Google Project Zero Focuses on Internet Security
Months after reporting its first vulnerabilities, Google officially acknowledges the existence of a shadowy security group known as Project Zero.
Google is no stranger to the world of security, though not all of its efforts are well known. The search giant revealed a formerly secret effort with the announcement this week of the Google Project Zero initiative.
"Our objective is to significantly reduce the number of people harmed by targeted attacks," Chris Evans, researcher herder at Google, wrote in a blog post. "We're hiring the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet."
According to Evans, every bug discovered by Google Project Zero will be filed in an external database. That database does not yet include any flaws reported by Project Zero, however.
Though Google only officially announced Project Zero this week, the effort has been under way for months and has already reported multiple flaws to multiple vendors. Google Project Zero was an active participant at the HP Zero Day Initiative-sponsored Pwn2Own hacking event in March. Google's Project Zero researchers participated in the Pwn4Fun element of the contest, which enabled HP and Google security researchers to compete for charity.
Google Project Zero researcher Ian Beer is credited with the discovery of three vulnerabilities at Pwn4Fun, including ZDI-14-090, ZDI-14-121 and ZDI-14-120, all of which impact Apple OS X. None of those issues are identified in the new Google Project Zero external database.
Brian Gorenc, manager, Zero Day Initiative at HP Security Research, has worked with Google Project Zero researchers, and he is supportive of the initiative.
"Google’s efforts with Project Zero reinforce how important vulnerability research is for the industry," Gorenc said. "We’re pleased to see some great researchers on board with Project Zero, including George Hotz and Ian Beer, who are previous winners from HP’s Pwn2Own contest. We look forward to driving discovery and remediation of zero-day vulnerabilities and working with others in the industry who are aligned with that goal."
Google researcher Tavis Ormandy is also associated with Project Zero. On June 17, Microsoft credited Ormandy with the discovery of a denial of service issue in the Microsoft Malware Protection Engine. Even more recently, on June 30, Google Project Zero researcher Ian Beer was credited with the discovery of nine vulnerabilities that impact Apple's Mac OS X and iOS operating systems.
Though Google Project Zero has largely focused on Apple security thus far, Evans noted that Google is not placing any boundaries on the project. The overall goal is to help improve security that will impact lots of people.
"In addition, we'll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment," Evans said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.