To most people it may seem unnecessary to talk about the importance of security in the digital world, but that same majority doesn’t know much about what to do or how to interpret the information that exists about it.
Aiming to shed some light on the subject, today we present concrete data from work carried out by Google and comment on the possible conclusions and, above all, on the measures users must adopt to protect themselves as much as possible from the many existing threats.
To start the discussion, it is first necessary to understand the basis of our approach, which is a project maintained by Google.
What is Google’s Project Zero?
Born in 2014 and made up of a team of Google researchers, Project Zero seeks to find so-called zero-day vulnerabilities.
Also known to IT personnel by the Portuguese translation of the term, this type of bug is a system vulnerability whose existence is unknown to the people responsible for the system.
Although more broadly associated with software, they can also be related to hardware.
The term zero-day is adopted because of the seriousness of the problem: since it has severe consequences, it requires immediate resolution, that is, there are “zero days” to deal with it.
There are two possible conditions for this type of vulnerability:
- Those that have been identified by an expert or researcher in the area, but are not yet known to the public or the developer and, therefore, have not yet been exploited by hackers, more specifically crackers or black hat hackers;
- Those that are discovered precisely because they are being exploited by digital criminals, who were the first to learn of their existence.
While either condition poses risks to users of the systems involved, it is reasonably evident that the second case is more urgent as there are already victims.
This was the case of the bug known as Heartbleed, which was related to the OpenSSL cryptographic software library and impacted information that should, under normal conditions, be protected by the SSL/TLS encryption used to secure the Internet and its many protocols.
SSL/TLS is the mechanism that makes communication on the Internet indecipherable, whether when browsing a website, accessing email messages or even using some virtual private networks (VPNs).
The seriousness of the problem even led companies like Facebook, Microsoft, Intel, Amazon, Dell and Google itself to join the Linux Foundation around open source projects of this type, in order to improve them in terms of security.
To cite another example of the second condition, WannaCry ransomware exploited a flaw in the Windows operating system, affecting hundreds of thousands of computers worldwide and representing one of the largest known actions of its kind.
The Project Zero team has fronts studying the main systems in use, which range from operating systems and browsers to various programs and services. Its scope of action is focused on the first condition, that is, discovering what developers are not yet aware of and reporting it to them, so that they produce the fix and release the corresponding patch/update to users.
Google does not maintain the project because it is the “good guy” in the story, as will be seen later, but because its own employees make use of many of the systems studied, and because the impacts on their users can also produce losses for the company, even if indirect.
Similar initiatives, with obvious and different motivations, are run by antivirus companies such as Norton, McAfee and Kaspersky, just to name a few of the best known.
Now that you know a little about Project Zero’s work and some of the practical effects that both it and other similar groups have, you might be wondering: what other consequences does this have for me as a user?
Which system does Google point out as the most secure?
Even if not literally, a post on the project’s blog entitled “A walk through Project Zero metrics”, from February 2022, shows that among the most used systems, the safest is Linux!
That’s right! The data confirm a frequent statement present in the lists of myths and truths about Linux.
And when we talk about the most secure system, we mean among various types of software and not just operating systems, which is the category Linux falls into.
The study also covers other operating systems, such as Windows and Android, as well as web browsers, cloud computing services, productivity software and frameworks, among others.
The data in the publication correspond to the period between January 2019 and December 2021, in which a total of 376 exploitable flaws were identified and reported to the respective developers.
Most (93.4%) of these bugs, among all the software manufacturers listed in the study, were fixed, but what stands out is the number of them per company and the time required to create and release an update that corrected the problem.
The number of Linux vulnerabilities is less than a third of what was observed for Microsoft, bearing in mind that the study does not break results down by company product and Bill Gates’ company has more than just Windows.
Even where its number of flaws is higher than that of products from other companies, such as Samsung and Oracle, its correction time is the shortest.
By convention in this kind of matter, upon receipt of a report of this type the developer has 90 days to release a correction patch and make it available to users, possibly with an additional period of 14 days, for different reasons.
The first period is called the deadline and the second the grace period.
In the case of problems related to the Linux Foundation, 96% were resolved within the deadline (90 days), or in absolute numbers, 24 bugs out of 25. Microsoft had a percentage of 76% (61 out of 80) and Apple 87% (73 out of 84), which surprises those who maintain that Apple’s systems are more secure.
But that’s not all. The average time in days to release the corrections (25 days) is 57% of the time spent by the runner-up, Google itself (44 days). Next come Mozilla (46 days), Adobe (65 days), Apple (69 days), Samsung (72 days), Microsoft (83 days) and Oracle (109 days).
For WebKit in particular, which is the engine used in the Safari browser, the time elapsed between the bug report and the release of the fix is 72.7 days, while in Chrome and Firefox it is 29.9 and 37.8 days, respectively.
Firefox had only 8 flaws reported, WebKit 27 and Chrome 40.
How important is Project Zero work to the end user?
In addition to being work that makes it more difficult for cyber criminals to find and exploit security vulnerabilities, making the digital world safer, there are other lessons to be learned and conclusions to be drawn from it.
- Beware of Marketing – It is not the role of Marketing to lie or create unrealistic images in the minds of users, but it often praises the positive points and leaves aside what is not so positive. Some of the brands present in the study have an image in the minds of consumers that does not match the practice, at least when it comes to safety;
- Paradigms – users need to overcome paradigms, those old established habits and unique ways of doing things. Adopting new alternatives may require some effort and leaving the comfort zone, but it ends up paying off when you gain in an aspect as relevant as safety;
- Information – staying informed in terms of security has long ceased to be a necessity for IT professionals only. Up-to-date and reliable information is one of the most essential instruments for strengthening security in the digital environment. After all, many of the frauds practiced are based not only on possible weaknesses in the systems, but also on users’ lack of knowledge, as usually occurs in phishing and in spoofing;
- Updates – the mechanisms for updating devices, systems and everything else that is used, such as a theme or plugin of the CMS on your website, are essential. Activating automatic updates, and proceeding with manual updates when there is no such option, is a crucial factor in reducing the probability of being affected;
- Piracy – among the main problems of pirated software is that many such programs do not accept updates. Thus, in addition to the possible malware that some contain, updates that would correct other flaws will not be possible;
- Anti-Malware Solutions – The popular anti-virus software is indispensable, but its use does not guarantee user immunity against the universe of existing vulnerabilities. Many users neglect security measures because they believe that, by using an antivirus, they are safe. Only the information mentioned above solves this problem;
- Cross-platform – the study demonstrates that different platforms have different problems. More than that, they all have problems. In other words, there is no point in having a secure website creation CMS if the administration of and access to that same CMS is done using an insecure device. And vice versa.
Conclusion
Although little known to end users, the study contains data that reveal the behavior of software developers when it comes to security.