Skip to main content
  1. Home
  2. Computing
  3. Features

How Google’s ‘Project Zero’ task force races hackers to snuff out bugs

By
Zero Day Exploits | Spectre, Meltdown | Programming team discussing ideas
Programmers test for bugs before their code enters the wild, but the errors that slip through can become dangerous ‘zero-day’ exploits for hackers.

Programmers test for bugs before their code enters the wild, but the errors that slip through can become

dangerous ‘zero-day’ exploits for hackers.

(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.

Recommended Videos

In 2016, Yahoo confirmed it was the victim of a massive cyberattack that put the personal information of 500 million email users at risk. It was one of the biggest thefts of online personal information in the history of the internet. Yet the hack didn’t happen in 2016 — it happened in 2014.

Many of the largest, most sophisticated cyberattacks utilize zero-day exploits.

Upon further investigation, U.S. Senator Mark Warner insisted Yahoo executives knew about the problem before the company was sold to Verizon. History repeated itself with the monumental Equifax breach, where executives sold two million dollars in stock just days after learning of the hack. The question of who knew what — and when they knew it — is of the utmost importance.

Project Zero was created by Google for situations just like this. It’s a cybersecurity task force that acts behind the scenes with the stated goal to “significantly reduce the number of people harmed by attacks.” They don’t do interviews or comment on their work. Instead, the group keeps a low profile. Its findings and impact on the industry, however, are anything but quiet.

The search for zero-day bugs

The beginnings of the group can be traced back to 2014, when the circle of cybersecurity professionals was officially formed inside the halls of Google. According to the group’s manifesto post, the task force was first put together to secure its own products.

Spectre Meltdown
Image used with permission by copyright holder

But in light of internet-wide security concerns like Heartbleed, and Edward Snowden’s government surveillance revelations, Google set a new target on zero-day vulnerabilities across the entire industry.

You may not have heard of a “zero-day” vulnerability, but the consequences of them make headlines. It’s a term used in the computer security industry about a bug or vulnerability that’s unknown to the maker of the software. Many of the largest cyberattacks fall into this category of zero-day exploits, often leaving companies, and those who use their products, blind-sided.

When a company finds a vulnerability that moment is known as “day zero” – and for the next 90 days, it’s a ticking time bomb.

This was Intel in July of 2017, when it was alerted of 20-year old bugs in x86 and ARM-based hardware that impact nearly every CPU in circulation. As told by Wired, it was first discovered by Project Zero’s 22-year old hacker, Jann Horn, while diving deep into Intel’s own documentation on its processors. The flaw wasn’t introduced in the company’s latest hardware. It’d been around for years, but no one had noticed – or, at least, no one willing to disclose the flaw publicly instead of using it to their advantage.

Google’s crack team of hackers aren’t the only ones on the hunt for zero-day vulnerabilities. An entire market is built around discovering them, including bug bounty programs implemented by large corporations — and the black-market buying and selling of zero-day vulnerabilities. Even the NSA has been criticized for participating in purchasing zero-day vulnerabilities and stockpiling them for the development of cyberweapons. That’s why Project Zero’s approach to ethics is as important as its ability to spot bugs.

The day-zero countdown clock

Project Zero follows “responsible disclosure,” which has become an industry standard for keeping the public safe from zero-day bugs. After all, releasing vulnerabilities to the public would only help cybercriminals exploit them. Project Zero’s way of side-stepping this is to report the vulnerabilities to manufacturers privately, giving them 90 days to address the bug before it’s made public. The day a company finds out about a vulnerability is known as “day zero” – and for the next 90 days, it’s a ticking time bomb.

The countdown-clock nature of responsible disclosure pushes companies to quickly and effectively deal with the problem before things go public. It’s the reason Intel is being questioned for the way it reacted to the Spectre and Meltdown discoveries. The company never released information to its industry partners or federal government, making its public disclosure in January that much more painful. What if Intel wasn’t on the clock? When would it disclose the problem? Would it ever? We’ll never know for sure, but the company’s delay wasn’t a good look.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. Programs can utilize the exploit to

retrieve valuable sensitive data being processed by the computer. The above gif shows an example of Meltdown stealing data via memory dump.

