Google's Project Zero

The security team at Google is good. Really good. Sometimes they find bugs in our programs that hackers could exploit. We fix these as fast as we can. Sometimes they find bugs in programs written by other companies. Google Security warns these other companies in private, then gives them 90 days to fix the bugs before it tells the world. If the 90 days pass and the company still has not fixed the bug or told its customers, then Google Security makes the vulnerability publicly known. This is called "disclosure." Disclosure is done because if Google could find the bug, then someone else can too. As painful as it seems, disclosure is the right thing to do for users' safety.

There is a security bug in Windows 8.1. It was discovered and communicated to Redmond on Sept. 30, 2014. As of January 5th, it is still not fixed. This one is not a very scary bug for most users, but it should be fixed. So Google disclosed it.

Imagine bank robbers have a plan to rob a bank after hours. Their plan consists of two parts:

  1. Sneak into the bank after it closes.
  2. Fake the regional manager's bank ID card and fingerprint to get into the vault.

This bug lets the robbers do step 2 very easily. The reason it's not that scary is because, well, you have bigger problems: namely the 5 or 6 bank robbers already running around your bank after hours. In this analogy, the bank is your computer systems, and the robbers are the hackers. The vault is whatever private data you don't want them to get (credit card info, unreleased movies, torture reports, etc.).


Google's official position on disclosure

The actual Windows 8.1 bug report and sample exploit sent to MSFT Sept 30, 2014:
