| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 May 2008 16:22:47 -0400 From: "Exibar" <exibar@...lair.com> To: "Douglas K. Fischer" <fischerdk@...oki.com>, "n3td3v" <xploitable@...il.com> Cc: n3td3v <n3td3v@...glegroups.com>, full-disclosure@...ts.grok.org.uk, Gadi Evron <ge@...uxbox.org> Subject: Re: defining 0day Exactly. Zero Day Exploit: A brand new exploit. For a brand new vulnerability that isn't known either public or private (private = vendor only). The Exploit itself is also brand new, never before known either public or private. Exibar ----- Original Message ----- From: "Douglas K. Fischer" <fischerdk@...oki.com> To: "n3td3v" <xploitable@...il.com> Cc: "n3td3v" <n3td3v@...glegroups.com>; <full-disclosure@...ts.grok.org.uk>; "Gadi Evron" <ge@...uxbox.org> Sent: Friday, May 02, 2008 3:10 PM Subject: Re: [Full-disclosure] defining 0day > -------- Original Message -------- > Subject: Re: [Full-disclosure] defining 0day > From: n3td3v <xploitable@...il.com> > To: Gadi Evron <ge@...uxbox.org>, full-disclosure@...ts.grok.org.uk, > n3td3v <n3td3v@...glegroups.com> > Date: 04/19/2008 18:44 >> On Tue, Sep 25, 2007 at 8:02 PM, Gadi Evron <ge@...uxbox.org> wrote: >> >>> Okay. I think we exhausted the different views, and maybe we are now >>> able >>> to come to a conlusion on what we WANT 0day to mean. >>> >>> What do you, as professional, believe 0day should mean, regardless of >>> previous definitions? >>> >>> Obviously, the term has become charged in the past couple of years with >>> the >>> targeted office vulnerabilities attacks, WMF, ANI, etc. >>> >>> We require a term to address these, just as much as we do "unpatched >>> vulnerability" or "fully disclosed vulnerability". >>> >>> What other such descriptions should we consider before proceeding? >>> non-disclosure? >>> >>> Gadi. >>> >>> >> >> I just caught a news article that summed up nicely what 0day means... >> >> "A zero-day flaw is a software vulnerability that has become public >> knowledge but for which no patch is available. It is particularly >> dangerous since users are exposed from day zero until the day a vendor >> prepares a patch and notifies users it is ready." >> >> http://www.pcworld.com/businesscenter/article/144803/chinese_blogs_detail_zeroday_flaw_in_microsoft_works.html >> >> Regards, >> >> n3td3v >> > I would actually add one more criteria. Not only would a 0day have no > patch available, but the vulnerability being exploited would not have > been previously announced. In other words, the very first exposure in > the wild of a 0day would be active exploitation of an "as of yet > unknown" (except of course by the exploit author) vulnerability. This > makes a true 0day all the more potent. > > Cheers, > > Doug > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists