Re: [Full-disclosure] 0day: PDF pwns Windows

[Chad Perrin <perrin () apotheon com>]

On Thu, Sep 20, 2007 at 06:34:03PM -0400, Joey Mengele wrote:
> Dear Fatboy,
>
> Let's put aside for a minute the fact that you have no idea what 
> you are talking about and let's also, for the benefit of this very 
> valuable debate, assume your definition is correct. First, please 
> prove this bug was never used in the wild. After that, please prove 
> your credibility in the realm of defining words related to illegal 
> computer hacking. Thanks.

Tell me something -- what do *you* think "zero day" means that
differentiates it from "not zero day"?  I keep seeing people use the term
"zero day" (or "0day" or however you want to spell it) without any regard
for how this is meant to differentiate it from some alternative to "zero
day", and I have to wonder what these people think the term means.  Do
you just regard it as a way to make discovery of a vulnerability as more
"important" or "exciting"?  Why exactly use the term if it has no
meaning other than "look at this!"?

There is no such thing as a "zero day vulnerability".  A "zero day
exploit" is an exploit that has been used to compromise systems by the
"bad guys" before the "good guys" discovered it or, arguably, an exploit
being used by the "bad guys" before the "good guys" have developed a
patch for it.  It's not a proof of concept that no "bad guy" has any use
for, and it's not a vulnerability that someone outside of a vendor
discovered before the vendor announced its discovery.  If you have a
definition of the term "zero day" in a computer security context that
contradicts mine, I'd love to read your reasoning and see your sources.
After all, I can't learn anything new if I ignore things that I don't
already know.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
MacUser, Nov. 1990: "There comes a time in the history of any project when
it becomes necessary to shoot the engineers and begin production."