by the National Security Agency (NSA). According to media reports, the White House appears to have given the green light to the NSA to exploit internet flaws if there is a “clear national security or law enforcement need”, rather than work on getting important security holes fixed for the benefit of all.

Famed iPhone and PlayStation hacker George Hotz (aka Geohot) has reportedly been taken on as an intern by the Project Zero team.

Will Project Zero make the internet a safer place? Only time will tell. But let’s hope it makes a positive difference to the security of applications and makes life that little bit safer for all of us who depend on the internet.

This article originally appeared on the Lumension blog.

Graham Cluley

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley.