Do we really need to keep using "zero-day" term?

[VIrus Guy]

I understand the term "zero-day" to mean that what-ever it is, it is in
effect right now (not X days from now).

Does anyone know the history of the usage of that term? When did it
start to be used?

What are examples of a "non zero-day" thing? (by thing, I could mean a
vulnerability or an exploit).

When was the last "non-zero-day" vulnerability or exploit?

This was the story that sparked my question:

=====================
Adobe confirms new zero-day Flash bug

http://www.computerworld.com/s/article/9224303/Adobe_confirms_new_zero_day_Flash_bug
=====================

So here's a side question:

How can a bug be called "zero-day?

Is there an example of a bug or vulnerability that is, say , 5-day? Or
10-day? Or 30-day?

How can a piece of code (like flash) be anything other than "zero-day"?
Isin't it like saying:

"well, we know that flash has a bug or vulnerability, but
because of the peculiarities of its coding it won't actually
become exploitable until X days from now"

Is such a phenomena possible?

If not, then why refer to a bug as "X day" in the first place?

 

[FromTheRafters]

I understand the term "zero-day" to mean that what-ever it is, it is in
effect right now (not X days from now).

Does anyone know the history of the usage of that term? When did it
start to be used?

What are examples of a "non zero-day" thing? (by thing, I could mean a
vulnerability or an exploit).

When was the last "non-zero-day" vulnerability or exploit?

This was the story that sparked my question:

=====================
Adobe confirms new zero-day Flash bug

http://www.computerworld.com/s/article/9224303/Adobe_confirms_new_zero_day_Flash_bug
=====================

So here's a side question:

How can a bug be called "zero-day?

Is there an example of a bug or vulnerability that is, say , 5-day? Or
10-day? Or 30-day?

How can a piece of code (like flash) be anything other than "zero-day"?
Isin't it like saying:

"well, we know that flash has a bug or vulnerability, but
because of the peculiarities of its coding it won't actually
become exploitable until X days from now"

Is such a phenomena possible?

If not, then why refer to a bug as "X day" in the first place?

Usually, zero-day just means it hasn't been addressed with a patch yet -
IOW it is *still* an exploitable vulnerability as of the time of writing.

Could be 'zero-year' or zero-decade' with some vulnerabilities having
been exploited for years before being addressed.

 

[kurt wismer]

I understand the term "zero-day" to mean that what-ever it is, it is in
effect right now (not X days from now).

umm, nope. as i understand it, the X-day term bled into the security
lexicon from the warez scene, where for example you might find a BBS
(yeah, this is back in the really old days) that would only accept
uploads of 3-day warez or less (ie. it was officially released at most
3 days ago). the X-day terminology may originally come from something
even before the warez scene but that would be before my time.

in security, a 0-day bug is one that's released before a patch for the
bug is available. a bug that is released *after* the patch is made
available never gets called a 0-day (although they technically all
start out as 0-days). in fact, after patches are released i'm pretty
sure we no longer say they are 0-days, we say they were 0-days.

the adoption of the term hasn't been perfect, i've never heard of a 1-
day, 2-day, 3-day, etc. vulnerability, but the general meaning of 0-
day as something that is 'as new as it gets' is carried through to the
adoptive field.

 

[Dustin]

I understand the term "zero-day" to mean that what-ever it is, it is
in effect right now (not X days from now).

Sort of.

Does anyone know the history of the usage of that term? When did it
start to be used?

The warez scene, back when BBSes were the rage. It meant new software upto
3 days old. You had to have status to get in that early.

If not, then why refer to a bug as "X day" in the first place?

 

[David H. Lipman]

Sort of.


The warez scene, back when BBSes were the rage. It meant new software upto
3 days old. You had to have status to get in that early.



If not, then why refer to a bug as "X day" in the first place?

 

[Bear]

I understand the term "zero-day" to mean that what-ever it is, it is in
effect right now (not X days from now).

Does anyone know the history of the usage of that term? When did it
start to be used?

What are examples of a "non zero-day" thing? (by thing, I could mean a
vulnerability or an exploit).

When was the last "non-zero-day" vulnerability or exploit?

This was the story that sparked my question:

=====================
Adobe confirms new zero-day Flash bug

http://www.computerworld.com/s/article/9224303/Adobe_confirms_new_zero_day_Flash_bug
=====================

So here's a side question:

How can a bug be called "zero-day?

Is there an example of a bug or vulnerability that is, say , 5-day? Or
10-day? Or 30-day?

How can a piece of code (like flash) be anything other than "zero-day"?
Isin't it like saying:

"well, we know that flash has a bug or vulnerability, but
because of the peculiarities of its coding it won't actually
become exploitable until X days from now"

Is such a phenomena possible?

If not, then why refer to a bug as "X day" in the first place?

this is a very weird question IMO.

 

[FromTheRafters]

this is a very weird question IMO.

I agree, especially since "bug" is not well defined within this thread.

Zero-day as it applies to software exploits is different from zero-day
as it applies to non-software exploit based malware. If by "bug" he
means 'software flaw' then such a 'bug' can exist for a long time
without any vulnerability or exploit ever existing because of it. So
'zero-day' becomes closer to 'forever-day' in such a case.

