Project Zero at Google

Project Zero is the name of a team of security analysts employed by Google, tasked with finding zero-day vulnerabilities in commercial software. This means bugs in other people’s software that can lead to security problems. They have no interest in everyday bugs that affect people’s work but not security.

After finding a number of flaws in software used by many end-users while researching other problems, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but any software used by its users. It’s establishment fits into the larger trend of Google’s counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden.

Responsible Disclosure

When serious security bugs are found in software, should the world be informed or just the software maker?

Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or if 90 days have passed without a patch being released.

This is Google’s way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks.

Notable Discoveries

On 30 September 2014 Google detected a security flaw within Windows 8.1 which allows a normal user to gain administrative access. Microsoft was notified of the problem immediately but did not fix the problem within 90 days, so the information about the bug was made publicly available on 29 December 2014. Releasing the bug to the public brought a response from Microsoft that they were working on the problem.

On 19 February 2017 Google discovered a flaw within Cloudflare, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

On 27 March 2017 Project Zero discovered a vulnerability in the popular password manager LastPass and four days later LastPass announced they had fixed the problem.

Project Zero was involved in discovering the Meltdown and Spectre vulnerabilities affecting many modern CPUs, which were discovered in mid-2017 and disclosed in early January 2018.

Keep up the good work!

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Fightback Ninja Signature

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.