Re: On the "0-day" term

[Gadi Evron <ge () linuxbox org>]

Steven M. Christey wrote:

Hey Steve! :)

> It's not necessarily that 0-days are a myth, it's that people have
> been using the term "0-day" to mean two separate things:

0days are not a myth on their own.
They are live and kickin`! :)

>  - in-the-wild hacks of live systems using vulnerabilities previously
>    unkown to the public and the vendor;
>
>  - release of exploit information for vulnerabilities previously
>    unkown to the public and the vendor, for which there are no known
>    in-the-wild hacks of live systems at the time of disclosure (though
>    such hacks seem to occur very soon afterward)

I don't know, last year I read an article about 0days being released 
vulnerabilities where the patch is not applied yet. Uh huh.

> > Does anyone still think bad guys don't exploit (to whatever goals) a
> > 0day if it is out there?
>
>
> The answer seems obvious, but...
>
> It's not entirely clear to me how many in-the-wild 0-days exist and
> are actively exploited.  Just because some "white hat" finds something
> does not mean that we should ALWAYS assume that the "black hats"
> already know about it.  The converse is also true, of course; see the

On this point I disagree. We have to assume the worst, especially where 
we are specifically vulnerable. And as today we mostly rely on software 
security on-top of software security for our defense - we HAVE to assume 
the worst... we just don't have to hype it, and possibly, we can call it 
what it really is.

> recent WMF issue.

The goal of said 0day may be for specific attacks against specific 
targets. I don't see why anyone would waste their secret & strong 
resource on the wild west of the net - we don't often find 0days, right? 
Microsoft's or SecurityFocus's sites don't go down that often, right?

WMF was an exploit of opportunity, i.e.: what is our window of 
opportunity to infect users with spyware before we are found out?
In this case it was about 2 weeks.

This came to show that spyware manufacturers either did their own R&D or 
bought 0days. This is not the first time, either.

> Certainly, at least a couple in-the-wild 0-days are publicized a year,
> and maybe more in the coming year, given the precedents of the past 6
> months or so, as the honeymonkeys project and Websense have shown.
>
> One would hope that there is some critical mass (i.e. number of
> compromised systems) beyond which any in-the-wild 0-day would become
> publicly known.  This cricital mass would depend on the diligence of
> the incident response community and the amount of coordination -
> direct or indirect - with the vulnerability research community.

Critical mass could also be one well-placed machine. Point is we need to 
differentiate between, but not limited to:
1. Vulns that were already disclosed to the vendor or CC's.
2. Vulns that are publicly announce OR released by advisory or similar.
and
3. Vulns that no one knows exist, whether being exploited wildly, kept 
in a bunker or used on special targets.

It's time we stopped guessing and starting regulating these terms, not 
because we can tell people how to use the term '0day' but rather what it 
might mean. Makes lives so much easier.

In some of the above cases I will be proud to yell: "THERE ARE NO 
0DAYS", while I know that's obviously false in other cases.

The problem with this email, as well as any other to follow is that they 
are all full of opinions. We have to stop being an opinion-lead industry 
where opinions constitute 90% (didn't make any specific calculation, 
that's my opinion) of how we do things professionally.

> - Steve

I really hope this is not to become another long debate on religious 
terminology.. what have I done?!

        Gadi.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/