Re: 0-day "vulnerability"

[Curt Purdy <infosysec () gmail com>]

Along the same lines, from DHS to Symantec, the threat level is always
"Elevated". So yellow is now the new green. I think ISS (IBM now) is
one of the few that leave their alert level at "1" until there is
really a "2-4" situation to deal with. I don't need more stress in my
day than the crackers already provide...

Of course, I know keeping things in perspective are hard these days,
i.e. I was reading the Washington Post on the Metro this morning,
looking at a map of the four stations that al-Qaeda planned to bomb,
as I passed all four of them. I would say my PTL (Personal Threat
Level) is red.

BTW Hammer, I think of is an OK middle name, but I think your last
name is a little presumptuous ;)

Curt



On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God)
<thor () hammerofgod com> wrote:
> I would further define it as "code that can be run on a machine remotely without any human interaction."   What I 
> think would be ultimately effective is if researches and those who make disclosure announcements quit trying to make 
> their discoveries or processes "cool" and just stick to the facts.  Vendors want to downplay vulnerabilities, 
> disclosures want it to sound as bad as it can be.  That's why we have people describing a user following a link in an 
> email to download something from their site to be subsequently executed as "Remote Code Execution" that is 
> "Moderately Critical" as if there are actually varying degrees of "Critical."
>
> The same holds true for quantifying "likelihood of exploitation" as "high" based on what researchers call "extremely 
> common deployment environments in many businesses" when they are actually inferring what they THINK is common based 
> on what two of their 5-10 workstation clients are doing  with XP peer-to-peer configurations.
>
> I think that the only people really paying any attention to this are other researchers, who basically ignore what 
> other people call something - this doesn't really benefit the "user."  People want the "vulnerability" they 
> "discover" to be awesome and cool and critical because it substantiates their egos.  For now, preceding anything with 
> "0-day" is a way of invoking fear and urgency as if it represents some immanent disaster, but soon people will become 
> desensitized to that as well.
>
> t
>
> > -----Original Message-----
> > From: Curt Purdy [mailto:infosysec () gmail com]
> > Sent: Thursday, October 28, 2010 9:51 AM
> > To: Thor (Hammer of God)
> > Cc: w0lfd33m () gmail com; full-disclosure-bounces () lists grok org uk; full-
> > disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] 0-day "vulnerability"
> >
> > Right as usual t-man, but while we are doing F&Ws job for them, "Remote
> > code execution" is: any program you can run on a machine you can't touch (for
> > further explanation, "man touch").
> >
> > Curt
> >
> >
> >
> > On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
> > <thor () hammerofgod com> wrote:
> > > None of this really matters.  People will call it whatever they want
> > to.  Generally, all software has some sort of vulnerability.  If they want to call
> > the process of that vulnerability being communicated for the first time "0 day
> > vulnerability" then so what.
> > > The industry can't (and won't) even come up with what "Remote Code
> > Execution" really means, so trying to standardize disclosure nomenclature is a
> > waste of time IMO.
> > > t
> > >
> > > > -----Original Message-----
> > > > From: full-disclosure-bounces () lists grok org uk
> > > > [mailto:full-disclosure- bounces () lists grok org uk] On Behalf Of
> > > > w0lfd33m () gmail com
> > > > Sent: Thursday, October 28, 2010 9:25 AM
> > > > To: Curt Purdy; full-disclosure-bounces () lists grok org uk; full-
> > > > disclosure () lists grok org uk
> > > > Subject: Re: [Full-disclosure] 0-day "vulnerability"
> > > >
> > > > Yep. Totally agree. Vulnerability exists in the system since it has
> > > > been developed. It is just the matter when it has been disclosed or being
> > exploited.
> > > > I would suggest " 0 day disclosure" instead of "0 day vulnerability"
> > > > :)
> > > >
> > > >
> > > > ------Original Message------
> > > > From: Curt Purdy
> > > > Sender: full-disclosure-bounces () lists grok org uk
> > > > To: full-disclosure () lists grok org uk
> > > > Subject: [Full-disclosure] 0-day "vulnerability"
> > > > Sent: Oct 28, 2010 8:48 PM
> > > >
> > > > Sorry to rant, but I have seen this term used once too many times to
> > > > sit idly by. And used today by what I once thought was a respectable
> > > > infosec publication (that will remain nameless) while referring to the
> > > > current Firefox vulnerability (that did, by the way, once have a 0-day
> > > > sploit)  Also, by definition, a 0-day no longer exists the moment it
> > > > is announced ;)
> > > >
> > > > For once and for all: There is no such thing as a "zero-day vulnerability"
> > > > (quoted), only a 0-day exploit...
> > > >
> > > > Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > > >
> > > > Sent from BlackBerry(r) on Airtel
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/