Zero-day vulnerabilities are a type of computer program vulnerability unknown to the people who’d most want to close that vulnerability. Remember back in November when somebody tweeted that anybody could log in to a MacBook running macOS High Sierra by merely typing root as the username? That was a zero-day vulnerability because it existed in the programming and Apple didn’t know about it. These types of weakness are called zero-day because the day that the interested party (in the above example, Apple) learns about and closes the vulnerability is called Day Zero.
Scary concept. There are software vulnerabilities out there that even the big players like Apple don’t know about, and they leave users wide open. To counter the scary threat posed by zero-day vulnerabilities, back in July 2014, Google announced Project Zero. Project Zero is a full-time team dedicated to finding zero-day vulnerabilities. One of the amazing things about Google’s Project Zero is that it doesn’t only search for vulnerabilities in Google software; it is looking out for all of us.
Back in January, Google’s Project Zero discovered a vulnerability in Microsoft’s newest desktop operating system, Windows 10 S. In a blog post, Project Zero said that the vulnerability represents a medium security flaw:
“This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It’s not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge. There’s at least two known DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10S (e.g. https://tyranidslair.blogspot.co.uk/2017/08/dg-on-windows-10-s-abusing-installutil.html) so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.”
The reason this is coming out now is that Project Zero has a 90-day action period. When it discovers a vulnerability, it notifies the interested party, but will then release news of the vulnerability publicly if an action hasn’t been taken to close it in 90 days. Microsoft is not happy about Google’s disclosure of the vulnerability, as it told the search giant in February that it was working on the vulnerability but that a fix wouldn’t be ready in time to meet Project Zero’s 90-day deadline. This wasn’t enough for Google, however, as Microsoft hasn’t given a solid release date for the next big Windows update.
This isn’t the first time that Google and Microsoft have squared off over the work of Project Zero. According to Windows Central, the same happened back in 2015 and 2016 and most recently occurred in February this year when Google released details of vulnerabilities in Windows 10 and Microsoft Edge.
What are your thoughts on this issue? Is Project Zero providing a public service by rooting out unknown security issues and notifying the software developers, or is it reckless to release details of such issues before they’ve been dealt with? How does this compare to Microsoft’s recent release of Windows Defender for Chrome, a Chrome extension designed to close up security vulnerabilities in Google Chrome? Let us know in the comments below.