Google's Project Zero ruffles feathers at Microsoft
Is "play nice" part of "don't be evil?" If so, then Google might have crossed its own friendly line in the sand. Google's "Project Zero" team is drawing heat from Microsoft after recently publishing two Windows vulnerabilities alongside proofs of concept and sample code.
Following its standard procedure, Project Zero notified Microsoft of the bugs and gave it 90 days before making the findings generally available. The first bug was "derestricted" (made public in Project Zero's issue tracker) on Dec. 29; it was an elevation of privilege issue.
Microsoft issued a statement assuring Windows users that the bug could only be exploited by someone who already had valid logon credentials and local access to the machine, that is, a local privilege escalation rather than a remote attack. The company said it was working on a fix, and urged users to keep their firewalls on and their antivirus software up to date.
The second disclosure was particularly significant in that Microsoft had asked for more time before Project Zero published its findings. The team replied that the 90-day deadline was "fixed for all vendors and bug classes and so cannot be extended." Microsoft moved the fix up by a month and still missed the deadline by two days.
In frustration, Chris Betz, the Senior Director of the Microsoft Security Response Center, published a blog post titled A Call for Better Coordinated Vulnerability Disclosure, in which he argued that publishing the bug two days before the patch arrived looked less like adherence to procedure and more like a "Gotcha!" on Google's part.
Whatever Google's intention, Project Zero has been the subject of some debate since it was announced last summer. A sort of "A-Team" of white-hat hackers, Project Zero's stated goal is to "significantly reduce the number of people harmed by targeted attacks." As this episode demonstrates, the pursuit of that mission is not limited to Google's own software — in fact, the project doesn't seem to have many boundaries at all.
The plan seems to be 1) get a bunch of talented security researchers in one room, and 2) set them loose on the world. And while the project's handler, Chris Evans, maintains that the project is "primarily altruistic," others (like Chester Wisniewski in this article) argue that publishing proof-of-concept code doesn't necessarily serve the public interest.
Whatever one thinks of the procedure, it's hard to argue with the results. Free of charge, Project Zero has found vulnerabilities in Safari, OS X, iOS and Adobe Flash, most of which have been patched in a timely manner. Chris Evans has stated that the team is committed to transparency, and its work is filed in a public issue tracker (the two Windows bugs mentioned above are issues 118 and 123 on the list, respectively).
The PZ gang has also stated its intention to include the wider public in its work, and maintains a blog to that end. In the initial announcement Evans wrote, "We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love — but in the open and without distraction."
In short, Google organized a group of white-hats who are passionate about their work, hired them to make the general internet safer, and named them "Project Zero." I don't know whether it will ultimately be deemed a successful experiment in security, but if not, then there are always the movie rights.