
Google announces Project Zero

Many attentive readers and technical experts who follow the security bulletins released by Microsoft and Adobe have noticed the Google Project Zero group credited in the “Acknowledgments” section for finding vulnerabilities. Each bulletin has such a section, listing the security researchers who discovered a vulnerability that has since been fixed. The Google Project Zero name has appeared in these bulletins many times, yet Google itself had disclosed no information about the group. An exception was made yesterday, when the company officially announced a group of security researchers who look for vulnerabilities in third-party products in order to "make the Internet safer." The information was posted on the Google Security Team blog and in the well-known online publication Wired.



Project Zero is our contribution to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. Security researchers and contributors 100% of the time.

The Project Zero group specializes in finding vulnerabilities in other companies' products, including MS Windows and Adobe Flash Player. Using specialized tools, for example fuzzers for software components, its specialists detect various vulnerabilities such as memory corruption or buffer overflows.

Project Zero includes the well-known researcher Tavis Ormandy, who became widely known after presenting a detailed vulnerability report on a well-known anti-virus product at the BlackHat 2010 conference. He has been mentioned repeatedly in security bulletins, including Microsoft's, and has also disclosed the details of vulnerabilities he found before the corresponding patch was released.



After information about the cross-platform NT-LPE vulnerability CVE-2013-3660 was disclosed before the release of Microsoft's patch, Google reduced the time allowed for companies to react and issue a patch for a detected vulnerability.

If you are not going to be able to fix it, it’s not possible. If you want to get a patch, you’ll see it. Based on our experience, however, we’ve taken action for a period of 7 days. Designed for each day, he actively researched the vulnerability of the computer and more computers will be compromised.
... As a result, after all, we can support researchers.

Our recommendation [ regarding the timing of fixing vulnerabilities ] to companies is that they should fix critical vulnerabilities within 60 days, otherwise companies should be notified of emerging risks to the public and suggest workarounds for solving the problem. We recommend that the supervisors publish the results of their research, if the release of the patch takes longer than this. However, based on our experience, we believe that in the case of critical vulnerabilities that are already at the stage of active operation, this repair period should not exceed 7 days. The reason for such a special measure is the fact that the vulnerability that is not disclosed to the public 0day, which is exploited every day, leads to the compromise of a large number of systems.
... As a result, if after 7 days the vulnerability is not closed, we will support researchers who intend to publish details to the public, allowing users to take their own steps to protect their systems.

Under the initiatives announced by Project Zero, information about detected vulnerabilities is to be sent to the vendor so that it can fix them and release an update. Information about the vulnerabilities will be published on the relevant web page and will become available after the vendor releases the patch. The vulnerability database will be presented in such a way that users can track how long the vendor took to fix a vulnerability, as well as view information about its exploitation.

Source: https://habr.com/ru/post/230055/

