Re: 0day: PDF pwns Windows

[Crispin Cowan <crispin () novell com>]

Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>   
> > A "private 0day exploit" (the case I was concerned with) would be where
> > someone develops an exploit, but does not deploy or publish it, holding
> > it in reserve to attack others at the time of their choosing. Presumably
> > if such a person wanted to keep it for very long, they would have to
> > base it on a vulnerability that they themselves discovered, and did not
> > publish.
> >     
> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit.  In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>   
Its a little less abstract than that. Consider that the United States
government might want to worry about whether some foreign nation is
banking a large pool of private 0day exploits in preparation for war.
Such a nation might farm these private 0day exploits by employing a pool
of vulnerability researchers and exploit developers, and just not
published the results.

This is a perfectly viable way to produce what amounts to Internet
munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
<http://www.internetnews.com/security/article.php/3678606> is an example
of such a network brush war in which possession of such an arsenal would
be very useful.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
        AppArmor Chat: irc.oftc.net/#apparmor