RE: [Full-disclosure] 0day: PDF pwns Windows
From: Michael Bitow <michaelb(at)chef.org>
Date: Fri Sep 21 2007 - 12:25:59 EDT

Name calling and arguing about semantics is about as useful and enjoyable as a fart in an elevator. Sheesh. I thought it was just the Quake players that got into e-peen pissing contests. And yes, I'm top-posting!

-----Original Message-----
On Thu, Sep 20, 2007 at 06:34:03PM -0400, Joey Mengele wrote:

Tell me something -- what do *you* think "zero day" means that differentiates it from "not zero day"? I keep seeing people use the term "zero day" (or "0day" or however you want to spell it) without any regard for how this is meant to differentiate it from some alternative to "zero day", and I have to wonder what these people think the term means. Do you just regard it as a way to make discovery of a vulnerability as more "important" or "exciting"? Why exactly use the term if it has no meaning other than "look at this!"?

There is no such thing as a "zero day vulnerability". A "zero day exploit" is an exploit that has been used to compromise systems by the "bad guys" before the "good guys" discovered it or, arguably, an exploit being used by the "bad guys" before the "good guys" have developed a patch for it. It's not a proof of concept that no "bad guy" has any use for, and it's not a vulnerability that someone outside of a vendor discovered before the vendor announced its discovery.

If you have a definition of the term "zero day" in a computer security context that contradicts mine, I'd love to read your reasoning and see your sources. After all, I can't learn anything new if I ignore things that I don't already know.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
MacUser, Nov. 1990: "There comes a time in the history of any project when it becomes necessary to shoot the engineers and begin production."

Received on Fri Sep 21 15:00:29 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:16:55 EDT