Re: 0day: PDF pwns Windows

To: Gadi Evron <ge@xxxxxxxxxxxx>
Subject: Re: 0day: PDF pwns Windows
From: Crispin Cowan <crispin@xxxxxxxxxx>
Date: Thu, 20 Sep 2007 16:16:06 -0700
Cc: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.62.0709201027590.8741@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570709200621l2424978cr85de6a4c6939c283@xxxxxxxxxxxxxx> <Pine.LNX.4.62.0709201027590.8741@xxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.12 (X11/20060911)

Gadi Evron wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but fact is, people stop calling
> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
> wild without being known.
>
> I don't like the mis-use of this buzzword.
I respectfully disagree. By your definition, we have:

    * "new vulnerability" is just what it sounds like
    * "0day" is a "new vulnerability" that comes to public attention
      because someone used it maliciously

But then there is the important concept of the "private 0day", a new
vulnerability that a malicious person has but has not used yet.

Does it really matter how the new vulnerability came to light? Do you
really want to get into arguments about whether the person who
discovered it was malicious? Especially for "private 0days" where the
discoverer may be sitting on his discovery for some time, waiting for
the highest bider to buy his result. If he sells it to criminals, then
it becomes an 0day, and if he sells it to a vulnerability marketing
company, then it is something else.

I don't like this chain of logic. Whether a new vulnerability is an 0day
or not depends entirely too much on the disclosure process, with funky
race conditions in there.

Rather, I just treat "0day" as a synonym for "new vulnerability" and
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an "0" day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
someone else.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
        AppArmor Chat: irc.oftc.net/#apparmor

Follow-Ups:
- Re: 0day: PDF pwns Windows
  - From: Crispin Cowan
- Re: 0day: PDF pwns Windows
  - From: Casper . Dik
- Re: [Full-disclosure] 0day: PDF pwns Windows
  - From: coderman
- Re: [Full-disclosure] 0day: PDF pwns Windows
  - From: Steven Adair

References:
- 0day: PDF pwns Windows
  - From: pdp (architect)
- Re: 0day: PDF pwns Windows
  - From: Gadi Evron

Prev by Date: Re: [irc-security] Multiple vulnerabilities in ircu
Next by Date: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass
Previous by thread: Re: 0day: PDF pwns Windows
Next by thread: Re: [Full-disclosure] 0day: PDF pwns Windows
Index(es):
- Date
- Thread