Thursday, October 3, 2019

About Project Zero

Lorenzo Franceschi-Bicchierai (tweet):

Ever since Project Zero was announced in 2014, these hackers have taken apart software used by millions of people—and predominantly written by other company’s engineers—with a mission to “make zero-day hard.”


In five years, Project Zero researchers have helped find and fix more than 1,500 vulnerabilities in some of the world’s most popular software, according Project Zero’s own tally. In Apple products, Beer and his colleagues have found more than 300 bugs; in Microsoft’s products they found more than 500; in Adobe’s Flash, they found more than 200. Project Zero has also found critical issues in CloudFlare, several antivirus apps, and chat apps such as WhatsApp and FaceTime. A Project Zero researcher was also part of the group who found the infamous Spectre and Meltdown flaws in Intel chips.


For one, Project Zero has normalized something that years ago was more controversial: a strict 90-day deadline for companies that receive its bug reports to patch the vulnerabilities. If they don’t patch in that time frame, Google drops the bugs itself. […] According to its own tally, around 95 percent of bugs reported by Project Zero get patched within that deadline.


But some think Project Zero may actually be helping law enforcement and intelligence agencies learn from its research and help them develop what are known as N-day or 1-day exploits. These are hacks based on zero-days that have been disclosed—hence their name—but work until the user applies the patch. According to some critics, the idea here is that malicious hackers could lift the code published by Google researchers as part of their reports and build on it to target users who have yet to update their software.

Indeed, Apple and other vendors don’t always update old versions of their software, so some users can’t update. But I don’t think that’s a good reason not to publish the research.

See also: Fun with FaceTime.


1 Comment RSS · Twitter

Simona Cardenas

I've always wondered how Google got its legal counsel to sign off on Project Zero's code release strategy. Doesn't contributory negligence get apportioned? i.e., Couldn't a victim of an attack sue both the vendor and Google for shared responsibility for the attack, since Google supplied the code for the attack? (I'm not saying this is how things should be, but it seems to be how the legal system works.) Maybe Google's management was just bold enough to draw a line in the sand and take a stand on principle.

Leave a Comment