 

[kurt wismer]

I agree, especially since "bug" is not well defined within this thread.

Zero-day as it applies to software exploits is different from zero-day
as it applies to non-software exploit based malware. If by "bug" he
means 'software flaw' then such a 'bug' can exist for a long time
without any vulnerability or exploit ever existing because of it. So
'zero-day' becomes closer to 'forever-day' in such a case.

umm, the software flaw IS the vulnerability. they are synonyms.

 

[FromTheRafters]

umm, the software flaw IS the vulnerability. they are synonyms.

I disagree, not all types of flaws in software lead to that software
being vulnerable to attack. If the flaw is of a type that might allow
some sort of an attack, it is a vulnerability.

I remember OE used to have something like that - where when the subject
line exceeded 255 characters, any further characters would push the
previous ones into the space where the attachment name is supposed to
go. If this was an overflowing buffer situation, then I would call it a
flaw but not a vulnerability.

 

[Virus Guy]

I disagree, not all types of flaws in software lead to that software
being vulnerable to attack.

What do you think we're talking about here?

I even gave an example - a new so-called "zero-day" bug in Flash player.

So again:

What concept or idea is being conveyed when you call a vulnerability a
"zero-day" vulnerability?

And what concept or idea is being expressed when you call an exploit a
"zero-day" exploit?

 

[kurt wismer]

I disagree, not all types of flaws in software lead to that software
being vulnerable to attack.

ok, that part i thought was obvious. sorry for not being more clear.
yes, we're specifically talking about flaws that enable undesirable
security consequences. nobody applies the term 0-day to bugs that
aren't vulnerabilities, as far as i know.

 

[kurt wismer]

What concept or idea is being conveyed when you call a vulnerability a
"zero-day" vulnerability?

that it is new and as yet unhandled.

And what concept or idea is being expressed when you call an exploit a
"zero-day" exploit?

that it is an exploit for a zero-day vulnerability.

 

[FromTheRafters]

What do you think we're talking about here?

A software flaw that leads to a vulnerability that is perhaps being
actively exploited.

I even gave an example - a new so-called "zero-day" bug in Flash player.

The word "bug" is vague, but I didn't misunderstand the meaning here.

So again:

What concept or idea is being conveyed when you call a vulnerability a
"zero-day" vulnerability?

To the software vendor whose program has the security hole (bug?) it is
the time after they first become aware of the hole to the time that they
make the fix (patch) available to users. IOW the flaw is either being
actively exploited, or through responsible disclosure they are informed,
or they discover the flaw themselves - and they work (perhaps in secret)
to issue a patch.

To the malware authors, it is the time between the discovery of the
working exploit code to the patch being issued (which can be a rather
lengthy period). IOW the time between *their* awareness and the software
vendor's fix.

And what concept or idea is being expressed when you call an exploit a
"zero-day" exploit?

"Get it while it's hot!"

....just that there is no fix available yet but there are possible
work-arounds that can be put in place so it is better to inform than it
is to suppress.

As for AV/AM vendors and classic trojans and viruses, it is the time
between discovering the need for detection of a particular malicious
program and the issuing of the signature needed to make that detection
possible.

 

[FromTheRafters]

[snip]
I agree, especially since "bug" is not well defined within this thread.

Zero-day as it applies to software exploits is different from zero-day
as it applies to non-software exploit based malware. If by "bug" he
means 'software flaw' then such a 'bug' can exist for a long time
without any vulnerability or exploit ever existing because of it. So
'zero-day' becomes closer to 'forever-day' in such a case.

umm, the software flaw IS the vulnerability. they are synonyms.

I disagree, not all types of flaws in software lead to that software
being vulnerable to attack.

ok, that part i thought was obvious. sorry for not being more clear.
yes, we're specifically talking about flaws that enable undesirable
security consequences. nobody applies the term 0-day to bugs that
aren't vulnerabilities, as far as i know.

True enough, but it might not have been obvious to everyone.

A flaw can exist, and be discovered, and be of no consequence (no need
to call it a zero-day anything). Perhaps, if it corrupts memory, and can
overwrite a return pointer - all that an attacker would need is to
populate the memory location that the attacker controls the pointer to
and he would have an exploit - so it is termed a vulnerability even if
no such exploit yet exists. So, the vulnerability is known to exist and
is unpatched which to my view makes it a zero-day vulnerability. A
malware author discovers a way to get shellcode into memory and corrupt
the pointer to point there - a working exploit. This starts the malware
author's zero-day period (zero-day exploit). The software vendor then
becomes aware of the flaw actually being exploited and *their* zero-day
period begins.

All such periods end when a patch is made available, yet usually the
malware continues to work on the many unpatched programs still out there.

Sometimes, a patch appears before the exploit does - in fact the patch
leads to the exploit being written. This illustrates how a zero-day
vulnerability can be worked on in secret and patched thus avoiding any
zero-day exploit leveraging that vulnerability. IIRC Blaster was like that.