On the "0-day" term
In the "Internet Explorer drag&drop 0day" thread, Gadi Evron said:
>In my opinion, this comes to prove 0days are USUALLY a "myth" (WMF
>being a good example of a real 0day),
It's not necessarily that 0-days are a myth, it's that people have
been using the term "0-day" to mean two separate things:
- in-the-wild hacks of live systems using vulnerabilities previously
unknown to the public and the vendor;
- release of exploit information for vulnerabilities previously
unknown to the public and the vendor, for which there are no known
in-the-wild hacks of live systems at the time of disclosure (though
such hacks seem to occur very soon afterward)
>Does anyone still think bad guys don't exploit (to whatever goals) a
>0day if it is out there?
The answer seems obvious, but...
It's not entirely clear to me how many in-the-wild 0-days exist and
are actively exploited. Just because some "white hat" finds something
does not mean that we should ALWAYS assume that the "black hats"
already know about it. The converse is also true, of course; see the
recent WMF issue.
Certainly, at least a couple of in-the-wild 0-days are publicized a year,
and maybe more in the coming year, given the precedents of the past 6
months or so, as the honeymonkeys project and Websense have shown.
One would hope that there is some critical mass (i.e. number of
compromised systems) beyond which any in-the-wild 0-day would become
publicly known. This critical mass would depend on the diligence of
the incident response community and the amount of coordination -
direct or indirect - with the vulnerability research community.
- Steve