Google Project Zero - Eye Opener?

[SearchLight]

I have been reading several web articles about the best AV, and a an entity known as Google Project Zero has often been mentioned.

Some of their discoveries are listed here:

Issues - project-zero - Project Zero - Monorail

That being said, I searched for all the major AV vendors just to see who had the most, and least discovered vulnerabilities, so far.

I found the number for each, and the vendor responses when notified to be very educational.

I am not saying this should be used a guide in selecting your AV software but it is interesting to see which product had the most discovered vulnerabilities, and which had the least, and how the vendor may have responded when notified.

Having discovered this info, I will use the info to re-evaluate my current choices along with any info that I glean from the other well known review sites plus my own experiences.

Thoughts?

 

[ispx]

just the mention of google in it makes me raise my brow

 

[SearchLight]

You mean in a good helpful way, Google, or a bad self-serving way?

 

[ispx]

let me put up this way, i use nothing google, other than a tiny bit of you tube which too is rare. am sure you get the gist of it now

 

[Parsh]

just the mention of google in it makes me raise my brow

Project Zero has been digging deep into testing potential 0-day vulnerabilities for different modules of different end-user s/w since long.
Quite a few AV vendors have responded to them and a majority of reported issues have been considerable. Like Kaspersky's SSL certificate collision issue that K immediately acknowledged and worked on. Hey, remember Heartbleed?
It has also discovered flaws in Windows like remote code execution vulnerabilities ..

 

[ispx]

why not call themselves just project zero ? why the google affiliation ?

as for google, their play store is loaded with numerous vulnerabilities, they should fix them first.

 

[SearchLight]

Project Zero has been digging deep into testing potential 0-day vulnerabilities for different modules of different end-user s/w since long.
Quite a few AV vendors have responded to them and most of the issues were considerable. Like Kaspersky's SSL certificate collision issue that K immediately acknowledged and worked on. Hey, remember Heartbleed?
It has also discovered flaws in Windows like remote code execution vulnerabilities ..

I guess where I am going with this info is having come across this blog:
Eyes Above The Waves: Disable Your Antivirus Software (Except Microsoft's)

This is not to say I believe him, and start uninstalling my softwares but it raises the question of using two different software vendors together to protect my PC. For example, I am now using KAV and CF with cs settings. If I read the info listed on the Project Zero website correctly, Kaspersky seems to fix their vulnerabilities rapidly while the devs at Comodo seem to respond in disbelief with less urgency, and I am paraphrasing.

So the next question is whether it would be better to use a single suite by a well known developer who responds quickly to fixing vulnerabilities, or separates, knowing that the other dev is less responsive or timely, and thus possibly compromising my PC security?

 

[Parsh]

why not call themselves just project zero ? why the google affiliation ?
as for google, their play store is loaded with numerous vulnerabilities, they should fix them first.

Why not? They're being open by stating this. By talking about Play Store, you're just focusing on Google instead of their analysts working on the Project Zero in talks.
Sure they need to regulate Play Store better and one of their improvements is their 'Google Play Protect' feature in Google Security settings.

 

[enaph]

why not call themselves just project zero ? why the google affiliation ?

as for google, their play store is loaded with numerous vulnerabilities, they should fix them first.

Because Project Zero is the name of the team of security researchers employed by Google.
What's wrong with mentioning Google's name in it? Their doing good job and they are helping other companies by finding zero day vulnerabilities in their products.
It doesn't matter if it's Google, Microsoft or PizzaHut as long as their findings are helping in fight against cyber criminals.

 

[ispx]

@pablozi, @Parsh,

let me put up this way, i use nothing google, other than a tiny bit of you tube which too is rare. am sure you get the gist of it now

 

[Parsh]

I guess where I am going with this info is having come across this blog:
Eyes Above The Waves: Disable Your Antivirus Software (Except Microsoft's)

This is not to say I believe him, and start uninstalling my softwares but it raises the question of using two different software vendors together to protect my PC. For example, I am now using KAV and CF with cs settings. If I read the info listed on the Project Zero website correctly, Kaspersky seems to fix their vulnerabilities rapidly while the devs at Comodo seem to respond in disbelief with less urgency, and I am paraphrasing.

So the next question is whether it would be better to use a single suite by a well known developer who responds quickly to fixing vulnerabilities, or separates, knowing that the other dev is less responsive or timely, and thus possibly compromising my PC security?

This question has been raised since some time and is quite important to be considered. Many or most of the AV design teams are said to not follow the standard 'recommended' practices for the modules they implement and how they deliver them. Sometimes they have some limitations in order to be able to deliver things the way they wish to, but not always.

AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security.

Agreeable in their perspective. They are not lying. Mostly such problems arise when different kinds of programs try to implement the same thing (say a security feature or a patch to fill loopholes or compatibility). Regarding the compatibility of AV products and other products, the conflicts found can be resolved only by setting standards among them (that ain't practical) or by mutual cooperation that can be difficult.

At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly

You know what to make of this statement!
This topic is debatable but solution probably lies in only the devs following the right practices. End-users giving up use of such products ain't the solution.
When it comes to using 2 such 3rd party programs together, it ultimately depends on the implementation of the two s/w and what feature they offer and how. Incompatibilities are not unusual and not all products that appear to be working fine together are 100% compatible and might not stay compatible throughout. Not much we can do except than to avoid the ones causing noted issues.

 

[Winter Soldier]

I remember a few months ago, GP Zero has made public a vulnerability of a Windows graphics library before that Microsoft had the patch to fix it...
So as happened in the past, vulnerabilities discovered by GP Zero, are made public after 90 days from the first notice to the company without an update has been released.
But in this way they fall in the game of malcoders, who have the time to develop exploits and malware that take advantage of the security flaws before that users have available a patch.

