[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] 0-day "vulnerability"

0-day is a scene word. Connotations are inferred, you're more precise 
definition is pretty much what people already assume.

Desensitization to security is a serious issue also. Look at homeland 
security's warning level system. Look at the news of deaths in Iraq and 
Afghanistan. It's boring as looking up at the blue sky.

--- On Thu, 10/28/10, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:

From: Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] 0-day "vulnerability"
To: "Curt Purdy" <infosysec@xxxxxxxxx>, "Thor (Hammer of God)" 
<thor@xxxxxxxxxxxxxxx>
Cc: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, 
"full-disclosure-bounces@xxxxxxxxxxxxxxxxx" 
<full-disclosure-bounces@xxxxxxxxxxxxxxxxx>
Date: Thursday, October 28, 2010, 5:14 PM

I would further define it as "code that can be run on a machine remotely 
without any human interaction."   What I think would be ultimately effective is 
if researches and those who make disclosure announcements quit trying to make 
their discoveries or processes "cool" and just stick to the facts.  Vendors 
want to downplay vulnerabilities, disclosures want it to sound as bad as it can 
be.  That's why we have people describing a user following a link in an email 
to download something from their site to be subsequently executed as "Remote 
Code Execution" that is "Moderately Critical" as if there are actually varying 
degrees of "Critical."  

The same holds true for quantifying "likelihood of exploitation" as "high" 
based on what researchers call "extremely common deployment environments in 
many businesses" when they are actually inferring what they THINK is common 
based on what two of their 5-10 workstation clients are doing  with XP 
peer-to-peer configurations.  

I think that the only people really paying any attention to this are other 
researchers, who basically ignore what other people call something - this 
doesn't really benefit the "user."  People want the "vulnerability" they 
"discover" to be awesome and cool and critical because it substantiates their 
egos.  For now, preceding anything with "0-day" is a way of invoking fear and 
urgency as if it represents some immanent disaster, but soon people will become 
desensitized to that as well.

t

>-----Original Message-----
>From: Curt Purdy [mailto:infosysec@xxxxxxxxx]
>Sent: Thursday, October 28, 2010 9:51 AM
>To: Thor (Hammer of God)
>Cc: w0lfd33m@xxxxxxxxx; full-disclosure-bounces@xxxxxxxxxxxxxxxxx; full-
>disclosure@xxxxxxxxxxxxxxxxx
>Subject: Re: [Full-disclosure] 0-day "vulnerability"
>
>Right as usual t-man, but while we are doing F&Ws job for them, "Remote
>code execution" is: any program you can run on a machine you can't touch (for
>further explanation, "man touch").
>
>Curt
>
>
>
>On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
><thor@xxxxxxxxxxxxxxx> wrote:
>> None of this really matters.  People will call it whatever they want
>to.  Generally, all software has some sort of vulnerability.  If they want to 
>call
>the process of that vulnerability being communicated for the first time "0 day
>vulnerability" then so what.
>>
>> The industry can't (and won't) even come up with what "Remote Code
>Execution" really means, so trying to standardize disclosure nomenclature is a
>waste of time IMO.
>> t
>>
>>>-----Original Message-----
>>>From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>>>[mailto:full-disclosure- bounces@xxxxxxxxxxxxxxxxx] On Behalf Of
>>>w0lfd33m@xxxxxxxxx
>>>Sent: Thursday, October 28, 2010 9:25 AM
>>>To: Curt Purdy; full-disclosure-bounces@xxxxxxxxxxxxxxxxx; full-
>>>disclosure@xxxxxxxxxxxxxxxxx
>>>Subject: Re: [Full-disclosure] 0-day "vulnerability"
>>>
>>>Yep. Totally agree. Vulnerability exists in the system since it has
>>>been developed. It is just the matter when it has been disclosed or being
>exploited.
>>>
>>>I would suggest " 0 day disclosure" instead of "0 day vulnerability"
>>>:)
>>>
>>>
>>>------Original Message------
>>>From: Curt Purdy
>>>Sender: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>>>To: full-disclosure@xxxxxxxxxxxxxxxxx
>>>Subject: [Full-disclosure] 0-day "vulnerability"
>>>Sent: Oct 28, 2010 8:48 PM
>>>
>>>Sorry to rant, but I have seen this term used once too many times to
>>>sit idly by. And used today by what I once thought was a respectable
>>>infosec publication (that will remain nameless) while referring to the
>>>current Firefox vulnerability (that did, by the way, once have a 0-day
>>>sploit)  Also, by definition, a 0-day no longer exists the moment it
>>>is announced ;)
>>>
>>>For once and for all: There is no such thing as a "zero-day vulnerability"
>>>(quoted), only a 0-day exploit...
>>>
>>>Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
>>>
>>>_______________________________________________
>>>Full-Disclosure - We believe in it.
>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>Sent from BlackBerry(r) on Airtel
>>>_______________________________________________
>>>Full-Disclosure - We believe in it.
>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>Hosted and sponsored by Secunia - http://secunia.com/
>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



      
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/