Re: 0day: PDF pwns Windows

Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>
>> A "private 0day exploit" (the case I was concerned with) would be where
>> someone develops an exploit, but does not deploy or publish it, holding
>> it in reserve to attack others at the time of their choosing. Presumably
>> if such a person wanted to keep it for very long, they would have to
>> base it on a vulnerability that they themselves discovered, and did not
>> publish.
>>
> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit. In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>

Its a little less abstract than that. Consider that the United States government might want to worry about whether some foreign nation is banking a large pool of private 0day exploits in preparation for war. Such a nation might farm these private 0day exploits by employing a pool of vulnerability researchers and exploit developers, and just not published the results.

This is a perfectly viable way to produce what amounts to Internet munitions. The recent incident of Estonia Under *Russian Cyber Attack*? <http://www.internetnews.com/security/article.php/3678606> is an example of such a network brush war in which possession of such an arsenal would be very useful.

Crispin

-- 
Crispin Cowan, Ph.D.               
http://crispincowan.com/~crispin/
Director of Software Engineering   
http://novell.com
	AppArmor Chat: irc.oftc.net/#apparmor