Now, in this case, it may be difficult for a hacker to take advantage of a flaw being able to read not protected memory...reading portions of memory (not protected and thus not inherent to the kernel) deallocated and not erased.
If the memory is deallocated, on any program, it is good rule to reset it.

Ok in this case, but I think making public some critical vulnerabilities before a patch is available... it is not a good move.

 

[Parsh]

So as happened in the past, vulnerabilities discovered by GP Zero, are made public after 90 days from the first notice to the company without an update has been released.
But in this way they fall in the game of malcoders, who have the time to develop exploits and malware that take advantage of the security flaws before that users have available a patch.
Ok in this case, but I think making public some critical vulnerabilities before a patch is available... it is not a good move.

That for sure can be a problem. Though 90 days might be a good time for the devs (only if the receipt of notice is confirmed), a non-readiness of any patches must be communicated and discussed logically rather than releasing the vulnerability without some understanding. Not sure how things exactly worked between them before the public release.

 

[Arequire]

It's good that Google's finding vulnerabilities in software but I'm not a fan of public disclosure before a patch has been developed and rolled out to consumers.
I don't buy the argument that developers would simply not patch the vulnerability if there wasn't a time limit on public disclosure.

 

[Parsh]

@pablozi, @Parsh,
let me put up this way, i use nothing google, other than a tiny bit of you tube which too is rare. am sure you get the gist of it now

Sure, preferences. For a large number of apps and services, Google allows you to opt out of data collection with complementary limitations. For the others, you'll have to avoid using the service.
The point was that Google tracking/dealing with your data hardly had anything to do with the topic relating to the analysis work/results of Project Zero.

 

[DeepWeb]

Wikileaks CIA Vault 7 leaks show that they hate proactive Comodo Firewall and Bitdefender because they will catch anything they send.

 

[SearchLight]

This was an definitely an eye opener for me in regard to AV standards and vulnerabilities.

That being said, I think I will move to a security suite by one of the big names, rather than use separate programs and components. While one software may have outstanding ratings, the other, for the less informed individual, may be known for its revealed vulnerabilities. Most reviews focus on strengths and weaknesses, and seem not to discuss this topic. Maybe, they should in the context of historical info, and maybe this would force accountability, and uniform standards.. Of course, you don't want this info to fall into the hands of a malware hacker before a patch becomes available as stated by Parsh above.

Maybe, a security suite by a known vendor with a history of rapidly fixing vulnerabilities, and also which may historically, have presented the least amount, might be the better way to go in terms of consistency, strong security, and compatibility. This is my own personal opinion. For those of you who are comfortable, and have more experience, using separate programs, continue. I think there is no right or wrong answer here.

As it has been said many times by others, no software can be 100% effective against all types of viruses and malware. Common sense practices also come into play.

As always, I appreciate your comments and support.

 

[Atlas147]

Google project zero is less of a rating website, but rather more technical. More bugs discovered doesn't equate to bad software. The AV can have a superb detection ratio and still have a ton of bugs. Vice versa, the software can have the worst detection but have zero bugs at all. You still have to consider other factors when deciding what software to use, especially when it comes to AVs.

As for it being tied to google, I think it's good that they are being up front with where their funding is coming from. It would be much worst if they hid the fact that they were being funded by google, and it came up as them trying to "protect themselves" or giving biased reviews to other software makers.

Not sure why the skepticism with google, they have been providing us with amazing tools like their search engines and youtube.

And for those who say you stay away from anything google I would like to remind you that VIRUSTOTAL is part of Google as well.

 

[Parsh]

While one software may have outstanding ratings, the other, for the less informed individual, may be known for its revealed vulnerabilities. Most reviews focus on strengths and weaknesses, and seem not to discuss this topic. Maybe, they should in the context of historical info, and maybe this would force accountability, and uniform standards..
Maybe, a security suite by a known vendor with a history of rapidly fixing vulnerabilities, and also which may historically, have presented the least amount, might be the better way to go in terms of consistency, strong security, and compatibility. This is my own personal opinion. For those of you who are comfortable, and have more experience, using separate programs, continue. I think there is no right or wrong answer here.

Considering the history of bugs/vulnerabilities and their record of fixing is good for educational purpose, however it may not be a deciding factor for most home users.
The criticality of the loopholes discovered and unaddressed will matter more for the small business and enterprise owners who're already tired of covering different vectors of protection to safeguard their business data from social engineering attacks to the sophisticated ones. I believe that perspectives and use-cases matter more than what is absolute right or wrong in this topic!

More bugs discovered doesn't equate to bad software. The AV can have a superb detection ratio and still have a ton of bugs. Vice versa, the software can have the worst detection but have zero bugs at all. You still have to consider other factors when deciding what software to use, especially when it comes to AVs.

Agree. However, it is the 'vulnerabilities' (especially the potential zero days) found in the AV suites and not 'bugs' in general being discussed w.r.t. Project Zero. Though this is unfortunate, if some vendors care less about fixing such reportings and the loopholes are made public before, you know what's going to be dirty.
For the factors to be considered for buying AVs, most individuals and companies hardly rely on such reveals (or not aware) and they usually go by the traditional reasons of choosing, good or bad.

 

[DeepWeb]

I don't like it just like I dislike the infosec community on Twitter. They all brag about finding vulnerabilities and literally developing hacking tools but nobody seems to provide a fix to the exploit they just discovered or the hacking tool they created. So what's the point? Just tell Microsoft in secret that you found something.

Imagine the equivalent of this in medical research. Someone creating and bragging about new diseases but won't bother to find a cure. This is just my opinion but I'm not a fan of it.