Google’s Project Zero team, which seeks out zero-day bugs in software operated by Google, Microsoft and Apple, is going to continue publishing security flaws in software managed by Apple and Microsoft. The company has already been doing this, at least since June when the team was formed, according to Bloomberg, but the tactic may ruffle some feathers at its competitors.
Google’s Project Zero team gives Microsoft and Apple 90 days to fix their holes before it goes public with the code, and it is not at all lenient on that policy, even when the disclosure could actually affect consumers. A hacker who didn’t previously know about the security flaws, for example, can then take advantage of them until they are indeed fixed. Recently, Google published code for a zero-day flaw found in Microsoft’s software, even though Microsoft’s patch was due a day or two later. Bloomberg describes a similar incident in January where Apple had a patch ready to roll out in one week, but Google wouldn’t play ball.
It might seem like Google is doing this simply to put down its competitors, but the company is sort of acting as the software security police — trying to make sure that holes, which might otherwise go unnoticed or unpatched, are fixed. Is threatening and actually publishing those security flaws the right way to do it, though? That’s up to the industry to decide, but Microsoft thinks there’s a more productive way.
“You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Google said when the team was formed. “Our objective is to significantly reduce the number of people harmed by targeted attacks.”
Will Google ever work hand-in-hand with Microsoft and Apple to solve the problem behind closed doors? It seems unlikely, given that it hasn’t bent to extension requests in the past. Maybe this will force Apple and Microsoft to be more proactive in finding bugs on their own.