Not in my book. I guess the people on this list are working off too many different definitions of 0day. 0day to me is something for which there is no patch/update at the time of the exploit being coded/used. So if I code an exploit for IE right now and they don't patch it until April September 2008, it's a 0day exploit for a year. It's not necessarily new and it doesn't have to be used maliciously. If I code an exploit (for which there is no patch) and use it on my own servers, does that mean it's not 0day? I don't think so. If my WordPress blog gets owned by pwnpress, that's not 0day.. there's patches/updates for everything on there. It just makes me an idiot for not upgrading. Now if I get hit with some WP exploit that's not patched, then that's another [0-day] story. Steven securityzone.org > Gadi Evron wrote: >> Impressive vulnerability, new. Not a 0day. >> >> Not to start an argument again, but fact is, people stop calling >> everything a 0day unless it is, say WMF, ANI, etc. exploited in the >> wild without being known. >> >> I don't like the mis-use of this buzzword. > I respectfully disagree. By your definition, we have: > > * "new vulnerability" is just what it sounds like > * "0day" is a "new vulnerability" that comes to public attention > because someone used it maliciously > > But then there is the important concept of the "private 0day", a new > vulnerability that a malicious person has but has not used yet. > > Does it really matter how the new vulnerability came to light? Do you > really want to get into arguments about whether the person who > discovered it was malicious? Especially for "private 0days" where the > discoverer may be sitting on his discovery for some time, waiting for > the highest bider to buy his result. If he sells it to criminals, then > it becomes an 0day, and if he sells it to a vulnerability marketing > company, then it is something else. > > I don't like this chain of logic. Whether a new vulnerability is an 0day > or not depends entirely too much on the disclosure process, with funky > race conditions in there. > > Rather, I just treat "0day" as a synonym for "new vulnerability" and > don't give a hoot about the alleged intentions of whoever discovered it. > What makes it an "0" day is that whoever is announcing it is first to > announce it in public. You could only invalidate the 0day claim by > showing that the same vulnerability had previously been disclosed by > someone else. > > Crispin > > -- > Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ > Director of Software Engineering http://novell.com > AppArmor Chat: irc.oftc.net/#apparmor > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
