Open Source and information security mailing list archives
Date: Tue Feb 14 06:18:34 2006
From: coley at mitre.org (Steven M. Christey)
Subject: On the "0-day" term


In the "Internet Explorer drag&drop 0day" thread, Gadi Evron said:

>In my opinion, this comes to prove 0days are USUALLY a "myth" (WMF
>being a good example of a real 0day),

It's not necessarily that 0-days are a myth, it's that people have
been using the term "0-day" to mean two separate things:

 - in-the-wild hacks of live systems using vulnerabilities previously
   unknown to the public and the vendor;

 - release of exploit information for vulnerabilities previously
   unknown to the public and the vendor, for which there are no known
   in-the-wild hacks of live systems at the time of disclosure (though
   such hacks seem to occur very soon afterward)


>Does anyone still think bad guys don't exploit (to whatever goals) a
>0day if it is out there?

The answer seems obvious, but...

It's not entirely clear to me how many in-the-wild 0-days exist and
are actively exploited.  Just because some "white hat" finds something
does not mean that we should ALWAYS assume that the "black hats"
already know about it.  The converse is also true, of course; see the
recent WMF issue.

Certainly, at least a couple in-the-wild 0-days are publicized a year,
and maybe more in the coming year, given the precedents of the past 6
months or so, as the honeymonkeys project and Websense have shown.

One would hope that there is some critical mass (i.e. number of
compromised systems) beyond which any in-the-wild 0-day would become
publicly known.  This critical mass would depend on the diligence of
the incident response community and the amount of coordination -
direct or indirect - with the vulnerability research community.

- Steve
