Re: [Full-disclosure] 0day: PDF pwns Windows



Gadi Evron wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but fact is, people stop calling
> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
> wild without being known.
>
> I don't like the mis-use of this buzzword.

I respectfully disagree. By your definition, we have:

* "new vulnerability" is just what it sounds like
* "0day" is a "new vulnerability" that comes to public attention
because someone used it maliciously

But then there is the important concept of the "private 0day", a new
vulnerability that a malicious person has but has not used yet.

Does it really matter how the new vulnerability came to light? Do you
really want to get into arguments about whether the person who
discovered it was malicious? Especially for "private 0days" where the
discoverer may be sitting on his discovery for some time, waiting for
the highest bidder to buy his result. If he sells it to criminals, then
it becomes an 0day, and if he sells it to a vulnerability marketing
company, then it is something else.

I don't like this chain of logic. Whether a new vulnerability is an 0day
or not depends entirely too much on the disclosure process, with funky
race conditions in there.

Rather, I just treat "0day" as a synonym for "new vulnerability" and
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an "0" day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
someone else.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor

