Do we really need to keep using "zero-day" term?

Discussion in 'Anti-Virus' started by VIrus Guy, Feb 16, 2012.

  1. VIrus Guy

    I understand the term "zero-day" to mean that whatever it is, it is in
    effect right now (not X days from now).

    Does anyone know the history of the usage of that term? When did it
    start to be used?

    What are examples of a "non zero-day" thing? (by thing, I could mean a
    vulnerability or an exploit).

    When was the last "non-zero-day" vulnerability or exploit?

    This was the story that sparked my question:

    =====================
    Adobe confirms new zero-day Flash bug

    http://www.computerworld.com/s/article/9224303/Adobe_confirms_new_zero_day_Flash_bug
    =====================

    So here's a side question:

    How can a bug be called "zero-day"?

    Is there an example of a bug or vulnerability that is, say, 5-day? Or
    10-day? Or 30-day?

    How can a piece of code (like Flash) be anything other than "zero-day"?
    Isn't it like saying:

    "well, we know that flash has a bug or vulnerability, but
    because of the peculiarities of its coding it won't actually
    become exploitable until X days from now"

    Is such a phenomenon possible?

    If not, then why refer to a bug as "X day" in the first place?
     
    VIrus Guy, Feb 16, 2012
    #1

  2. VIrus Guy wrote:
    > I understand the term "zero-day" to mean that whatever it is, it is in
    > effect right now (not X days from now).
    >
    > Does anyone know the history of the usage of that term? When did it
    > start to be used?
    >
    > What are examples of a "non zero-day" thing? (by thing, I could mean a
    > vulnerability or an exploit).
    >
    > When was the last "non-zero-day" vulnerability or exploit?
    >
    > This was the story that sparked my question:
    >
    > =====================
    > Adobe confirms new zero-day Flash bug
    >
    > http://www.computerworld.com/s/article/9224303/Adobe_confirms_new_zero_day_Flash_bug
    > =====================
    >
    > So here's a side question:
    >
    > How can a bug be called "zero-day"?
    >
    > Is there an example of a bug or vulnerability that is, say, 5-day? Or
    > 10-day? Or 30-day?
    >
    > How can a piece of code (like Flash) be anything other than "zero-day"?
    > Isn't it like saying:
    >
    > "well, we know that flash has a bug or vulnerability, but
    > because of the peculiarities of its coding it won't actually
    > become exploitable until X days from now"
    >
    > Is such a phenomenon possible?
    >
    > If not, then why refer to a bug as "X day" in the first place?


    Usually, zero-day just means it hasn't been addressed with a patch yet -
    IOW it is *still* an exploitable vulnerability as of the time of writing.

    Could be 'zero-year' or 'zero-decade' with some vulnerabilities having
    been exploited for years before being addressed.
     
    FromTheRafters, Feb 16, 2012
    #2

  3. kurt wismer

    On Feb 16, 9:42 am, VIrus Guy <> wrote:
    > I understand the term "zero-day" to mean that whatever it is, it is in
    > effect right now (not X days from now).


    umm, nope. as i understand it, the X-day term bled into the security
    lexicon from the warez scene, where for example you might find a BBS
    (yeah, this is back in the really old days) that would only accept
    uploads of 3-day warez or less (ie. it was officially released at most
    3 days ago). the X-day terminology may originally come from something
    even before the warez scene but that would be before my time.

    in security, a 0-day bug is one that's released before a patch for the
    bug is available. a bug that is released *after* the patch is made
    available never gets called a 0-day (although they technically all
    start out as 0-days). in fact, after patches are released i'm pretty
    sure we no longer say they are 0-days, we say they were 0-days.

    the adoption of the term hasn't been perfect, i've never heard of a 1-
    day, 2-day, 3-day, etc. vulnerability, but the general meaning of 0-
    day as something that is 'as new as it gets' is carried through to the
    adoptive field.
     
    kurt wismer, Feb 16, 2012
    #3
  4. Dustin

    VIrus Guy <> wrote in news::

    > I understand the term "zero-day" to mean that whatever it is, it is
    > in effect right now (not X days from now).


    Sort of.

    > Does anyone know the history of the usage of that term? When did it
    > start to be used?


    The warez scene, back when BBSes were the rage. It meant new software up to
    3 days old. You had to have status to get in that early.

    > If not, then why refer to a bug as "X day" in the first place?



    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts
     
    Dustin, Feb 16, 2012
    #4
  5. David H. Lipman

    From: "Dustin" <>

    > VIrus Guy <> wrote in news::
    >
    >> I understand the term "zero-day" to mean that whatever it is, it is
    >> in effect right now (not X days from now).

    >
    > Sort of.
    >
    >> Does anyone know the history of the usage of that term? When did it
    >> start to be used?

