lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <46F2FF36.100@novell.com>
Date: Thu, 20 Sep 2007 16:16:06 -0700
From: Crispin Cowan <crispin@...ell.com>
To: Gadi Evron <ge@...uxbox.org>
Cc: "pdp (architect)" <pdp.gnucitizen@...glemail.com>,
	bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: 0day: PDF pwns Windows

Gadi Evron wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but fact is, people stop calling
> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
> wild without being known.
>
> I don't like the mis-use of this buzzword.
I respectfully disagree. By your definition, we have:

    * "new vulnerability" is just what it sounds like
    * "0day" is a "new vulnerability" that comes to public attention
      because someone used it maliciously

But then there is the important concept of the "private 0day", a new
vulnerability that a malicious person has but has not used yet.

Does it really matter how the new vulnerability came to light? Do you
really want to get into arguments about whether the person who
discovered it was malicious? Especially for "private 0days" where the
discoverer may be sitting on his discovery for some time, waiting for
the highest bider to buy his result. If he sells it to criminals, then
it becomes an 0day, and if he sells it to a vulnerability marketing
company, then it is something else.

I don't like this chain of logic. Whether a new vulnerability is an 0day
or not depends entirely too much on the disclosure process, with funky
race conditions in there.

Rather, I just treat "0day" as a synonym for "new vulnerability" and
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an "0" day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
someone else.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
	AppArmor Chat: irc.oftc.net/#apparmor


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