Skip to main content

How Google’s ‘Project Zero’ task force races hackers to snuff out bugs

Zero Day Exploits | Spectre, Meltdown | Programming team discussing ideas
Programmers test for bugs before their code enters the wild, but the errors that slip through can become dangerous ‘zero-day’ exploits for hackers.

Programmers test for bugs before their code enters the wild, but the errors that slip through can become

dangerous ‘zero-day’ exploits for hackers.

(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.

In 2016, Yahoo confirmed it was the victim of a massive cyberattack that put the personal information of 500 million email users at risk. It was one of the biggest thefts of online personal information in the history of the internet. Yet the hack didn’t happen in 2016 — it happened in 2014.

Many of the largest, most sophisticated cyberattacks utilize zero-day exploits.

Upon further investigation, U.S. Senator Mark Warner insisted Yahoo executives knew about the problem before the company was sold to Verizon. History repeated itself with the monumental Equifax breach, where executives sold two million dollars in stock just days after learning of the hack. The question of who knew what — and when they knew it — is of the utmost importance.

Project Zero was created by Google for situations just like this. It’s a cybersecurity task force that acts behind the scenes with the stated goal to “significantly reduce the number of people harmed by attacks.” They don’t do interviews or comment on their work. Instead, the group keeps a low profile. Its findings and impact on the industry, however, are anything but quiet.

The search for zero-day bugs

The beginnings of the group can be traced back to 2014, when the circle of cybersecurity professionals was officially formed inside the halls of Google. According to the group’s manifesto post, the task force was first put together to secure its own products.

Spectre Meltdown
Image used with permission by copyright holder

But in light of internet-wide security concerns like Heartbleed, and Edward Snowden’s government surveillance revelations, Google set a new target on zero-day vulnerabilities across the entire industry.

You may not have heard of a “zero-day” vulnerability, but the consequences of them make headlines. It’s a term used in the computer security industry about a bug or vulnerability that’s unknown to the maker of the software. Many of the largest cyberattacks fall into this category of zero-day exploits, often leaving companies, and those who use their products, blind-sided.

When a company finds a vulnerability that moment is known as “day zero” – and for the next 90 days, it’s a ticking time bomb.

This was Intel in July of 2017, when it was alerted of 20-year old bugs in x86 and ARM-based hardware that impact nearly every CPU in circulation. As told by Wired, it was first discovered by Project Zero’s 22-year old hacker, Jann Horn, while diving deep into Intel’s own documentation on its processors. The flaw wasn’t introduced in the company’s latest hardware. It’d been around for years, but no one had noticed – or, at least, no one willing to disclose the flaw publicly instead of using it to their advantage.

Google’s crack team of hackers aren’t the only ones on the hunt for zero-day vulnerabilities. An entire market is built around discovering them, including bug bounty programs implemented by large corporations — and the black-market buying and selling of zero-day vulnerabilities. Even the NSA has been criticized for participating in purchasing zero-day vulnerabilities and stockpiling them for the development of cyberweapons. That’s why Project Zero’s approach to ethics is as important as its ability to spot bugs.

The day-zero countdown clock

Project Zero follows “responsible disclosure,” which has become an industry standard for keeping the public safe from zero-day bugs. After all, releasing vulnerabilities to the public would only help cybercriminals exploit them. Project Zero’s way of side-stepping this is to report the vulnerabilities to manufacturers privately, giving them 90 days to address the bug before it’s made public. The day a company finds out about a vulnerability is known as “day zero” – and for the next 90 days, it’s a ticking time bomb.

The countdown-clock nature of responsible disclosure pushes companies to quickly and effectively deal with the problem before things go public. It’s the reason Intel is being questioned for the way it reacted to the Spectre and Meltdown discoveries. The company never released information to its industry partners or federal government, making its public disclosure in January that much more painful. What if Intel wasn’t on the clock? When would it disclose the problem? Would it ever? We’ll never know for sure, but the company’s delay wasn’t a good look.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. Programs can utilize the exploit to

retrieve valuable sensitive data being processed by the computer. The above gif shows an example of Meltdown stealing data via memory dump.

