Re: On the "0-day" term
Steven M. Christey wrote:
Hey Steve! :)
> It's not necessarily that 0-days are a myth, it's that people have
> been using the term "0-day" to mean two separate things:
0days are not a myth on their own.
They are live and kickin'! :)
> - in-the-wild hacks of live systems using vulnerabilities previously
> unknown to the public and the vendor;
> - release of exploit information for vulnerabilities previously
> unknown to the public and the vendor, for which there are no known
> in-the-wild hacks of live systems at the time of disclosure (though
> such hacks seem to occur very soon afterward)
I don't know, last year I read an article about 0days being released
vulnerabilities where the patch is not applied yet. Uh huh.
Does anyone still think bad guys don't exploit (to whatever goals) a
0day if it is out there?
The answer seems obvious, but...
> It's not entirely clear to me how many in-the-wild 0-days exist and
> are actively exploited. Just because some "white hat" finds something
> does not mean that we should ALWAYS assume that the "black hats"
> already know about it. The converse is also true, of course; see the
On this point I disagree. We have to assume the worst, especially where
we are specifically vulnerable. And as today we mostly rely on software
security on top of software security for our defense - we HAVE to assume
the worst... we just don't have to hype it, and possibly, we can call it
what it really is.
> recent WMF issue.
The goal of said 0day may be for specific attacks against specific
targets. I don't see why anyone would waste their secret & strong
resource on the wild west of the net - we don't often find 0days, right?
Microsoft's or SecurityFocus's sites don't go down that often, right?
WMF was an exploit of opportunity, i.e.: what is our window of
opportunity to infect users with spyware before we are found out?
In this case it was about 2 weeks.
This came to show that spyware manufacturers either did their own R&D or
bought 0days. This is not the first time, either.
> Certainly, at least a couple in-the-wild 0-days are publicized a year,
> and maybe more in the coming year, given the precedents of the past 6
> months or so, as the honeymonkeys project and Websense have shown.
> One would hope that there is some critical mass (i.e. number of
> compromised systems) beyond which any in-the-wild 0-day would become
> publicly known. This critical mass would depend on the diligence of
> the incident response community and the amount of coordination -
> direct or indirect - with the vulnerability research community.
Critical mass could also be one well-placed machine. Point is we need to
differentiate between, but not limited to:
1. Vulns that were already disclosed to the vendor or CC's.
2. Vulns that are publicly announced OR released by advisory or similar.
and
3. Vulns that no one knows exist, whether being exploited wildly, kept
in a bunker or used on special targets.
It's time we stopped guessing and started regulating these terms, not
because we can tell people how to use the term '0day' but rather what it
might mean. Makes lives so much easier.
In some of the above cases I will be proud to yell: "THERE ARE NO
0DAYS", while I know that's obviously false in other cases.
The problem with this email, as well as any other to follow, is that they
are all full of opinions. We have to stop being an opinion-led industry
where opinions constitute 90% (didn't make any specific calculation,
that's my opinion) of how we do things professionally.
> - Steve
I really hope this is not to become another long debate on religious
terminology.. what have I done?!
Gadi.