Tuesday, February 9, 2010

0(mfg)day

The term 0day has lost any significance in meaning. The original meaning was that a public vulnerability disclosure was made and the same day someone produces a working exploit.



Now 0day can mean a lot of things. It usually means something to the effect of “an exploit for which there is no patch available” but depending on who you ask it might mean “an exploit that’s leet because I wrote it”.



I’d like to throw some terms out here that are much more sensible than 0day. The scary thing about 0day is that there’s isn’t a fix for it. Perhaps in one situation it’s because no one knows about the vulnerability. Maybe the exploit was discovered being used in the wild. In any case, the fear is not that some shadowy person or organization has an exploit that they aren’t sharing; the scary thing is that there’s no fix. It is an unpatched vulnerability. If last Wednesday there was an announcement on bugtraq of a vulnerability in Flash, and today you got hacked (because it’s not Adobe’s Patch October yet) you didn’t necessarily get hacked by 0day. You got hacked by an unpatched vulnerability. Maybe the exploit was created the day of the announcement, maybe it was created days later. It doesn’t matter. You got breached because there was no fix and you didn’t disable Flash.



The term unpatched vulnerability is being used here and there on the Internet already. A term that isn’t being used but really should be is proprietary exploit. At the time of this writing a google search for “proprietary exploit” (quotes included) returns 449 results. When people talk about 0day exploits because they want to sound cool, what they’re often thinking of are proprietary exploits. These are exploits that aren’t being shared. Maybe the vulnerability isn’t patched, maybe it’s not even publicly known. That’s really the essence of the threat with proprietary exploits: maybe people are breaching your systems using attacks your scanners can’t detect because no one even knows there’s a vulnerability. That’s why people use the term wanting to sound cool, “I’ve got 0day so you can’t keep me out.” Perhaps after some high-profile compromise (Google/Aurora) people will capture samples of the exploit code and figure out what the vulnerability is.



Anyway, the purpose of this is not to inspire fear for threats you can’t fully defend against. I’m just sick of the term 0day and the way it’s used by people who don’t know what they’re talking about. If you understand the difference, will you pick terms with less ambiguity and media baggage?

No comments:

Post a Comment