Google's Project Zero doing more harm than good, argue security experts

The decision by Google's Project Zero to expose security flaws in Apple and Microsoft systems was irresponsible and benefited hackers more than end users, according to security experts.
Project Zero is a security initiative launched by Google in July 2014 with the apparent intention of speeding up companies' patch release schedules.
The team of researchers does this by initially disclosing flaws privately to the firms responsible and giving them 90 days to release a fix before making the research public.
The controversy around Project Zero began in December when Google publicly disclosed an obscure flaw in Windows 8.1's NtApphelpCacheControl that could theoretically be exploited, with difficulty, by hackers.
The move caused ripples in the security community as Microsoft claims that it had responded to Google's private disclosure in September and asked the firm to delay the public report so that it could release a fix as a part of the January security update, which it did.
The controversy then escalated when Project Zero publicly revealed three flaws in Apple's Mac OS X operating system, similarly claiming that the firm had failed to meet its 90-day patch deadline.
Lamar Bailey, director of security research and development at Tripwire, told V3 that the disclosures are irresponsible because the bugs were so minor that hackers would probably not have noticed them without Google's help.
"From an end user standpoint Google is being extremely irresponsible. They are leaving Apple users (Microsoft users previously) with no way to protect themselves while giving attackers all they need to exploit these vulnerable systems that cannot be patched," he said.
"Maybe Google's goal was to speed up the process to get security issues fixed by creating this accelerated timeline, but it is failing miserably."
Tripwire researcher Craig Young agreed, arguing that Project Zero should focus on more dangerous bugs if it is to be of any use.
"Not all of what Google released the other day [with the Apple disclosure] is even a zero-day. At least one issue is fixed in Yosemite," he said.
"[Regarding Microsoft], a skilled researcher would still be needed to get much use out of these issues. It is also worth noting that the attacker must already get the victim to execute their attack code.
"These Google releases don't concern me as an Apple and Windows user so I'm going back to bed. Wake me up when they release a fully functional remote root exploit."
Not everyone was quite so harsh, though. F-Secure researcher Timo Hirvonen was more forgiving of Project Zero, telling V3 the 90-day deadline is a good incentive for security professionals, but must be applied with care.
"Google's Project Zero is a group of very talented vulnerability researchers. I think their policy of automatically disclosing vulnerabilities after 90 days is a strong incentive for vendors to quickly patch the vulnerabilities reported to them," he said.
"We don't know if Project Zero has made any exceptions to its 90-day rule. But being strict with its 90-day rule earlier this month when Microsoft had a patch scheduled seemed unnecessarily aggressive."
Lancope chief technology officer T K Keanini agreed, arguing that Project Zero has its heart in the right place and will have some security benefits.
"This is like when a friend leans over and privately lets you know your zipper is down," he said.
"All vulnerabilities can be leveraged so I think all vulnerabilities are dangerous. Some more than others, of course, but not treating them as dangerous is bad practice."
However, Mark Kraynak, chief privacy officer at Imperva, highlighted Google's recent decision to stop providing security patches to the WebView extension used in early Android versions as evidence of Project Zero's hypocritical behaviour.
"It's a bit ironic that Google would make the claim that patching is too hard when in the last few weeks Google released major vulnerabilities in Apple and Microsoft products despite those vendors saying much the same thing about those vulnerabilities and asking for more time to patch," he said.
News that Google is cutting WebView support for early Android versions, which according to developer stats still run on over 930 million devices, broke on 12 January when security experts spotted the covert move.
Google's head of Android security, Adrian Ludwig, moved to justify the decision in a post on Google+, claiming the patching process is too costly and time consuming.
V3 contacted Google for comments on the issues raised by the security community but the firm declined to comment.
The researchers' comments come during a heated debate about patching and disclosure best practice. Microsoft announced plans to stop providing free Patch Tuesday notices to non-premier customers on 9 January.
The move divided the security community and led some to accuse Microsoft of money grabbing.

Posted 29 January 2015.
