It seems to have lost its meaning after getting popularized following Stuxnet coverage.
No, I think it was since Code Red.

I understand why it's poorly understood. It's a snappy term, and people assume it means "bad" and nothing else because that's all you can get from the context. However, since most people also don't know the difference between a vulnerability and an exploit, they won't understand the definition of a zero-day when they read it.

But I'm still going to complain if a security vulnerability research company is using the term incorrectly in their own press copy. It makes them look amateurish.

> the difference between a vulnerability and an exploit

is it the difference between a knife and a stab wound?

No, that's the difference between exploit (knife) and either the incident or impact (wound). The vulnerability would be a gap in armor.

The vulnerability is the exposed weakness. Vulnerabilities get fixes, and they exist without anybody knowing about them. Vulnerabilities get CVEs assigned to them.

The exploit is the means of attack. It's the specific actions or calls that let you take advantage of a vulnerability. It could be a worm, or botnet scripts, or specifically crafted data[0]. A proof of concept is not an exploit itself, but it demonstrates that the vulnerability can be exploited.

An example of a vulnerability might be a gate where the gap between the door and the jamb is too wide. The exploit is a coat hanger used to lift the inside latch from outside the gate. That results in unprivileged access.

And zero-day specifically compares when the white hats (vendors, system owners) and the black hats learn about the existence of a vulnerability. If white hats learn that a vulnerability exists by being subject to an in-the-wild black hat exploit of it, then it's a true zero-day.

[0]: https://xkcd.com/327/

Explain what it means along with your statement. Maybe I have the wrong definition too.
(not op)

If a security bug is exploited in the wild, it's an n-day if it's been first exploited n days after the publication of the bug, and a zero-day if it's been exploited before or on the day of the publication.

When a bug is not yet exploited in the wild, it's just a discovery of a bug, not a zero-day.

Even that's revisionist.

Originally a zero-day exploit was one that was found by crackers on the first day of release of a software product. Like finding a licence crack for a new Microsoft program on the day it went on sale.

There used to be fierce competition to find such an exploit within those 24 hours, and great kudos for those who did.

Nowadays a zero-day can apparently be found years after release, which makes no sense.

Does "publication" refer to the software or to something documenting the existence of the bug? Because I thought zero-day meant the bug was exploited the same day the software containing the bug was released, but your phrasing sounds like if you exploit a bug before the maintainers know about it then it's a negative day.