|
BugTraq
0day: PDF pwns Windows Sep 20 2007 01:21PM pdp (architect) (pdp gnucitizen googlemail com) (3 replies) Re: [Full-disclosure] 0day: PDF pwns Windows Sep 21 2007 07:53PM Thierry Zoller (Thierry Zoller lu) (2 replies) Re: [Full-disclosure] 0day: PDF pwns Windows Sep 21 2007 09:21PM Aaron Collins (collinsa ehawaii gov) Re: [Full-disclosure] 0day: PDF pwns Windows Sep 21 2007 09:21PM Kevin Finisterre (lists) (kf_lists digitalmunition com) Re: 0day: PDF pwns Windows Sep 20 2007 03:29PM Gadi Evron (ge linuxbox org) (1 replies) Re: 0day: PDF pwns Windows Sep 20 2007 11:16PM Crispin Cowan (crispin novell com) (2 replies) Re: 0day: PDF pwns Windows Sep 23 2007 05:34AM Crispin Cowan (crispin novell com) (2 replies) Re: 0day: PDF pwns Windows Sep 23 2007 11:52PM Chad Perrin (perrin apotheon com) (2 replies) Re: 0day: PDF pwns Windows Sep 24 2007 10:57PM Lamont Granquist (lamont scriptkiddie org) (1 replies) Re: 0day: PDF pwns Windows Sep 25 2007 05:57PM Roland Kuhn (rkuhn e18 physik tu-muenchen de) (1 replies) RE: 0day: PDF pwns Windows Sep 25 2007 06:39PM Thor (Hammer of God) (thor hammerofgod com) (2 replies) defining 0day Sep 25 2007 07:02PM Gadi Evron (ge linuxbox org) (3 replies) Re: defining 0day Sep 25 2007 08:40PM Charles Miller (cmiller pastiche org) (2 replies) Re: defining 0day Sep 26 2007 11:25PM Zow Terry Brugger (zow llnl gov) (1 replies) Re: defining 0day Sep 26 2007 11:10PM Chad Perrin (perrin apotheon com) (1 replies) Re: defining 0day Sep 25 2007 07:51PM Brian Loe (knobdy gmail com) (1 replies) Re: defining 0day Sep 25 2007 07:59PM Gadi Evron (ge linuxbox org) (1 replies) Re: defining 0day Sep 25 2007 08:15PM Brian Loe (knobdy gmail com) (1 replies) |
|
|
Privacy Statement |
>But then there is the important concept of the "private 0day", a new
>vulnerability that a malicious person has but has not used yet.
But the point is there is no such thing as a 0day *vulnerability"; there's
a 0day exploit, an exploit in the wild before the vulnerability id
discovered.
By claiming all "new" vulnerabilities are 0day the term becomes completely
meaningless; by your reasoning there is no such thing as a non-0day
vulnerabillity; well, the next they it's no longer a 0day vulnerability but
the funny thing is that everybody keeps calling it that.
When a vulnerability is discovered you cannot be sure no-one found it
before; the only thing you can ever be sure of whether at that point
an exploit was detected in the wild.
>I don't like this chain of logic. Whether a new vulnerability is an 0day
>or not depends entirely too much on the disclosure process, with funky
>race conditions in there.
But by your reasoning *all* vulnerabilities are 0day at some point; or
is the only exception those found by the vendor itself?
>Rather, I just treat "0day" as a synonym for "new vulnerability" and
>don't give a hoot about the alleged intentions of whoever discovered it.
>What makes it an "0" day is that whoever is announcing it is first to
>announce it in public. You could only invalidate the 0day claim by
>showing that the same vulnerability had previously been disclosed by
>someone else.
The point is that it is not supposed to be moniker for vulnerabilities;
it's a moniker for exploits. In any other context it does not make sense.
Specifically considering that "0-day exploit" is the only definition which
holds meaning with respect to a particular exploit over time. "An exploit
which existed before the vulnerability was publicly known".
But a "0 day vulnerability" is meaningless as a definition; it applies to
a vulnerability for exactly 24 hours and then is meaningless. ALL
vulnerabilities were discovered at some point and had their 24 hours of
"0 day fame" by your definition. It just does not make sense.
Casper
[ reply ]