Do Project Zero's blog posts not focus on Google products purposefully, or is that just a perceived bias?
I understand and appreciate the work Project Zero does; it makes us all safer when these bugs are found, and fixed. It just seems like the only project zero blog posts that make the front page are aimed at Microsoft or Apple.
Having done a bunch of fuzzing myself, my guess would be Google is picking up their problems before they get to a release in the main, and most people don't discuss bugs they find in internal testing.
"We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers"
SVG's SMIL bites again (the bug used to write the exploit). This ancient animation system is incredibly hard to implement without security bugs due how GC interacts with the SVG SMIL DOM apis (animVal, baseVal, etc). SMIL is one of the reasons Chromium implemented C++ garbage collection.
With finite engineering resources, there's always a tradeoff between maintaining backwards compatibility and making forward progress. I think SMIL would be something better left behind.
Do you imagine that Apple has finite engineering resources? The last I heard was it is the richest company on earth. They’re just satisfied with the status quo in which Google does all of their security work and nobody cares because of decades-old misperceptions about Mac vs Windows malware safety.
Money alone doesn't create more qualified engineering applicants. They may be able to use money to poach those resources but the candidate pool for this sort of work is extremely finite.
9 comments
[ 3.2 ms ] story [ 35.9 ms ] threadI understand and appreciate the work Project Zero does; it makes us all safer when these bugs are found, and fixed. It just seems like the only project zero blog posts that make the front page are aimed at Microsoft or Apple.
(IE Google bugs have the same disclosure rules/timelines/etc)
"We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers"
--- [1] https://googleprojectzero.blogspot.com/2014/07/announcing-pr...
You can also see in the dom fuzzing blog post this page links to (https://googleprojectzero.blogspot.com/2017/09/the-great-dom...), that they fuzzed chrome as well and found bugs.
But they really just don't publish that many blog posts in the relative scheme of things, relative to the number of issues they find/report.
They find and report (publicly) plenty of Google product issues.
So i'm not sure you can really draw anything just from the small sample of blog posts they do write.
With finite engineering resources, there's always a tradeoff between maintaining backwards compatibility and making forward progress. I think SMIL would be something better left behind.