
Re: [Full-disclosure] 0day: PDF pwns Windows



Not in my book.  I guess the people on this list are working off too many
different definitions of 0day.  0day to me is something for which there is
no patch/update at the time of the exploit being coded/used.  So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year.  It's not necessarily new and it
doesn't have to be used maliciously.

If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day?  I don't think so.  If my WordPress
blog gets owned by pwnpress, that's not 0day... there are patches/updates for
everything on there.  It just makes me an idiot for not upgrading.  Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.

Steven
securityzone.org

> Gadi Evron wrote:
>> Impressive vulnerability, new. Not a 0day.
>>
>> Not to start an argument again, but fact is, people stop calling
>> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
>> wild without being known.
>>
>> I don't like the mis-use of this buzzword.
> I respectfully disagree. By your definition, we have:
>
>     * "new vulnerability" is just what it sounds like
>     * "0day" is a "new vulnerability" that comes to public attention
>       because someone used it maliciously
>
> But then there is the important concept of the "private 0day", a new
> vulnerability that a malicious person has but has not used yet.
>
> Does it really matter how the new vulnerability came to light? Do you
> really want to get into arguments about whether the person who
> discovered it was malicious? Especially for "private 0days" where the
> discoverer may be sitting on his discovery for some time, waiting for
> the highest bidder to buy his result. If he sells it to criminals, then
> it becomes an 0day, and if he sells it to a vulnerability marketing
> company, then it is something else.
>
> I don't like this chain of logic. Whether a new vulnerability is an 0day
> or not depends entirely too much on the disclosure process, with funky
> race conditions in there.
>
> Rather, I just treat "0day" as a synonym for "new vulnerability" and
> don't give a hoot about the alleged intentions of whoever discovered it.
> What makes it an "0" day is that whoever is announcing it is first to
> announce it in public. You could only invalidate the 0day claim by
> showing that the same vulnerability had previously been disclosed by
> someone else.
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
> Director of Software Engineering   http://novell.com
>       AppArmor Chat: irc.oftc.net/#apparmor
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>