Message-ID: <C0C2FD87.20C8F%ltr@isc.upenn.edu>
Date: Sat Jun 24 19:35:57 2006
From: ltr at isc.upenn.edu (David Taylor)
Subject: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities
I surely didn't intend for this thread to end up going in the direction it
did. I was basically just trying to say I am concerned with the numerous
advisory/exploit releases on the same day. No matter what the reason. And
perhaps there still isn't a definition of 0-day that everyone agrees on. I
basically understand it the way Wikipedia has it listed.
http://en.wikipedia.org/wiki/0-day
Zero-day exploits are released on the same day the vulnerability - and,
sometimes, the vendor patch - are released to the public. The term derives
from the number of days between the public advisory and the release of the
exploit. The term 'zero-day exploits' is sometimes (mis)used to indicate
publicly known exploits for which no patches yet exist.
If I see Secunia release an initial advisory which has a link to the exploit
on the Milw0rm site I consider that a 0-day exploit. Maybe I am not
looking at it correctly?
In any case, I think MW may have taken my post as an attack on Milw0rm but
that isn't how I meant it to be.
On 6/24/06 2:13 PM, "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>
wrote:
> On Sat, 24 Jun 2006 13:45:47 EDT, Jason said:
>> You have a lot of nerve! It was not too long ago that I recall you being
>> the clueless one on the FD list.
>
> Aye.. that he was, as we all were at one time (myself included, even if that
> phase *did* predate the creation of FD by more than 2 decades). However,
> Morning has had enough sense to pay attention and acquire at least some
> clue...
>
> Having said that, I'll posit that Morning is right - Milw0rm is a site well
> known enough that *by definition* an exploit showing up there moves it from
> '0-day' to 'just another damned unpatched vuln'. After all, 0-day means "an
> unknown exploit you can't defend against because you've never seen it". Which
> is hardly the case for any Milw0rm exploit.
>
==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader