Project Zero is Google’s division that is made up of a team of security analysts. The remit of the team is to find zero-day vulnerabilities. Google opened the division in 2015 and warns software providers of any vulnerabilities found in their products. The team is full-time and dedicated to looking for vulnerabilities in Google’s software and beyond. Project Zero gives companies 90 days to patch the problem. If a fix has not been made available within the limit, the team publicly announces it. Google says the system is created to develop responsibility amongst software makers. A new IE and Edge vulnerability has been named CVE-2017-0037. The team says this vulnerability is a confusion flaw in the module in IE and Microsoft Edge. It could allow arbitrary code to be executed. Google Project Zero informed Microsoft of the problem on November 25th. However, the company did not release a fix, so the vulnerability was revealed publicly on February 25. Microsoft has yet to respond, but it will be interesting to see if the company is readying a fix.
Google Project Zero and Microsoft
This is the second vulnerability found in Microsoft services in the space of a week. Google Project Zero reported on a problem in Windows 10, located in the gdi32.dll file. Again, Microsoft was informed 90 days ago, in November, but did not issue a fix. The company has yet to respond. While the technical details are simply too boring for a casual read, those interested enough to trudge through programming jargon can read the full report here.