lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 24 Sep 2007 11:11:33 -0700 (PDT)
From: Lamont Granquist <lamont@...iptkiddie.org>
To: bugtraq@...urityfocus.com
Subject: Re: Re: 0day: PDF pwns Windows


I was under the impression that "0day" came from the hacking/cracking 
community and was synonymous with the concept of "private 0day" that has 
been used in this thread.

So, a hacker/cracker would have a variety of tools at their disposal 
including many exploits that were known to security professionals, 
vendors, and the public for various lengths of time, but also the "0day" 
exploits for which no vulnerable machines should be patched against.  As 
soon as the vulnerability is published, it no longer becomes a "0day" 
since even in the absence of vendor patches, admins could take actions to 
audit and protect their systems.

Under this definition, "0day" exploits should be not publically disclosed 
and to be pedantic should be actively being used to break into systems. 
Exploits generated by the grey-hat community, not used for malicious 
reasons, and published before vendor patches exist would not have gone 
through the "0day" stage.  Neither would exploits generated for publically 
known vulnerabilities before the vendor patches were released would be 
considered "0day" since the vulnerability was publically known and again 
there could be workarounds encountered by the hacker/cracker that would 
prevent gaining access.

It seems that the definition of the term has morphed in the past 10+ years 
though...

On Sat, 22 Sep 2007 johanfunsale@...oo.com wrote:
> I think we're missing the point.  To my very limited knowledge, a zero 
> day vulnerability is a vulnerability that is released into the wild 
> before the vendor has notified its customers thereof, i.e. the person 
> who discovered the vulnerability decides to release it to parties other 
> than the vendor in question.
>
> This will most likely lead to a zero day exploit, which is an exploit 
> that "exploits" the vulnerability before the vendor releases a patch for 
> that vulnerability.
>
> This is just my view, but if it makes sense, use it as your own.
>
> Regards,
> Johan
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