Google's Project Zero plans to plug zero-day attacks

A security initiative from Google hopes to identify and put a stop to previously unknown, unpatched bugs that threaten the Web at large.

Seth Rosenblatt Former Senior Writer / News

Zero-day exploits are big business, even for the good guys. At CanSecWest's Pwn2Own contest earlier this year in Vancouver, Canada, the Keen Team from China unfurls a victory banner as they knock over Apple Safari. Seth Rosenblatt/CNET

Google's latest attempt to improve Web security isn't a fix for Android or Chrome, but a Web-wide initiative called Project Zero to document and stop the latest zero-day threats before they can be exploited.

Zero-day attacks exploit unpatched, previously unknown programming flaws. Those flaws can appear in Web sites as well as software -- basically, anything written with programming code.

As Google security engineer Chris Evans said in his blog post Tuesday announcing Project Zero, zero-days have been used to attack human rights activists and conduct industrial espionage, but also to monitor communications, gain access to consumer credit card information, and steal databases filled with the personal details of Web sites large and small.

Project Zero is a two-pronged attack against zero-days. It creates within Google a team of elite security researchers who have a broad mandate to go bug-hunting. Evans told CNET that Project Zero differs from other zero-day projects, such as Hewlett-Packard's Zero-Day Initiative (ZDI), because it provides full-time positions to "the best security researchers in the world."

"Project Zero researchers will be hunting and eliminating vulnerabilities, but also doing more than that," he said. "Researchers will have [license] to investigate whatever defensive or analysis technologies they think can bring security wins to the table."

Project Zero also will create a public database of zero-day bugs that will be first reported only to the software vendor, without contacting third parties. The project hopes to notify vendors in "as close to real-time as possible," Evans said, and to work with them to get a patch ready. Only once a patch has been made available will Google report the bug, a standard practice in the bug-hunting world known as "responsible disclosure."

"Our objective is to significantly reduce the number of people harmed by targeted attacks," said Evans. "We're hiring the best practically minded security researchers and contributing 100 percent of their time toward improving security across the Internet."

Project Zero's origins, he said, lie in the kind of part-time security research by Google employees that led to the co-discovery of the Heartbleed bug. Its effect can already be felt, Evans said, pointing to an Apple bug fix that Project Zero contributed to.

"But, it's early days yet," he said. "We expect the database to be much more populated with fixed issues by the end of the year."

Evans added that Project Zero also will be taking aim at some long-standing difficulties in bug tracking. Security researchers will be able to use the Project Zero database to monitor vendor time-to-fix performance, track discussions about exploitability, read up on historical exploits, and trace crashes.

Project Zero is not the first attempt from the tech industry to get a better grip on the incessant zero-day problem. ZDI has been offering monetary rewards for verifiable zero-day exploits since 2005, and runs an annual contest for researchers to prove exploits under a time deadline.

"Google's entry into the vulnerability research space reinforces the importance of this type of research across the industry and further validates vulnerability research as an ethical career choice for hackers," said Brian Gorenc, the Zero-Day Initiative's manager at HP Security Research.

Gorenc said that ZDI's network spans almost 3,000 independent researchers, and has helped find and fix more than 1,700 zero-day vulnerabilities in its nearly 10-year existence. According to research firm Frost and Sullivan, ZDI reported more than half of all critical- or high-level zero-days found in 2013. It's not entirely clear at the moment how Project Zero will differ from it, or what role new, consumer-level anti-exploit tools will play in stopping zero-days.

Update at 12:29 p.m. PT with comment from Google.

Update at 11:06 a.m. PT with comment from Zero-Day Initiative.