
Over 95% of the 1,600 vulnerabilities discovered by Google's Project Zero were fixed within...

By mongeese · 7 replies
Aug 4, 2019
  1. Every major tech company, from Microsoft to Apple to Intel, has received a bug report from Project Zero containing the following statement: “This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.” From then on, the company can choose to fix the bug with Project Zero’s assistance, by themselves, or not at all – in which case the bug report is published immediately.

    Each bug report contains almost everything Project Zero can collect on the vulnerability, from how it was first found to proof-of-concept code that exploits it to demonstrate the issue.

    As of July 30, Project Zero has published the bug reports of 1,585 fixed vulnerabilities and 66 unfixed ones. 1,411 of the 1,585 were published within 90 days and an additional 174 were issued within a 14-day grace period Project Zero permits when they believe the company is close to completing a fix. Only two exceeded that, Spectre and Meltdown, and task_t, both of which, when exploited, gave programs access to the operating system’s highest secrets.
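    To make the policy quoted above and the buckets in these statistics concrete, here is a small deadline tracker (an added example, not Project Zero's own tooling; the dates and report names are constructed). It implements the "90 days or patch, whichever is earlier" rule, the optional 14-day grace period, and the three outcomes the article counts.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEADLINE_DAYS = 90   # standard Project Zero disclosure deadline
GRACE_DAYS = 14      # extension granted when a fix is believed to be imminent


@dataclass
class BugReport:
    name: str                      # constructed label, not a real bug id
    reported: date                 # day the vendor received the report
    patched: Optional[date] = None # day a fix became broadly available
    grace_granted: bool = False    # vendor received the 14-day extension


def disclosure_date(r: BugReport) -> date:
    """Day the report goes public: the deadline (plus grace if granted),
    or the patch date if the fix shipped earlier."""
    window = DEADLINE_DAYS + (GRACE_DAYS if r.grace_granted else 0)
    deadline = r.reported + timedelta(days=window)
    if r.patched is not None and r.patched < deadline:
        return r.patched
    return deadline


def classify(r: BugReport, today: date) -> str:
    """Bucket a report the way the article's statistics do."""
    if r.patched is None:
        # Unfixed reports are published once the (possibly extended) deadline passes.
        return "open" if today < disclosure_date(r) else "disclosed unfixed"
    days_to_fix = (r.patched - r.reported).days
    if days_to_fix <= DEADLINE_DAYS:
        return "fixed within deadline"
    if r.grace_granted and days_to_fix <= DEADLINE_DAYS + GRACE_DAYS:
        return "fixed within grace period"
    return "fixed after deadline"


def summarize(reports, today: date) -> dict:
    """Count reports per bucket, e.g. to reproduce a 'fixed within 90 days' figure."""
    counts: dict = {}
    for r in reports:
        bucket = classify(r, today)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample set: one of each outcome.
SAMPLE = [
    BugReport("fast-fix", date(2019, 1, 1), patched=date(2019, 3, 1)),
    BugReport("grace-fix", date(2019, 1, 1), patched=date(2019, 4, 10), grace_granted=True),
    BugReport("late-fix", date(2019, 1, 1), patched=date(2019, 6, 1)),
    BugReport("never-fixed", date(2019, 1, 1)),
]
```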

    Project Zero acknowledges that releasing the bug report prior to a fix is somewhat harmful, but that’s the point: it scares companies into actually fixing it, which they say they wouldn’t do if they expected the bug report to remain hidden.

    “If you assume that only the vendor and the reporter have knowledge of the vulnerability, then the issue can be fixed without urgency. However, we increasingly have evidence that attackers are finding (or acquiring) many of the same vulnerabilities that defensive security researchers are reporting. We can't know for sure when a security bug we have reported has previously been found by an attacker, but we know that it happens regularly enough to factor into our disclosure policy.

    Essentially, disclosure deadlines are a way for security researchers to set expectations and provide a clear incentive for vendors and open source projects to improve their vulnerability remediation efforts. We tried to calibrate our disclosure timeframes to be ambitious, fair, and realistically achievable.”

    Project Zero has a clear line of evidence for this. One study analyzed more than 4,300 vulnerabilities and found that 15% to 20% of vulnerabilities are discovered independently at least twice within a year. For Android, for example, 14% of vulnerabilities are rediscovered within 60 days and 20% within 90, for Chrome there’s 13% rediscovery within 60 days. This suggests that although a security researcher might be ahead of the curve, there’s a reasonable chance that whatever they discover will be found by attackers soon after.

    But isn’t it dangerous publishing a bug report before a patch?

    “The answer is counterintuitive at first: disclosing a small number of unfixed vulnerabilities doesn't meaningfully increase or decrease attacker capability. Our ‘deadline-based’ disclosures have a neutral short-term effect on attacker capability.

    We certainly know that there are groups and individuals that are waiting to use public attacks to harm users (like exploit kit authors), but we also know that the cost of turning a typical Project Zero vulnerability report into a practical real-world attack is non-trivial.”

    Project Zero doesn’t publish a step-by-step hacking guide; they publish what they describe as “only one part of an exploit chain.” In theory, an attacker would require significant resources and skills to turn these vulnerabilities into a reliable exploit, and Project Zero argues that an attacker capable of this could have done so even if they hadn’t exposed the bug. Perhaps attackers are simply reluctant to start from scratch: as a 2017 study found, the median time from vulnerability to “fully functioning exploit” is 22 days.

    That’s just one issue, and a big one, but most companies make the 90-day window anyway. The second criticism many researchers have is Project Zero’s policy of publishing the bug report after a patch is issued, mainly because patches tend to be imperfect, and because the same vulnerability is liable to crop up in other locations. Project Zero believes this is advantageous for defenders, enabling them to better understand vulnerabilities, and of little consequence to attackers, who would be able to reverse-engineer the exploit from the patch anyway.

    “Attackers have a clear incentive to spend time analyzing security patches in order to learn about vulnerabilities (both through source code review and binary reverse engineering), and they'll quickly establish the full details even if the vendor and researcher attempt to withhold technical data.

    Since the utility of information about vulnerabilities is very different for defenders vs attackers, we don't expect that defenders can typically afford to do the same depth of analysis as attackers.

    The information that we release can commonly be used by defenders to immediately improve defenses, testing the accuracy of bug fixes, and can always be used to make informed decisions about patch adoption or short-term mitigations.”

    Sometimes, in war, risks must be taken to achieve overall success. And make no mistake, the battle between security researchers and hackers is real, with serious, real-life implications. Thus far Project Zero has operated successfully with no significant consequences of its aggressive policy, and it will no doubt continue in a similar fashion unless that policy causes a drastic issue. Let’s hope that doesn’t happen.

  2. Lew Zealand

    Lew Zealand TS Guru Posts: 837   +731

    But, but, Spectre Meltdown! Vulnerabilities! Intel sux! Wooo!
     
  3. pit1209

    pit1209 TS Booster Posts: 68   +83

    Do not try to cover the sun with one finger. They are two of the most serious vulnerabilities ever and can be exploited even though it could be difficult, but it just needs to happen once.
     
  4. Lew Zealand

    Lew Zealand TS Guru Posts: 837   +731

    There are so many other ways to compromise a computer that these vulnerabilities, while real and potentially dangerous, are too inconvenient to exploit. So the exploiters will continue to use the various other easier and successfully proven methods. IOW, why do things the hard way when you can do them the easy way?
     
  5. toooooot

    toooooot TS Evangelist Posts: 955   +454

    My favorites are through emails and using harmful websites. Applications are endless, and they don't require advanced skills.
     
  6. realestmfever

    realestmfever TS Rookie Posts: 17   +11

    Who made those logos?
     
  7. Nobina

    Nobina TS Evangelist Posts: 2,045   +1,562

    Probably someone who likes to fantasize about hacking.
     
  8. gamerk2

    gamerk2 TS Maniac Posts: 296   +185

    Because both Spectre and Meltdown leak more information than other methods, and at least on unpatched systems can't really be blocked by the OS.
     