When the timeline expires, Project Zero publishes the vulnerability as promised, even if it’s not fixed. The task force has found multiple, hackable problems within the Edge web browser, and Microsoft has been slow to act. Thanks to Project Zero’s approach to responsible disclosure, we know about those vulnerabilities now. Microsoft’s security flaws are out in public, for everyone to see – and those read about it may choose to avoid Edge. That kind of public pressure encourages companies to make cybersecurity, and the privacy of its users, a priority.

Project Zero can’t solve malware on its own, of course. This is only Google’s way of “getting the ball rolling” and “doing their part.” There will always be more vulnerabilities, as well as institutions and criminals looking to exploit them for their own agenda. Still, it’s nice to know that as this issue becomes more public, someone is out there hunting for bugs with our security in mind.

Topics
Luke Larsen
Luke Larsen
Senior Editor, Computing
Luke Larsen is the Senior editor of computing, managing all content covering laptops, monitors, PC hardware, Macs, and more.
Ghost of Tsushima is a great PC port with one big problem
Jin riding through a field of flowers.

After nearly four years, Ghost of Tsushima is finally available on PC. The new release includes the base game, the Legends mode, and the Iki Island expansion, as well as a suite of the latest technologies from Nvidia, AMD, and Intel. From a performance perspective, Ghost of Tsushima runs well and looks beautiful, but it has one big problem.

Sony's recent push to PC has locked players in over 170 countries out from experiencing Ghost of Tsushima, despite initially offering the game in those locations for preorder. That shouldn't distract from the excellent PC port Ghost of Tsushima is, however.
Best settings for Ghost of Tsushima on PC

Read more
Best Verizon Fios new customer deals: Get 2GB/s internet in your home
Fios TV Package

Whether you surf the web for work or you subscribe to one of the best live TV streaming services, the experience can be made better with blazing fast internet. Fiber optic internet service is the future, and with Verizon Fios you can get some of the fastest internet service around. This service would pair well with any of the best TVs and home theater setups, but it’s also something to consider if you're into online gamine or do work that requires large file uploads and downloads. We’re currently seeing some of the lowest prices on Fios home internet deals we’ve ever seen, with Verizon putting some super impressive deals out there. We’ve rounded up all of the best Verizon Fios deals available right now, including Verizon new customer deals, and they include low monthly costs, waived setup charges, and a number of freebies like Target gift cards.
2 Gigabit Verizon Fios connection -- $85 per month + free extras
One of the fastest internet speeds you can get, and the fastest speed that Verizon offers, this is the sort of subscription you should grab if all the members of your family are essentially watching 4k content all the time. It's also great for those who want to host their own media server to share with friends or family while not impacting anybody else in the home. You also get a lot of great freebies included here, such as the choice of either a $300 Target gift card or a $350 value Samsung Chromebook Go, which is admittedly an entry-level device, but it's not bad to use for just streaming content. On top of that, you can choose between 2TB of Verizon cloud storage and 12 months of Disney+ with no ads or a MoCA Ethernet Adapter for gaming and a $50 Xbox eGift Card. You could also get both of these if you add an extra $10/month, although it's probably not worth it at that point.

1 Gigabit Verizon Fios connection -- $65 per month + free extras
If the super-fast speeds aren't necessarily needed, especially if you're in a smaller household without too many folks watching content, then the 1 Gigabit version is the way to go. It is $20 cheaper, so it's a lot of money that you're saving over the course of the year, and you still get quite a few extra benefits, even at this level. You get to choose either a $200 Target gift card or the same sort of Samsung Chromebook Go that's worth $350 that's great for streaming content. You also get a similar choice as the 2 Gigabit connection, which includes either 2TB of Verizon cloud storage and six months of Disney+ without ads, or a MoCA Ethernet Adapter for gaming and a $50 Xbox eGift Card.

Read more
Best color laser printers for 2024: tested and reviewed
The Color LaserJet Pro 4301fdw has good photo print quality on glossy paper.

The best color laser printers are a great investment, saving you quite a bit of time and money. Given the high cost of replacing cartridges in inkjet printers, you'll find color laser printers surprisingly affordable. Laser printers use toner, which lasts a long time, delivering a low cost per page for monochrome documents and fast color prints. The best color laser printers offer quick performance and reliability to help keep your home office or small business productive.

If you need to scan documents for record-keeping and photo capture or want the convenience of a color copier, an all-in-one color laser printer is an essential tool for your small business or personal use. For a small added cost, you get expanded capabilities. That's why every model on this list is an all-in-one from the best printer brands.

Read more