lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <58043.131.182.176.99.1190384680.squirrel@slashmail.org>
Date: Fri, 21 Sep 2007 10:24:40 -0400 (EDT)
From: "Steven Adair" <steven@...urityzone.org>
To: "Crispin Cowan" <crispin@...ell.com>
Cc: "Gadi Evron" <ge@...uxbox.org>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	"pdp \" <pdp.gnucitizen@...glemail.com>"@slashmail.org
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows

Not in my book.  I guess the people on this list are working off too many
different definitions of 0day.  0day to me is something for which there is
no patch/update at the time of the exploit being coded/used.  So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year.  It's not necessarily new and it
doesn't have to be used maliciously.

If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day?  I don't think so.  If my WordPress
blog gets owned by pwnpress, that's not 0day.. there's patches/updates for
everything on there.  It just makes me an idiot for not upgrading.  Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.

Steven
securityzone.org

> Gadi Evron wrote:
>> Impressive vulnerability, new. Not a 0day.
>>
>> Not to start an argument again, but fact is, people stop calling
>> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
>> wild without being known.
>>
>> I don't like the mis-use of this buzzword.
> I respectfully disagree. By your definition, we have:
>
>     * "new vulnerability" is just what it sounds like
>     * "0day" is a "new vulnerability" that comes to public attention
>       because someone used it maliciously
>
> But then there is the important concept of the "private 0day", a new
> vulnerability that a malicious person has but has not used yet.
>
> Does it really matter how the new vulnerability came to light? Do you
> really want to get into arguments about whether the person who
> discovered it was malicious? Especially for "private 0days" where the
> discoverer may be sitting on his discovery for some time, waiting for
> the highest bider to buy his result. If he sells it to criminals, then
> it becomes an 0day, and if he sells it to a vulnerability marketing
> company, then it is something else.
>
> I don't like this chain of logic. Whether a new vulnerability is an 0day
> or not depends entirely too much on the disclosure process, with funky
> race conditions in there.
>
> Rather, I just treat "0day" as a synonym for "new vulnerability" and
> don't give a hoot about the alleged intentions of whoever discovered it.
> What makes it an "0" day is that whoever is announcing it is first to
> announce it in public. You could only invalidate the 0day claim by
> showing that the same vulnerability had previously been disclosed by
> someone else.
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
> Director of Software Engineering   http://novell.com
> 	AppArmor Chat: irc.oftc.net/#apparmor
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