Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: 0-day "vulnerability"
From: Curt Purdy <infosysec () gmail com>
Date: Thu, 28 Oct 2010 14:05:47 -0400

Along the same lines, from DHS to Symantec, the threat level is always
"Elevated". So yellow is now the new green. I think ISS (IBM now) is
one of the few that leave their alert level at "1" until there is
really a "2-4" situation to deal with. I don't need more stress in my
day than the crackers already provide...

Of course, I know keeping things in perspective are hard these days,
i.e. I was reading the Washington Post on the Metro this morning,
looking at a map of the four stations that al-Qaeda planned to bomb,
as I passed all four of them. I would say my PTL (Personal Threat
Level) is red.

BTW Hammer, I think of is an OK middle name, but I think your last
name is a little presumptuous ;)

Curt



On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God)
<thor () hammerofgod com> wrote:
I would further define it as "code that can be run on a machine remotely without any human interaction."   What I 
think would be ultimately effective is if researches and those who make disclosure announcements quit trying to make 
their discoveries or processes "cool" and just stick to the facts.  Vendors want to downplay vulnerabilities, 
disclosures want it to sound as bad as it can be.  That's why we have people describing a user following a link in an 
email to download something from their site to be subsequently executed as "Remote Code Execution" that is 
"Moderately Critical" as if there are actually varying degrees of "Critical."

The same holds true for quantifying "likelihood of exploitation" as "high" based on what researchers call "extremely 
common deployment environments in many businesses" when they are actually inferring what they THINK is common based 
on what two of their 5-10 workstation clients are doing  with XP peer-to-peer configurations.

I think that the only people really paying any attention to this are other researchers, who basically ignore what 
other people call something - this doesn't really benefit the "user."  People want the "vulnerability" they 
"discover" to be awesome and cool and critical because it substantiates their egos.  For now, preceding anything with 
"0-day" is a way of invoking fear and urgency as if it represents some immanent disaster, but soon people will become 
desensitized to that as well.

t

-----Original Message-----
From: Curt Purdy [mailto:infosysec () gmail com]
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Cc: w0lfd33m () gmail com; full-disclosure-bounces () lists grok org uk; full-
disclosure () lists grok org uk
Subject: Re: [Full-disclosure] 0-day "vulnerability"

Right as usual t-man, but while we are doing F&Ws job for them, "Remote
code execution" is: any program you can run on a machine you can't touch (for
further explanation, "man touch").

Curt



On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
<thor () hammerofgod com> wrote:
None of this really matters.  People will call it whatever they want
to.  Generally, all software has some sort of vulnerability.  If they want to call
the process of that vulnerability being communicated for the first time "0 day
vulnerability" then so what.

The industry can't (and won't) even come up with what "Remote Code
Execution" really means, so trying to standardize disclosure nomenclature is a
waste of time IMO.
t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure- bounces () lists grok org uk] On Behalf Of
w0lfd33m () gmail com
Sent: Thursday, October 28, 2010 9:25 AM
To: Curt Purdy; full-disclosure-bounces () lists grok org uk; full-
disclosure () lists grok org uk
Subject: Re: [Full-disclosure] 0-day "vulnerability"

Yep. Totally agree. Vulnerability exists in the system since it has
been developed. It is just the matter when it has been disclosed or being
exploited.

I would suggest " 0 day disclosure" instead of "0 day vulnerability"
:)


------Original Message------
From: Curt Purdy
Sender: full-disclosure-bounces () lists grok org uk
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM

Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)

For once and for all: There is no such thing as a "zero-day vulnerability"
(quoted), only a 0-day exploit...

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault