Full Disclosure mailing list archives
Re: 0day: PDF pwns Windows
From: Iggy E <iggy_e () yahoo com>
Date: Tue, 25 Sep 2007 09:15:57 -0700 (PDT)
Hi Crispin, I agree with almost everything you say until here: "I continue to dismiss the requirement that an 0day be found maliciously exploiting machines, because that requires inferring intent." IMO, everybody in this thread is taking this from an inside-to-outside approach, whereas a '0day' is the opposite. If I'm on a CERT team for a corporation then I don't give a flying F if somebody's concocted a cool exploit for a vulnerability that hasn't been patched; and moreover, I don't know about it. I only care if there's malicious code running around in the real world doing damage that has no patch for the vulnerability. That's when I have to take some action or be completely helpless and in my mind that's the only time I consider a '0day' to have any relevance. Let me repeat: if it's a theoretical exploit, or even if it's hit 100,000 machines but has not been reported and is not "being in the wild", then it has no relevance to me BECAUSE I DON'T KNOW THAT IT EXISTS and therefore to me it is not 0day. Only through normal channels doing my daily CERT work (dCERT, FrSIRT, Secunia, etc.) if I see an exploit on an unpatched vulnerability doing real damage is when I would ever consider the term '0day'. Very respectfully, Ignacio --- Crispin Cowan <crispin () novell com> wrote:
Casper.Dik () Sun COM wrote:But then there is the important concept of the "private 0day", anewvulnerability that a malicious person has but has not used yet.But the point is there is no such thing as a 0day*vulnerability"; there'sa 0day exploit, an exploit in the wild before the vulnerabilityiddiscovered.An excellent point. Sorry I overlooked that. Exploit development today is so fast that I tend to equate knowledge of a vulnerability with "... and can have an exploit by tomorrow afternoon."Rather, I just treat "0day" as a synonym for "new vulnerability"anddon't give a hoot about the alleged intentions of whoeverdiscovered it.What makes it an "0" day is that whoever is announcing it isfirst toannounce it in public. You could only invalidate the 0day claimbyshowing that the same vulnerability had previously beendisclosed bysomeone else.The point is that it is not supposed to be moniker forvulnerabilities;it's a moniker for exploits. In any other context it does notmake sense.Specifically considering that "0-day exploit" is the onlydefinition whichholds meaning with respect to a particular exploit over time."An exploitwhich existed before the vulnerability was publicly known".Yes, you are right. So "0day" is a class of exploits. Specifically, it is the class of exploits that are developed before the first available patch for the vulnerability in question. But that race condition of whether the patch or the exploit is partially ordered, because they could be developed independently. There is the special case where the person who first discovered the vulnerability also develops either a patch or an exploit, in which case it is totally ordered. But in the general case where one person discovers the vulnerability, and two other people independently develop an exploit and a patch, you can't tell who finished first. All you can do is detect who published first. So fair enough, an "0day exploit" is one that appears in public before the associated patch is published. A "private 0day exploit" (the case I was concerned with) would be where someone develops an exploit, but does not deploy or publish it, holding it in reserve to attack others at the time of their choosing. Presumably if such a person wanted to keep it for very long, they would have to base it on a vulnerability that they themselves discovered, and did not publish. I continue to dismiss the requirement that an 0day be found maliciously exploiting machines, because that requires inferring intent. IMHO, a POC exploit first posted to Bugtraq ahead of the patch counts as an 0day exploit, unless it has been so thoroughly obfuscated that the "proof" part of "proof of concept" is itself BS. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor
____________________________________________________________________________________ Catch up on fall's hot new shows on Yahoo! TV. Watch previews, get listings, and more! http://tv.yahoo.com/collections/3658 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: 0day: PDF pwns Windows, (continued)
- Re: 0day: PDF pwns Windows Crispin Cowan (Sep 25)
- Re: 0day: PDF pwns Windows J. Oquendo (Sep 25)
- Re: 0day: PDF pwns Windows Jason (Sep 25)
- Re: 0day: PDF pwns Windows J. Oquendo (Sep 25)
- Re: 0day: PDF pwns Windows Valdis . Kletnieks (Sep 25)
- Re: 0day: PDF pwns Windows Gadi Evron (Sep 25)
- Re: 0day: PDF pwns Windows Jason (Sep 25)
- Re: 0day: PDF pwns Windows North, Quinn (Sep 25)
- Re: 0day: PDF pwns Windows Steven Adair (Sep 25)
- Re: 0day: PDF pwns Windows Gadi Evron (Sep 25)
- Re: 0day: PDF pwns Windows Iggy E (Sep 25)
- Re: 0day: PDF pwns Windows Geo. (Sep 21)
- Re: 0day: PDF pwns Windows silky (Sep 22)
- Re: 0day: PDF pwns Windows Eduardo Tongson (Sep 22)
- Re: 0day: PDF pwns Windows cocoruder . (Sep 25)
- Re: 0day: PDF pwns Windows h4h (Sep 21)
- Re: 0day: PDF pwns Windows Tremaine Lea (Sep 21)
- Re: 0day: PDF pwns Windows Gadi Evron (Sep 20)