It’s called Project Zero. Sounds like a new sci-fi pic or a top secret government project, doesn’t it? Nope, this Project Zero is a new initiative from Google, and rival companies Apple and Microsoft are wishing it would be kept as secretive as Area 51.
Project Zero takes its name from the black sheep of the vulnerability family – the zero-day vulnerability – those security holes that are exposed (or exploited) before the developers responsible for the software are aware of them and have had any time to fix them. The PZ Squad is made up of an elite team of Google hackers and programmers who make it their mission (and they’ve already chosen to accept it) to scrutinize other developers’ software for security flaws.
Win/win, right? Not so fast. See, Google is essentially issuing an ultimatum to its fellow tech companies, rivals included: do something about the security flaws in your software within 90 days or we’ll make them public. While 90 days sounds reasonable, Microsoft, Apple and others are not so thrilled.
In a recent Bloomberg report, the mega-companies headquartered in Redmond, WA and Cupertino, CA declined to comment. However, John Dickson, a principal with software security company Denim Group Ltd. in San Antonio, chimed in on their behalf.
“I’m not sure who made Google the official referee of the marketplace for vulnerability notification,” said Dickson. He believes pressuring companies to fix flaws is a good idea, but “what noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals.”
Risk Based Security, whose corporate mission is to equip clients with the technology to turn security breach data and vulnerability intelligence into actionable information, analyzed some of the data from Project Zero. In its analysis, 39 vulnerabilities were identified in Apple products and 20 in Microsoft products. Its team also found 37 flaws in Adobe Systems Inc. software and 22 in the FreeType software development library for rendering fonts. The firm’s report on Google’s initiative is worth the read.
Unless you work for a large software developer, you’re probably of the mindset that Google is doing a good deed here. As consumers who rely heavily on software, apps and the cloud in almost every aspect of our lives, having developers and app makers’ feet dangling close to the proverbial fire can only be a good thing. And hopefully companies will comply, working with Google to fix their vulnerabilities sooner rather than later to reduce the impact for their customers.
Before we put this to bed and call it a non-issue, we’ve got to look at the downside. Project Zero’s naysayers will tell us that our online security is at greater risk because security holes are revealed before they can be plugged.
For example, last month Apple took issue with Google publicizing flaws in its OS X operating system. According to a person familiar with the request who wasn’t authorized to speak publicly, Apple asked Google to hold off about a week before spilling the beans on the three flaws discovered. Google refused and published the details. A similar situation went down with Microsoft, which requested two additional days to fix a Windows flaw. “Nuh-uh,” said Google, and went public with the details. (Google later relaxed its policy slightly.)
It all boils down to Google’s ultimate motives: are they doing this in the spirit of achieving security nirvana or are they simply trying to get a leg up on their competitors? We’ll never know, but it’s a good bet that both objectives are commandeering this ship.
We can analyze this thing to death and never get close to the truth. At worst, it’s one step forward for security and one step back for competition. Either way, it shines more light on the importance of safe computing, and that’s the important takeaway.