By gravax on Mar 15, 2007
OK... so I keep hearing about zero-day vulnerabilities... I think journalists sometimes need to get a clue.
ZERO-DAY vulnerability is a term that doesn't make sense.
Think about it.
The real term they are looking for is zero-day ATTACK or zero-day EXPLOIT. These terms refer to an attack (or attack code) that appears on the net on the same day as (or before) a vulnerability is made known, or disclosed in some other way. In this context, the attack or exploit is truly on day zero of the vulnerability being known... since, in most of the cases where this happens, it is when the attack / exploit becomes public that the vulnerability becomes known.
Often, actually, this is because the vendor affected by the vulnerability didn't want it publicized (for fear of loss of reputation) so the users actually end up not being protected on the day the attack is out in the wild. This is ridiculous, of course, but some companies still believe that. Mostly, these are companies developing software in closed-source mode, rather than open source.
It could also be because an attacker found a flaw and decides to exploit it as soon as possible before it gets known or fixed... but in the open source world, this is almost never possible given that good guys find the flaws at about the same speed as the bad guys... and immediately report them to the vendors (see my previous (in French) entry on the telnet hole in Solaris that was fixed extremely fast thanks to this being disclosed to us so quickly).
So... back to zero-day vulnerabilities. It's simple... vulnerabilities are found on the day they are found. So they are either all zero-day... or it really doesn't make sense to call them zero-day... but it should be the same for all vulnerabilities.
Unfortunately, journalists without a clue think that it sounds more impressive (more hacker-style?) to call something "zero-day"... than not... and it sounds/looks so good when put right in front of the word "vulnerability" that they just can't resist.
Tomorrow we'll have zero-day operating systems... zero-day software (available the day it is made available?)... zero-day news (oh... wait... that's already usually the case, thanks to companies like Reuters who do a fantastic job of bringing in the news in as close to real time as possible)...
All right... so. Takeaway from today's rant: only call things zero-day when it makes actual sense. Zero-day attack: yes. Zero-day exploit: yes. Zero-day vulnerability: just say NO!