Re: 0day: PDF pwns Windows

Gadi Evron wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but fact is, people stop calling
> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
> wild without being known.
>
> I don't like the mis-use of this buzzword.
I respectfully disagree. By your definition, we have:

• "new vulnerability" is just what it sounds like
• "0day" is a "new vulnerability" that comes to public attention because someone used it maliciously

But then there is the important concept of the "private 0day", a new vulnerability that a malicious person has but has not used yet.

Does it really matter how the new vulnerability came to light? Do you really want to get into arguments about whether the person who discovered it was malicious? Especially for "private 0days" where the discoverer may be sitting on his discovery for some time, waiting for the highest bider to buy his result. If he sells it to criminals, then it becomes an 0day, and if he sells it to a vulnerability marketing company, then it is something else.

I don't like this chain of logic. Whether a new vulnerability is an 0day or not depends entirely too much on the disclosure process, with funky race conditions in there.

Rather, I just treat "0day" as a synonym for "new vulnerability" and don't give a hoot about the alleged intentions of whoever discovered it. What makes it an "0" day is that whoever is announcing it is first to announce it in public. You could only invalidate the 0day claim by showing that the same vulnerability had previously been disclosed by someone else.

Crispin

-- 
Crispin Cowan, Ph.D.               
http://crispincowan.com/~crispin/
Director of Software Engineering   
http://novell.com
	AppArmor Chat: irc.oftc.net/#apparmor