lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200709211834.l8LIYpBD029429@dm-holland-01.uk.sun.com>
Date: Fri, 21 Sep 2007 20:34:51 +0200
From: Casper.Dik@....COM
To: Crispin Cowan <crispin@...ell.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	"pdp \(architect\)" <pdp.gnucitizen@...glemail.com>,
	Gadi Evron <ge@...uxbox.org>
Subject: Re: 0day: PDF pwns Windows


>But then there is the important concept of the "private 0day", a new
>vulnerability that a malicious person has but has not used yet.

But the point is there is no such thing as a 0day *vulnerability"; there's
a 0day exploit, an exploit in the wild before the vulnerability id
discovered.

By claiming all "new" vulnerabilities are 0day the term becomes completely
meaningless; by your reasoning there is no such thing as a non-0day 
vulnerabillity; well, the next they it's no longer a 0day vulnerability but
the funny thing is that everybody keeps calling it that.

When a vulnerability is discovered you cannot be sure no-one found it
before; the only thing you can ever be sure of whether at that point
an exploit was detected in the wild.


>I don't like this chain of logic. Whether a new vulnerability is an 0day
>or not depends entirely too much on the disclosure process, with funky
>race conditions in there.

But by your reasoning *all* vulnerabilities are 0day at some point; or
is the only exception those found by the vendor itself?

>Rather, I just treat "0day" as a synonym for "new vulnerability" and
>don't give a hoot about the alleged intentions of whoever discovered it.
>What makes it an "0" day is that whoever is announcing it is first to
>announce it in public. You could only invalidate the 0day claim by
>showing that the same vulnerability had previously been disclosed by
>someone else.


The point is that it is not supposed to be moniker for vulnerabilities;
it's a moniker for exploits.  In any other context it does not make sense.

Specifically considering that "0-day exploit" is the only definition which
holds meaning with respect to a particular exploit over time.  "An exploit
which existed before the vulnerability was publicly known".

But a "0 day vulnerability" is meaningless as a definition; it applies to
a vulnerability for exactly 24 hours and then is meaningless.  ALL 
vulnerabilities were discovered at some point and had their 24 hours of
"0 day fame" by your definition.  It just does not make sense.

Casper

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