Do we really need to keep using "zero-day" term?

Discussion in 'Anti-Virus' started by VIrus Guy, Feb 16, 2012.

  1. VIrus Guy

    VIrus Guy Guest

    I understand the term "zero-day" to mean that whatever it is, it is in
    effect right now (not X days from now).

    Does anyone know the history of the usage of that term? When did it
    start to be used?

    What are examples of a "non zero-day" thing? (by thing, I could mean a
    vulnerability or an exploit).

    When was the last "non-zero-day" vulnerability or exploit?

    This was the story that sparked my question:

    Adobe confirms new zero-day Flash bug

    So here's a side question:

    How can a bug be called "zero-day"?

    Is there an example of a bug or vulnerability that is, say, 5-day? Or
    10-day? Or 30-day?

    How can a piece of code (like flash) be anything other than "zero-day"?
    Isn't it like saying:

    "well, we know that flash has a bug or vulnerability, but
    because of the peculiarities of its coding it won't actually
    become exploitable until X days from now"

    Is such a phenomenon possible?

    If not, then why refer to a bug as "X day" in the first place?
    VIrus Guy, Feb 16, 2012

  2. Usually, zero-day just means it hasn't been addressed with a patch yet -
    IOW it is *still* an exploitable vulnerability as of the time of writing.

    Could be 'zero-year' or 'zero-decade' with some vulnerabilities having
    been exploited for years before being addressed.
    FromTheRafters, Feb 16, 2012

  3. kurt wismer Guest

    umm, nope. as i understand it, the X-day term bled into the security
    lexicon from the warez scene, where for example you might find a BBS
    (yeah, this is back in the really old days) that would only accept
    uploads of 3-day warez or less (ie. it was officially released at most
    3 days ago). the X-day terminology may originally come from something
    even before the warez scene but that would be before my time.

    in security, a 0-day bug is one that's released before a patch for the
    bug is available. a bug that is released *after* the patch is made
    available never gets called a 0-day (although they technically all
    start out as 0-days). in fact, after patches are released i'm pretty
    sure we no longer say they are 0-days, we say they were 0-days.

    the adoption of the term hasn't been perfect, i've never heard of a 1-
    day, 2-day, 3-day, etc. vulnerability, but the general meaning of 0-
    day as something that is 'as new as it gets' is carried through to the
    adoptive field.
    kurt wismer, Feb 16, 2012
  4. Dustin Guest

    Sort of.
    The warez scene, back when BBSes were the rage. It meant new software up to
    3 days old. You had to have status to get in that early.

    If not, then why refer to a bug as "X day" in the first place?
    Dustin, Feb 16, 2012
    David H. Lipman, Feb 16, 2012
  6. Bear Guest

    this is a very weird question IMO.
    Bear, Feb 16, 2012
  7. I agree, especially since "bug" is not well defined within this thread.

    Zero-day as it applies to software exploits is different from zero-day
    as it applies to non-software exploit based malware. If by "bug" he
    means 'software flaw' then such a 'bug' can exist for a long time
    without any vulnerability or exploit ever existing because of it. So
    'zero-day' becomes closer to 'forever-day' in such a case.
    FromTheRafters, Feb 16, 2012
  8. kurt wismer Guest

    umm, the software flaw IS the vulnerability. they are synonyms.
    kurt wismer, Feb 17, 2012
  9. I disagree; not all types of flaws in software lead to that software
    being vulnerable to attack. If the flaw is of a type that might allow
    some sort of an attack, it is a vulnerability.

    I remember OE used to have something like that, where, when the subject
    line exceeded 255 characters, any further characters would push the
    previous ones into the space where the attachment name is supposed to
    go. If this was an overflowing buffer situation, then I would call it a
    flaw but not a vulnerability.
    FromTheRafters, Feb 17, 2012
  10. Virus Guy Guest

    What do you think we're talking about here?

    I even gave an example - a new so-called "zero-day" bug in Flash player.

    So again:

    What concept or idea is being conveyed when you call a vulnerability a
    "zero-day" vulnerability?

    And what concept or idea is being expressed when you call an exploit a
    "zero-day" exploit?
    Virus Guy, Feb 17, 2012
  11. kurt wismer Guest

    ok, that part i thought was obvious. sorry for not being more clear.
    yes, we're specifically talking about flaws that enable undesirable
    security consequences. nobody applies the term 0-day to bugs that
    aren't vulnerabilities, as far as i know.
    kurt wismer, Feb 17, 2012
  12. kurt wismer Guest

    that it is new and as yet unhandled.
    that it is an exploit for a zero-day vulnerability.
    kurt wismer, Feb 17, 2012
  13. A software flaw that leads to a vulnerability that is perhaps being
    actively exploited.
    The word "bug" is vague, but I didn't misunderstand the meaning here.
    To the software vendor whose program has the security hole (bug?) it is
    the time after they first become aware of the hole to the time that they
    make the fix (patch) available to users. IOW the flaw is either being
    actively exploited, or through responsible disclosure they are informed,
    or they discover the flaw themselves - and they work (perhaps in secret)
    to issue a patch.

    To the malware authors, it is the time between the discovery of the
    working exploit code to the patch being issued (which can be a rather
    lengthy period). IOW the time between *their* awareness and the software
    vendor's fix.
    "Get it while it's hot!"

    ...just that there is no fix available yet but there are possible
    work-arounds that can be put in place so it is better to inform than it
    is to suppress.

    As for AV/AM vendors and classic trojans and viruses, it is the time
    between discovering the need for detection of a particular malicious
    program and the issuing of the signature needed to make that detection.
    FromTheRafters, Feb 17, 2012
  14. True enough, but it might not have been obvious to everyone.

    A flaw can exist, and be discovered, and be of no consequence (no need
    to call it a zero-day anything). Perhaps, if it corrupts memory, and can
    overwrite a return pointer - all that an attacker would need is to
    populate the memory location that the attacker controls the pointer to
    and he would have an exploit - so it is termed a vulnerability even if
    no such exploit yet exists. So, the vulnerability is known to exist and
    is unpatched which to my view makes it a zero-day vulnerability. A
    malware author discovers a way to get shellcode into memory and corrupt
    the pointer to point there - a working exploit. This starts the malware
    author's zero-day period (zero-day exploit). The software vendor then
    becomes aware of the flaw actually being exploited and *their* zero-day
    period begins.

    All such periods end when a patch is made available, yet usually the
    malware continues to work on the many unpatched programs still out there.

    Sometimes, a patch appears before the exploit does - in fact the patch
    leads to the exploit being written. This illustrates how a zero-day
    vulnerability can be worked on in secret and patched thus avoiding any
    zero-day exploit leveraging that vulnerability. IIRC Blaster was like that.
    FromTheRafters, Feb 17, 2012
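The two posts above describe the zero-day window from several viewpoints: the vendor's (awareness to patch), the attacker's (working exploit to patch), the case where the patch ships before any exploit exists, and the "zero-decade" case of a flaw exploited for years unpatched. The following Python script is an added example, not code from the thread or any of its posters; it models those timelines with constructed, illustrative dates (not taken from any real advisory) so the labels and window lengths in the discussion can be computed rather than argued about.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass
class VulnTimeline:
    """Key dates for one vulnerability; None means unknown or not yet happened."""
    name: str
    vendor_aware: Optional[date] = None    # vendor first learned of the flaw
    exploit_seen: Optional[date] = None    # working exploit first observed
    patch_released: Optional[date] = None  # fix made available to users


def classify(tl: VulnTimeline, today: date) -> str:
    """Label the vulnerability the way the thread uses the term: 'zero-day'
    while unpatched, 'was a zero-day' once the patch ships, and never a
    'zero-day exploit' if the exploit only appeared after the patch."""
    patched = tl.patch_released is not None and tl.patch_released <= today
    exploited = tl.exploit_seen is not None and tl.exploit_seen <= today
    if not patched:
        if exploited:
            return "zero-day exploit in the wild"
        return "zero-day vulnerability (no exploit seen)"
    if exploited and tl.exploit_seen < tl.patch_released:
        return "patched; was a zero-day exploit"
    return "patched; never a zero-day exploit"


def windows(tl: VulnTimeline, today: date) -> Dict[str, Optional[int]]:
    """Days each party's zero-day window has run so far.

    vendor:   from the vendor becoming aware until the patch (or until today)
    attacker: from the working exploit until the patch (or until today)
    None means that window has not started; 0 means the patch beat the start.
    """
    patched = tl.patch_released is not None and tl.patch_released <= today
    end = tl.patch_released if patched else today
    result: Dict[str, Optional[int]] = {}
    for party, start in (("vendor", tl.vendor_aware), ("attacker", tl.exploit_seen)):
        if start is None or start > today:
            result[party] = None
        else:
            result[party] = max(0, (end - start).days)
    return result


# Constructed sample timelines (dates are illustrative, not from any advisory).
SAMPLES = [
    # Exploit observed before the vendor knew, no patch yet: a live zero-day.
    VulnTimeline("player-plugin (constructed)", vendor_aware=date(2012, 2, 14),
                 exploit_seen=date(2012, 2, 10)),
    # Patch shipped before any exploit existed: the "patch led to the exploit" case.
    VulnTimeline("patch-first (constructed)", vendor_aware=date(2000, 12, 1),
                 exploit_seen=date(2001, 2, 1), patch_released=date(2001, 1, 10)),
    # Exploited for years with no patch and no known vendor awareness: "zero-decade".
    VulnTimeline("long-unpatched (constructed)", exploit_seen=date(2010, 1, 1)),
]


def report(today: date = date(2012, 2, 16)) -> Dict[str, str]:
    """Summarize each sample as 'label (vendor=N, attacker=M)' keyed by name."""
    out: Dict[str, str] = {}
    for tl in SAMPLES:
        w = windows(tl, today)
        out[tl.name] = f"{classify(tl, today)} (vendor={w['vendor']}, attacker={w['attacker']})"
    return out


if __name__ == "__main__":
    for name, line in report().items():
        print(f"{name}: {line}")
```

Running it as of the thread's date (2012-02-16) shows the three shapes the posters describe: the first sample is a live zero-day with the attacker's window already longer than the vendor's, the second was patched 40 days after the vendor learned of it and before any exploit appeared, so its attacker window is 0, and the third has an attacker window of over two years with no vendor window at all.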
