Message-ID: <58043.131.182.176.99.1190384680.squirrel@slashmail.org>
Date: Fri, 21 Sep 2007 10:24:40 -0400 (EDT)
From: "Steven Adair" <steven@...urityzone.org>
To: "Crispin Cowan" <crispin@...ell.com>
Cc: "pdp " <pdp.gnucitizen@...glemail.com>,
"@slashmail.org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, Gadi Evron <ge@...uxbox.org>"@lists.grok.org.uk
Subject: Re: 0day: PDF pwns Windows
Not in my book. I guess the people on this list are working off too many
different definitions of 0day. 0day to me is something for which there is
no patch/update at the time of the exploit being coded/used. So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year. It's not necessarily new and it
doesn't have to be used maliciously.
If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day? I don't think so. If my WordPress
blog gets owned by pwnpress, that's not 0day.. there's patches/updates for
everything on there. It just makes me an idiot for not upgrading. Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.
Steven
securityzone.org
> Gadi Evron wrote:
>> Impressive vulnerability, new. Not a 0day.
>>
>> Not to start an argument again, but fact is, people stop calling
>> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
>> wild without being known.
>>
>> I don't like the mis-use of this buzzword.
> I respectfully disagree. By your definition, we have:
>
> * "new vulnerability" is just what it sounds like
> * "0day" is a "new vulnerability" that comes to public attention
> because someone used it maliciously
>
> But then there is the important concept of the "private 0day", a new
> vulnerability that a malicious person has but has not used yet.
>
> Does it really matter how the new vulnerability came to light? Do you
> really want to get into arguments about whether the person who
> discovered it was malicious? Especially for "private 0days" where the
> discoverer may be sitting on his discovery for some time, waiting for
> the highest bidder to buy his result. If he sells it to criminals, then
> it becomes an 0day, and if he sells it to a vulnerability marketing
> company, then it is something else.
>
> I don't like this chain of logic. Whether a new vulnerability is an 0day
> or not depends entirely too much on the disclosure process, with funky
> race conditions in there.
>
> Rather, I just treat "0day" as a synonym for "new vulnerability" and
> don't give a hoot about the alleged intentions of whoever discovered it.
> What makes it an "0" day is that whoever is announcing it is first to
> announce it in public. You could only invalidate the 0day claim by
> showing that the same vulnerability had previously been disclosed by
> someone else.
>
> Crispin
>
> --
> Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
> Director of Software Engineering http://novell.com
> AppArmor Chat: irc.oftc.net/#apparmor
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>