He continued: “You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of “zero-day” vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”
eWeek reported last week that the Project Zero team had already found and fixed some bugs in Apple’s recent iOS updates. The team is also credited with the discovery of a vulnerability at Intel.
“We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers,” Evans said.
Zero-day vulnerabilities are vulnerabilities against which no vendor has released a patch. Attacks that exploit them are dangerous because they often go unnoticed. According to Symantec: “The unexpected nature of zero-day threats is a serious concern, especially because they may be used in targeted attacks and in the propagation of malicious code.”
The information security firm’s latest Internet Security Threat Report said 23 zero-day vulnerabilities were discovered in cyber attacks in 2013—the highest number since Symantec began tracking zero-day vulnerabilities in 2006.