"Google Says It's Too Easy for Hackers to Find New Security Flaws"

New research from Maddie Stone, a researcher on Google's Project Zero security team, brings further attention to the ease with which hackers keep exploiting zero-day security flaws. It is easy for hackers to exploit zero-day vulnerabilities because companies take inadequate action to address weaknesses and loopholes. Stone's research highlights multiple examples of this problem, some of which cover issues that Google has faced with its Chrome browser. The problem is common across the industry: vendors deploy incomplete patches, which lets hackers make slight changes to their code to get an exploit working again.

Google's Project Zero team is dedicated to tracking, analyzing, and learning from zero-day flaws. So far, the team has publicly tracked more than 150 major zero-day bugs. In 2020, Stone's team detected 24 zero-day vulnerabilities that were being exploited in the wild, some of which were extremely similar to ones that had been disclosed before. Three of the vulnerabilities were not properly fixed after they were reported to the vendor, meaning that only a few changes would need to be made to the hacker's code for the attack to continue working.

Stone points out that most security teams at software companies lack the time and resources needed to properly fix bugs. She also says that flawed priorities and incentives often prevent security teams from addressing the deeper issues at the root of many security flaws. Tech companies must increase investment in correct and comprehensive patches. They are encouraged to give engineers more time to fully investigate the root cause of vulnerabilities in order to eliminate entire classes of security bugs and exploits. This article continues to discuss attackers' repeated exploitation of the same types of software vulnerabilities and what companies need to do to fix these bugs at a deeper level.

MIT Technology Review reports "Google Says It's Too Easy for Hackers to Find New Security Flaws"

 
