Not in my book. I guess the people on this list are working off too many
different definitions of 0day. 0day to me is something for which there is
no patch/update at the time of the exploit being coded/used. So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year. It's not necessarily new and it
doesn't have to be used maliciously.
If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day? I don't think so. If my WordPress
blog gets owned by pwnpress, that's not 0day... there are patches/updates for
everything on there. It just makes me an idiot for not upgrading. Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.
Steven
securityzone.org