Re: 0day: PDF pwns Windows

>But then there is the important concept of the "private 0day", a new
>vulnerability that a malicious person has but has not used yet.

But the point is there is no such thing as a 0day *vulnerability"; there's a 0day exploit, an exploit in the wild before the vulnerability id discovered.

By claiming all "new" vulnerabilities are 0day the term becomes completely meaningless; by your reasoning there is no such thing as a non-0day vulnerabillity; well, the next they it's no longer a 0day vulnerability but the funny thing is that everybody keeps calling it that.

When a vulnerability is discovered you cannot be sure no-one found it before; the only thing you can ever be sure of whether at that point an exploit was detected in the wild.

>I don't like this chain of logic. Whether a new vulnerability is an 0day
>or not depends entirely too much on the disclosure process, with funky
>race conditions in there.

But by your reasoning *all* vulnerabilities are 0day at some point; or is the only exception those found by the vendor itself?

>Rather, I just treat "0day" as a synonym for "new vulnerability" and
>don't give a hoot about the alleged intentions of whoever discovered it.
>What makes it an "0" day is that whoever is announcing it is first to
>announce it in public. You could only invalidate the 0day claim by
>showing that the same vulnerability had previously been disclosed by
>someone else.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The point is that it is not supposed to be moniker for vulnerabilities; it's a moniker for exploits. In any other context it does not make sense.

Specifically considering that "0-day exploit" is the only definition which holds meaning with respect to a particular exploit over time. "An exploit which existed before the vulnerability was publicly known".

But a "0 day vulnerability" is meaningless as a definition; it applies to a vulnerability for exactly 24 hours and then is meaningless. ALL vulnerabilities were discovered at some point and had their 24 hours of "0 day fame" by your definition. It just does not make sense.

Casper Received on Fri Sep 21 15:28:29 2007