Full Disclosure mailing list archives

Re: 0-day "vulnerability"
From: Marsh Ray <marsh () extendedsubset com>
Date: Fri, 29 Oct 2010 14:25:44 -0500

On 10/29/2010 12:56 PM, Tyler Borland wrote:
> I think it's getting ridiculous.  Who cares about bureaucratical terms?

I agree that the term "0-day" does not have universal agreement on its 
meaning, so its use can be a sign of having too few sources of 
information. But still, I think it can be useful. For example:

"The Stuxnet developers clearly had resources at their disposal because 
they were willing to burn four Windows 0-days and two code signing certs 
for the attack."

In that case we know what "0-day" means: an exploit the attacker can use 
at his option without any advance warning to the defender. A sneak 
attack, "unfair" to the defender (to the extent he was hoping the 
attacker would play fair).

> I find more and more 'researchers' trying to just be auditors and
> categorize exploits and try to follow some kind of universal naming
> convention for exploits that doesn't exist and shouldn't exist.

I find myself using the technical term "pwned" quite regularly in 
professional discussions. It conveys a certain meaning that I don't think is 
captured as well by any other terms.

To me it conveys:

1. There is a significant vulnerability present in the target system

2. The attacker has already exploited this vulnerability, or is presumed 
to have the ability to exploit it

3. A successful exploit represents a near-total compromise of a critical 
protected resource, or it can likely be leveraged into it.

4. A successful exploit invalidates such fundamental assumptions of the 
system's security model that it's probably not useful to try to reason 
about distinctions in "degrees of pwnage".

5. The fact that the spell-checker doesn't recognize the term, even 
though it has been in usage for many years now, should serve as a 
reminder that the attacker specializes in putting systems in ambiguous 
situations and causing them to fail in unanticipated ways.

6. The speaker is not going to sugar coat the truth in politically-
(or even grammatically-) correct terminology.

> rather see information on exploits and interesting ways to use them than
> saying it's one type or the other.
>
> This 'scene' is not about politics and terminology for me.

I think once you have more than a handful of different and interesting 
things, a terminology must emerge in order to be able to discuss them.

But whether or not the terminology which emerges is descriptive, 
clearly-defined, agreed-upon, or the subject is becoming overly 
political, are all another matter!

- Marsh

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
