With all of the zero-day exploits popping up lately, such as the GameOver Zeus malware and Heartbleed bug a few months ago, it only makes sense to step up research on how and why they occur. Google is doing just that with its new research program, rightfully dubbed Project Zero.

Zero-day vulnerabilities are classified as vulnerabilities for which the vendor has not yet released a patch, making them highly dangerous and easily exploitable. These vulnerabilities target corporate and consumer users alike, and they generally escape public notice until a patch has been released. Zero-day attacks are mostly unexpected, and they are often used in targeted attacks to execute malicious code.
Google might already have a bounty system in place for those who find exploits in its products, but this initiative takes things a step further. The idea behind Project Zero is to fund research into any popular software on which many people depend, and into ways to limit the damage and exploitation of these programs in the event of a zero-day attack.
Additionally, Google has created an external database that will hold the research results. Rather than immediately letting the public know about exploits and vulnerabilities, Google waits until the problem becomes public or has been patched. This is presumably to keep attackers from learning about the flaw and exploiting it, and it gives third-party developers a chance to patch it before a big fuss is made over nothing.
The interesting thing about this endeavor is that it is open to the general public, but it has not been explained how researchers can sign up for the project. Discussions concerning vulnerabilities and exploits will be available to the general public after patching, including how long it took the vendor to fix the problem (if it was fixed at all).
This is good news for those who praise Google’s role in finding vulnerabilities in software. The search-engine giant has an impressive track record of research into Microsoft’s and Apple’s software vulnerabilities, and both companies often credit Google for reporting vulnerabilities directly to them. Similar to Google, Microsoft also has a research program, but unlike the “bug bounty” feature of Google’s Project Zero, Microsoft doesn’t reward those who notify it of product vulnerabilities.
If you are ever concerned about the status of your network’s security, contact Setton Consulting at 212-796-6061. We’ll work with you to keep your systems up-to-date and as safe as can be from the latest security threats and vulnerabilities.