When the timeline expires, Project Zero publishes the vulnerability as promised, even if it’s not fixed. The task force has found multiple, hackable problems within the Edge web browser, and Microsoft has been slow to act. Thanks to Project Zero’s approach to responsible disclosure, we know about those vulnerabilities now. Microsoft’s security flaws are out in public, for everyone to see – and those read about it may choose to avoid Edge. That kind of public pressure encourages companies to make cybersecurity, and the privacy of its users, a priority.

Project Zero can’t solve malware on its own, of course. This is only Google’s way of “getting the ball rolling” and “doing their part.” There will always be more vulnerabilities, as well as institutions and criminals looking to exploit them for their own agenda. Still, it’s nice to know that as this issue becomes more public, someone is out there hunting for bugs with our security in mind.

Luke Larsen
Luke Larsen is the Senior editor of computing, managing all content covering laptops, monitors, PC hardware, Macs, and more.
This HP 2-in-1 laptop is discounted from $800 to $450
HP Pavilion x360 laptop in laptop mode.

Can't decide between tablet or a laptop? This deal on an affordable 2-in-1 laptop from the HP Memorial Day sale is really worthy of a look. It has a discount of $350 for the sale, taking its price from $800 to $450. That makes this one of the best 2-in-1 laptops you can buy at the moment if you're on a budget. To go see this tablet laptop hybrid yourself, and take advantage of the great discount, tap the button below to find it on the HP website. Feel free to keep reading, as well, as we will break down all the details of the HP Pavilion x360 Convertible as well as examine why you will want to buy it.

Why you should buy the HP Pavilion x360 Convertible
At its base, the HP Pavilion x360 Convertible starts with an Intel Core i5 processor, 8GB of RAM, 256GB of storage, and 15.6 inch edge-to-edge 768 touchscreen. Note that all of these are upgradeable, with clearly displayed price changes for each upgrade. We won't go into the specifics of each upgrade, but it is worth noting that you can upgrade two or more of these categories without exceeding the $350 you're saving off of the original model. For example, going from 8GB of RAM to 16GB will only run you $90. Getting 1080p? Just $30.

Read more
Great for browsing, this Dell laptop is discounted to $300
Someone using the Dell Inspiron 15 on their lap.

If you want a super cheap laptop with a full keyboard, surprisingly good Wi-Fi, and impressive storage you're usually going to have a hard time finding one. But with this Dell Memorial Day deal you can easily. The Dell Inspiron 15 is usually $380, but has been marked down to $300 at this time, saving you $80. It's stats are surprisingly good for the price and it could easily be one of the best Dell student laptops for the upcoming summer mini-term, should you be attending. Check it out yourself by tapping the button below or keep reading for our analysis.

Why you should buy the Dell Inspiron 15
When you want to evaluate cheap laptops, you should start with the stat line (RAM, storage, etc.) to see if it is stomacheable and then progress onto the finer details that make that laptop special. And, here, the base stat line is quite incredible for a work, study, or browser computer. It comes with a 12th Gen Intel Core i3 processor, Intel graphics, 8GB of RAM, and 512GB of SSD storage. You even get a 15.6 inch, 1080p at 120Hz anti-glare backlit screen. While it isn't a touchscreen, comparing this mentally to tablets of a similar cost in terms of what you would expect is a useful mental exercise. The storage, while not super expansive, is above average in quality and should work nicely for a non-gaming laptop.

Read more
Google’s AI Overviews are already off the rails
AI Overviews being shown in Google Search.

Google AI Overviews were announced a couple weeks ago at Google I/O, and they've already proven to be rather controversial. The aim to provide high-quality answers to your questions summarized from the web, but a recent X (formerly Twitter) thread suggests that it might not be pulling from the most accurate sources.

When prompting Google for an answer to the issue of "cheese not sticking to pizza," the AI Overview reportedly claims that adding nontoxic glue to your pizza to prevent the cheese from sliding off. The exact words the AI overview gave are as follows: "You can also add about 1/8 cup of non-toxic glue to the sauce to give it more tackiness." Where did the Google AI overview get the info as a source? It got it from an 11-year-old Reddit comment from this thread, in what was clearly a joke.

Read more