Google announces Project Zero

    Many attentive readers and technical experts who follow the security bulletins released by Microsoft and Adobe will have noticed the Google Project Zero group in the Acknowledgments section for vulnerabilities. Such a section is present in each bulletin and lists the security researchers who discovered a vulnerability that has been closed. The name Google Project Zero has appeared many times in these bulletins, yet Google itself had disclosed no information about the group. That changed yesterday, when the company officially announced a team of security researchers who search for vulnerabilities in third-party products in order to "make the Internet safer." The information was posted on the Google Security Team blog and in the well-known electronic publication Wired.

    Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.

    The Project Zero group specializes in finding vulnerabilities in other companies' products, including MS Windows and Adobe Flash Player. Using specialized tools such as fuzzers for software components, its researchers uncover vulnerability classes such as memory corruption and buffer overflows.

    Project Zero includes the well-known researcher Tavis Ormandy, who became widely known after presenting a detailed report on vulnerabilities in a well-known antivirus product at BlackHat 2010. He has been mentioned repeatedly in security bulletins, including those of Microsoft, and has also disclosed the specifics of vulnerabilities he discovered before the corresponding fix was released.

    After details of the cross-platform NT-LPE vulnerability CVE-2013-3660 were disclosed before the release of the Microsoft patch, Google reduced the time it allows companies to respond and release a patch for a discovered vulnerability.

    Our standing recommendation is that companies should fix critical vulnerabilities within 60 days - or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action - within 7 days - is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.
    ... As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.


    Under the process Project Zero has announced, information about discovered vulnerabilities will be sent to the vendor so that it can fix them and release an update. Details of each vulnerability will be published on a dedicated web page and will become available once the manufacturer's patch is released. The vulnerability database will be structured so that users can track how long the vendor took to fix each vulnerability and can see information about whether it was exploited.
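The disclosure policy quoted above (60 days normally, 7 days for issues under active exploitation) and the tracking database described in this paragraph can be modelled in a few lines. The following is an added example and not Google's or Project Zero's own code; the vendor, product and dates are constructed sample values, and the `VulnReport` class and its method names are assumptions made for the illustration. It computes each report's deadline, the vendor's time-to-fix, and whether details may be published, either because the patch is out or because the deadline has passed without one.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines as stated in the quoted Google policy (days after the report).
STANDARD_DEADLINE_DAYS = 60
ACTIVE_EXPLOITATION_DEADLINE_DAYS = 7


@dataclass
class VulnReport:
    """One reported issue as a tracking database would record it (hypothetical model)."""

    vendor: str
    product: str
    reported: date
    actively_exploited: bool = False
    patch_date: Optional[date] = None  # None while the vendor has not shipped a fix

    def deadline_days(self) -> int:
        # Issues under active exploitation get the urgent 7-day window.
        if self.actively_exploited:
            return ACTIVE_EXPLOITATION_DEADLINE_DAYS
        return STANDARD_DEADLINE_DAYS

    def deadline(self) -> date:
        return self.reported + timedelta(days=self.deadline_days())

    def days_to_fix(self) -> Optional[int]:
        # How long the vendor took; None while the issue is still open.
        if self.patch_date is None:
            return None
        return (self.patch_date - self.reported).days

    def fixed_within_deadline(self) -> Optional[bool]:
        if self.patch_date is None:
            return None
        return self.patch_date <= self.deadline()

    def details_publishable(self, today: date) -> bool:
        # Details go public once the patch is out, or once the deadline has
        # elapsed with no patch or advisory (the policy's 7/60-day rule).
        if self.patch_date is not None and self.patch_date <= today:
            return True
        return today > self.deadline()

    def status(self, today: date) -> str:
        if self.patch_date is not None:
            late = "" if self.fixed_within_deadline() else " (after deadline)"
            return f"fixed in {self.days_to_fix()} days{late}"
        if today > self.deadline():
            overdue = (today - self.deadline()).days
            return f"unpatched, deadline passed {overdue} days ago"
        remaining = (self.deadline() - today).days
        return f"unpatched, {remaining} days remaining"


def build_tracker(today: date) -> list:
    """Return the rows a public tracking page would show (constructed sample data)."""
    reports = [
        VulnReport("ExampleVendor", "ExampleSuite", date(2014, 7, 1),
                   patch_date=date(2014, 8, 15)),
        VulnReport("ExampleVendor", "ExamplePlayer", date(2014, 7, 1),
                   actively_exploited=True),
    ]
    return [
        {
            "product": r.product,
            "deadline": r.deadline().isoformat(),
            "days_to_fix": r.days_to_fix(),
            "publishable": r.details_publishable(today),
            "status": r.status(today),
        }
        for r in reports
    ]


if __name__ == "__main__":
    for row in build_tracker(date(2014, 7, 16)):
        print(row)
```

The `status` and `details_publishable` methods deliberately treat a patch shipped after the deadline as "fixed, late": the database keeps the time-to-fix figure so readers can compare vendors, while details are publishable either way once the deadline has passed.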
