
Current debate: what qualifies a vuln as "0-day"? After hearing someone use it in a way that surprised me, I asked 3 others and got 4 new answers, so…

What's your definition of "0-day"?

Boosts for wide sampling appreciated

Interesting range of responses, from "0-day is zero days since exploit (using the vuln burns the 0-day, and it's not a 0-day anymore)" to "0-day is zero days of prior disclosure to vendor before release" to "0-day is zero days of fix/patch availability"

I "grew up with" the strictest of those — a 0-day is something no one but the attacker is aware of; once it's out, it maybe WAS a 0-day but isn't anymore

@darrenpmeyer to me it means that the vendor, or whoever is responsible for publishing fixes for a given software system has had "0 days" to respond to this vulnerability; meaning that it is a vulnerability that has NOT been reported to the vendor.

@darrenpmeyer a vulnerability that is not yet known as CVE, but that is actively exploited.

@meena @darrenpmeyer That's what it used to mean. Now it just means that whoever is using the term thinks they're cool.

@darrenpmeyer I feel it depends who's discussing it, and why, and that this isn't a flaw in the definition. Somebody has had zero days... who?

Perhaps it's the flaw in your back pocket, waiting to be used. The admins haven't seen it, nor the vendors, nor the fellow hackers.

Perhaps it's the one you sold, now in someone else's back pocket. The admins and vendors remain in the dark.

Perhaps it's the one you told the vendor about, but they're sitting on it. And you're sitting on it. And the admins have no idea... yet.

Perhaps it's the one you overused a few times, so the admins raised an eyebrow, but the vendor is still flying blind.

But it's definitely not the one somebody posted a PoC of on reddit.

@darrenpmeyer I would say - vendor is unaware of the vuln and it is being exploited

@darrenpmeyer An unpatched vulnerability. Doesn't matter if the vendor or anybody knew about it, you had 0 days to apply any fix before it was exploited. Also it's usually impossible to determine when anybody knew about the bug, nobody agrees on whose knowledge matters etc. But availability of a patch is usually quite definitive. So it's days with patch, not days of knowledge.

@darrenpmeyer to the vendor I mean (I guess I typed faster than I wrote)

@darrenpmeyer If you want to test this, look for any example of full disclosure - someone drops details of e.g. an Exchange bug on e.g. Nov 10, which is then weaponized to an exploit on Nov 11 and used to own a massive bank on Nov 12. When the news is published on Nov 13, and a patch is still unavailable, what percentage of articles, tech reports, etc. will call this an "0day" vs "1day" or more? Answer: 100% will call it an 0day. Because it's unpatched.

@darrenpmeyer It doesn't matter that the vendor knew about it when the exploit was developed or attack happened. I have literally not seen a single exception.

By the alternative "it's only 0day if the vendor doesn't know about it" standard, nothing publicly published can describe an 0day, because once it's published, it's not an 0day.

But even though that's what people often *say* they want as a definition, it's not how any of us really use the language in practice.

@darrenpmeyer

0-day = no patch is available.

What does this mean for products that haven't pulled in a patch for a dependency (e.g., if Chrome doesn't have a security patch for libjpeg)?
- 0-day in Chrome
- Not 0-day in libjpeg

Next 🔥 question: how do you pronounce 0-day?

@adam I pronounce 0-day as 0-day. People who pronounce it 0-day are just as bad as people who say gif instead of gif.

@darrenpmeyer a vulnerability that has not been publicly disclosed, exists in the wild, potentially with existing PoC code

@darrenpmeyer 0-day is a software vulnerability that has not yet had a patch issued to fix it.

That's different from a vulnerability that exists for which a patch has been published yet the software operator has simply not applied the patch.

@darrenpmeyer Okay, I know this is bonkers, but I’m getting a vague memory of 0-day vulns being vulns in unpatched products. I vaguely remember, back in the day, 0-day vulns reported in Windows installation media, fixed in service packs. We used to keep service packs on CDs so we could update without putting an unpatched machine online. That’s what 0-day used to mean to me. Haven’t thought about it in ages!

@darrenpmeyer I "grew up" in the same era. The usefulness of the term 0-day is that "those who might be expected to know of such vulns" learned of the vuln when it was burned.

Now, let's define burned. 😉

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.