RE: 0day: PDF pwns Windows

From: <Glenn.Everhart(at)chase.com>
Date: Tue Sep 25 2007 - 08:53:26 EDT

Minor point:

No need to limit such accumulations to nation-states though. People interested in fiddling with other peoples' computers have come up with attacks that don't get instantly published at least since the 1970s, and have had more-or-less private channels to communicate them. The motives these days, if you believe the press, may be more around money than simple mischief, but the practice of not disclosing bugs and exploits to the world has been with us a long time. Such exploits are 0day exploits until someone gets wind of them who will do something to defend against them. This can be a vendor, someone who publishes workarounds for admins, or whatnot, the key point being that the "0day" issue is one that pretty much all systems of the target type will be vulnerable to.

Once an exploit is widely used, it is likely to be noticed and cease to be effective everywhere too. The recent stories about targetted attacks are I expect partly devised to keep exploits working longer by avoiding this.

BTW the older use for "0day" to refer to warez that were newly cracked is similar in that again the term refers to the fact that the vendor has not yet had time to do anything to react to the crack or disallow use of the software.

Glenn Everhart

-----Original Message-----
From: Crispin Cowan [mailto:crispin@novell.com] Sent: Monday, September 24, 2007 5:59 PM To: Chad Perrin
Cc: Casper.Dik@Sun.COM; Gadi Evron; pdp (architect); bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk Subject: Re: 0day: PDF pwns Windows

Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>
>> A "private 0day exploit" (the case I was concerned with) would be where
>> someone develops an exploit, but does not deploy or publish it, holding
>> it in reserve to attack others at the time of their choosing. Presumably
>> if such a person wanted to keep it for very long, they would have to
>> base it on a vulnerability that they themselves discovered, and did not
>> publish.
>>
> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit. In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>

Its a little less abstract than that. Consider that the United States government might want to worry about whether some foreign nation is banking a large pool of private 0day exploits in preparation for war. Such a nation might farm these private 0day exploits by employing a pool of vulnerability researchers and exploit developers, and just not published the results.

This is a perfectly viable way to produce what amounts to Internet munitions. The recent incident of Estonia Under *Russian Cyber Attack*? <http://www.internetnews.com/security/article.php/3678606> is an example of such a network brush war in which possession of such an arsenal would be very useful.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com

        AppArmor Chat: irc.oftc.net/#apparmor

---

This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use.  If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. Received on Tue Sep 25 11:41:49 2007