
RE: 0day: PDF pwns Windows



Minor point:

No need to limit such accumulations to nation-states though. People interested
in fiddling with other people's computers have come up with attacks that don't
get instantly published at least since the 1970s, and have had more-or-less private
channels to communicate them. The motives these days, if you believe the press,
may be more around money than simple mischief, but the practice of not disclosing
bugs and exploits to the world has been with us a long time. Such exploits are 0day
exploits until someone gets wind of them who will do something to defend against
them. This can be a vendor, someone who publishes workarounds for admins, or whatnot,
the key point being that the "0day" issue is one that pretty much all systems of
the target type will be vulnerable to.

Once an exploit is widely used, it is likely to be noticed and cease to be effective
everywhere too. The recent stories about targeted attacks are I expect partly
devised to keep exploits working longer by avoiding this.

BTW the older use for "0day" to refer to warez that were newly cracked is similar in
that again the term refers to the fact that the vendor has not yet had time to do anything
to react to the crack or disallow use of the software.

Glenn Everhart


-----Original Message-----
From: Crispin Cowan [mailto:crispin@xxxxxxxxxx]
Sent: Monday, September 24, 2007 5:59 PM
To: Chad Perrin
Cc: Casper.Dik@xxxxxxx; Gadi Evron; pdp (architect);
bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: 0day: PDF pwns Windows


Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>   
>> A "private 0day exploit" (the case I was concerned with) would be where
>> someone develops an exploit, but does not deploy or publish it, holding
>> it in reserve to attack others at the time of their choosing. Presumably
>> if such a person wanted to keep it for very long, they would have to
>> base it on a vulnerability that they themselves discovered, and did not
>> publish.
>>     
> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit.  In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>   
It's a little less abstract than that. Consider that the United States
government might want to worry about whether some foreign nation is
banking a large pool of private 0day exploits in preparation for war.
Such a nation might farm these private 0day exploits by employing a pool
of vulnerability researchers and exploit developers, and just not
publish the results.

This is a perfectly viable way to produce what amounts to Internet
munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
<http://www.internetnews.com/security/article.php/3678606> is an example
of such a network brush war in which possession of such an arsenal would
be very useful.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
        AppArmor Chat: irc.oftc.net/#apparmor


