Full Disclosure mailing list archives

Re: 0-day "vulnerability"

From: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming () simplicitymedialtd co uk>
Date: Fri, 29 Oct 2010 03:23:57 +0100

Yeah, just for the record, this thread is now hitting google spam filters :S

On Fri, Oct 29, 2010 at 2:03 AM, Josey Yelsef <hg_exposed () yahoo com> wrote:

0-day is a scene word. Connotations are inferred, you're more precise
definition is pretty much what people already assume.

Desensitization to security is a serious issue also. Look at homeland
security's warning level system. Look at the news of deaths in Iraq and
Afghanistan. It's boring as looking up at the blue sky.

--- On *Thu, 10/28/10, Thor (Hammer of God) <thor () hammerofgod com>* wrote:


From: Thor (Hammer of God) <thor () hammerofgod com>
Subject: Re: [Full-disclosure] 0-day "vulnerability"
To: "Curt Purdy" <infosysec () gmail com>, "Thor (Hammer of God)" <
thor () hammerofgod com>
Cc: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>,
"full-disclosure-bounces () lists grok org uk" <
full-disclosure-bounces () lists grok org uk>
Date: Thursday, October 28, 2010, 5:14 PM

I would further define it as "code that can be run on a machine remotely
without any human interaction."   What I think would be ultimately effective
is if researches and those who make disclosure announcements quit trying to
make their discoveries or processes "cool" and just stick to the facts.
Vendors want to downplay vulnerabilities, disclosures want it to sound as
bad as it can be.  That's why we have people describing a user following a
link in an email to download something from their site to be subsequently
executed as "Remote Code Execution" that is "Moderately Critical" as if
there are actually varying degrees of "Critical."

The same holds true for quantifying "likelihood of exploitation" as "high"
based on what researchers call "extremely common deployment environments in
many businesses" when they are actually inferring what they THINK is common
based on what two of their 5-10 workstation clients are doing  with XP
peer-to-peer configurations.

I think that the only people really paying any attention to this are other
researchers, who basically ignore what other people call something - this
doesn't really benefit the "user."  People want the "vulnerability" they
"discover" to be awesome and cool and critical because it substantiates
their egos.  For now, preceding anything with "0-day" is a way of invoking
fear and urgency as if it represents some immanent disaster, but soon people
will become desensitized to that as well.

t

-----Original Message-----
From: Curt Purdy [mailto:infosysec () gmail com<http://mc/compose?to=infosysec () gmail com>

Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Cc: w0lfd33m () gmail com <http://mc/compose?to=w0lfd33m () gmail com>;

full-disclosure-bounces () lists grok org uk<http://mc/compose?to=full-disclosure-bounces () lists grok org uk>;
full-

disclosure () lists grok org uk<http://mc/compose?to=disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] 0-day "vulnerability"

Right as usual t-man, but while we are doing F&Ws job for them, "Remote
code execution" is: any program you can run on a machine you can't touch

(for

further explanation, "man touch").

Curt



On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
<thor () hammerofgod com <http://mc/compose?to=thor () hammerofgod com>> wrote:

None of this really matters.  People will call it whatever they want

to.  Generally, all software has some sort of vulnerability.  If they want

to call

the process of that vulnerability being communicated for the first time "0

day

vulnerability" then so what.


The industry can't (and won't) even come up with what "Remote Code

Execution" really means, so trying to standardize disclosure nomenclature

is a

waste of time IMO.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk<http://mc/compose?to=full-disclosure-bounces () lists grok org 
uk>
[mailto:full-disclosure- bounces () lists grok org uk<http://mc/compose?to=bounces () lists grok org uk>]

On Behalf Of

w0lfd33m () gmail com <http://mc/compose?to=w0lfd33m () gmail com>
Sent: Thursday, October 28, 2010 9:25 AM
To: Curt Purdy; full-disclosure-bounces () lists grok org uk<http://mc/compose?to=full-disclosure-bounces () lists 
grok org uk>;

full-

disclosure () lists grok org uk<http://mc/compose?to=disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] 0-day "vulnerability"

Yep. Totally agree. Vulnerability exists in the system since it has
been developed. It is just the matter when it has been disclosed or

being

exploited.

I would suggest " 0 day disclosure" instead of "0 day vulnerability"
:)

------Original Message------
From: Curt Purdy
Sender: full-disclosure-bounces () lists grok org uk<http://mc/compose?to=full-disclosure-bounces () lists grok 
org uk>
To: full-disclosure () lists grok org uk<http://mc/compose?to=full-disclosure () lists grok org uk>
Subject: [Full-disclosure] 0-day "vulnerability"
Sent: Oct 28, 2010 8:48 PM

Sorry to rant, but I have seen this term used once too many times to
sit idly by. And used today by what I once thought was a respectable
infosec publication (that will remain nameless) while referring to the
current Firefox vulnerability (that did, by the way, once have a 0-day
sploit)  Also, by definition, a 0-day no longer exists the moment it
is announced ;)

For once and for all: There is no such thing as a "zero-day

vulnerability"

(quoted), only a 0-day exploit...

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Sent from BlackBerry(r) on Airtel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
support () simplicitymedialtd co uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leeming () simplicitymedialtd co uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: 0-day "vulnerability", (continued)
- - Re: 0-day "vulnerability" Josey Yelsef (Oct 28)
    - Re: 0-day "vulnerability" Benji (Oct 28)
- Re: 0-day "vulnerability" w0lfd33m (Oct 28)
  - Re: 0-day "vulnerability" Curt Purdy (Oct 28)
  - Re: 0-day "vulnerability" Thor (Hammer of God) (Oct 28)
    - Re: 0-day "vulnerability" Curt Purdy (Oct 28)
    - Re: 0-day "vulnerability" Thor (Hammer of God) (Oct 28)
    - Re: 0-day "vulnerability" Curt Purdy (Oct 28)
    - Re: 0-day "vulnerability" Christian Sciberras (Oct 28)
    - Re: 0-day "vulnerability" Josey Yelsef (Oct 28)
    - Re: 0-day "vulnerability" Cal Leeming [Simplicity Media Ltd] (Oct 28)
    - Re: 0-day "vulnerability" w0lfd33m (Oct 28)
    - Re: 0-day "vulnerability" Tyler Borland (Oct 29)
    - Re: 0-day "vulnerability" Cal Leeming [Simplicity Media Ltd] (Oct 29)
    - Re: 0-day "vulnerability" Marsh Ray (Oct 29)
    - Re: 0-day "vulnerability" w0lfd33m (Oct 28)
  - Re: 0-day "vulnerability" Akhthar Parvez K (Oct 28)
- Re: 0-day "vulnerability" w0lfd33m (Oct 28)