Re: [Full-disclosure] 0day: PDF pwns Windows
- From: Crispin Cowan <crispin@xxxxxxxxxx>
- Date: Sat, 22 Sep 2007 22:34:07 -0700
An excellent point. Sorry I overlooked that. Exploit development todayBut then there is the important concept of the "private 0day", a newBut the point is there is no such thing as a 0day *vulnerability"; there's
vulnerability that a malicious person has but has not used yet.
a 0day exploit, an exploit in the wild before the vulnerability id
is so fast that I tend to equate knowledge of a vulnerability with "...
and can have an exploit by tomorrow afternoon."
Yes, you are right. So "0day" is a class of exploits. Specifically, itRather, I just treat "0day" as a synonym for "new vulnerability" andThe point is that it is not supposed to be moniker for vulnerabilities;
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an "0" day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
it's a moniker for exploits. In any other context it does not make sense.
Specifically considering that "0-day exploit" is the only definition which
holds meaning with respect to a particular exploit over time. "An exploit
which existed before the vulnerability was publicly known".
is the class of exploits that are developed before the first available
patch for the vulnerability in question.
But that race condition of whether the patch or the exploit is partially
ordered, because they could be developed independently. There is the
special case where the person who first discovered the vulnerability
also develops either a patch or an exploit, in which case it is totally
ordered. But in the general case where one person discovers the
vulnerability, and two other people independently develop an exploit and
a patch, you can't tell who finished first. All you can do is detect who
So fair enough, an "0day exploit" is one that appears in public before
the associated patch is published.
A "private 0day exploit" (the case I was concerned with) would be where
someone develops an exploit, but does not deploy or publish it, holding
it in reserve to attack others at the time of their choosing. Presumably
if such a person wanted to keep it for very long, they would have to
base it on a vulnerability that they themselves discovered, and did not
I continue to dismiss the requirement that an 0day be found maliciously
exploiting machines, because that requires inferring intent. IMHO, a POC
exploit first posted to Bugtraq ahead of the patch counts as an 0day
exploit, unless it has been so thoroughly obfuscated that the "proof"
part of "proof of concept" is itself BS.
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: Re: [Full-disclosure] Greek Web Election System Sucks - Remote File Inclusion?
- Next by Date: [Full-disclosure] Fwd: [funsec] Keep Gadi Evron off Bugtraq
- Previous by thread: Re: [Full-disclosure] 0day: PDF pwns Windows
- Next by thread: Re: [Full-disclosure] 0day: PDF pwns Windows