    >
    > The warez scene, back when BBSes were the rage. It meant new software up to
    > 3 days old. You had to have status to get in that early.
    >


    news:alt.binaries.warez.0-day


    > If not, then why refer to a bug as "X day" in the first place?
    >
    >



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Feb 16, 2012
    #5
  6. Bear

    On 2/16/2012 8:42 AM, VIrus Guy wrote:
    > I understand the term "zero-day" to mean that whatever it is, it is in
    > effect right now (not X days from now).
    >
    > Does anyone know the history of the usage of that term? When did it
    > start to be used?
    >
    > What are examples of a "non zero-day" thing? (by thing, I could mean a
    > vulnerability or an exploit).
    >
    > When was the last "non-zero-day" vulnerability or exploit?
    >
    > This was the story that sparked my question:
    >
    > =====================
    > Adobe confirms new zero-day Flash bug
    >
    > http://www.computerworld.com/s/article/9224303/Adobe_confirms_new_zero_day_Flash_bug
    > =====================
    >
    > So here's a side question:
    >
    > How can a bug be called "zero-day"?
    >
    > Is there an example of a bug or vulnerability that is, say, 5-day? Or
    > 10-day? Or 30-day?
    >
    > How can a piece of code (like Flash) be anything other than "zero-day"?
    > Isn't it like saying:
    >
    > "well, we know that flash has a bug or vulnerability, but
    > because of the peculiarities of its coding it won't actually
    > become exploitable until X days from now"
    >
    > Is such a phenomenon possible?
    >
    > If not, then why refer to a bug as "X day" in the first place?


    this is a very weird question IMO.

    --
    Bear
    http://bearware.info
    The real Bear's header path is:
    news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
     
    Bear, Feb 16, 2012
    #6
  7. Bear wrote:
    > On 2/16/2012 8:42 AM, VIrus Guy wrote:
    >> I understand the term "zero-day" to mean that whatever it is, it is in
    >> effect right now (not X days from now).
    >>
    >> Does anyone know the history of the usage of that term? When did it
    >> start to be used?
    >>
    >> What are examples of a "non zero-day" thing? (by thing, I could mean a
    >> vulnerability or an exploit).
    >>
    >> When was the last "non-zero-day" vulnerability or exploit?
    >>
    >> This was the story that sparked my question:
    >>
    >> =====================
    >> Adobe confirms new zero-day Flash bug
    >>
    >> http://www.computerworld.com/s/article/9224303/Adobe_confirms_new_zero_day_Flash_bug
    >>
    >> =====================
    >>
    >> So here's a side question:
    >>
    >> How can a bug be called "zero-day"?
    >>
    >> Is there an example of a bug or vulnerability that is, say, 5-day? Or
    >> 10-day? Or 30-day?
    >>
    >> How can a piece of code (like Flash) be anything other than "zero-day"?
    >> Isn't it like saying:
    >>
    >> "well, we know that flash has a bug or vulnerability, but
    >> because of the peculiarities of its coding it won't actually
    >> become exploitable until X days from now"
    >>
    >> Is such a phenomenon possible?
    >>
    >> If not, then why refer to a bug as "X day" in the first place?

    >
    > this is a very weird question IMO.
    >

    I agree, especially since "bug" is not well defined within this thread.

    Zero-day as it applies to software exploits is different from zero-day
    as it applies to non-software exploit based malware. If by "bug" he
    means 'software flaw' then such a 'bug' can exist for a long time
    without any vulnerability or exploit ever existing because of it. So
    'zero-day' becomes closer to 'forever-day' in such a case.
     
    FromTheRafters, Feb 16, 2012
    #7
  8. kurt wismer

    On Feb 16, 6:57 pm, FromTheRafters <> wrote:
    [snip]
    > I agree, especially since "bug" is not well defined within this thread.
    >
    > Zero-day as it applies to software exploits is different from zero-day
    > as it applies to non-software exploit based malware. If by "bug" he
    > means 'software flaw' then such a 'bug' can exist for a long time
    > without any vulnerability or exploit ever existing because of it. So
    > 'zero-day' becomes closer to 'forever-day' in such a case.


    umm, the software flaw IS the vulnerability. they are synonyms.
     
    kurt wismer, Feb 17, 2012
    #8
  9. kurt wismer wrote:
    > On Feb 16, 6:57 pm, FromTheRafters<> wrote:
    > [snip]
    >> I agree, especially since "bug" is not well defined within this thread.
    >>
    >> Zero-day as it applies to software exploits is different from zero-day
    >> as it applies to non-software exploit based malware. If by "bug" he
    >> means 'software flaw' then such a 'bug' can exist for a long time
    >> without any vulnerability or exploit ever existing because of it. So
    >> 'zero-day' becomes closer to 'forever-day' in such a case.

    >
    > umm, the software flaw IS the vulnerability. they are synonyms.


    I disagree, not all types of flaws in software lead to that software
    being vulnerable to attack. If the flaw is of a type that might allow
    some sort of an attack, it is a vulnerability.

    I remember OE used to have something like that - where when the subject
    line exceeded 255 characters, any further characters would push the
    previous ones into the space where the attachment name is supposed to
    go. If this was an overflowing buffer situation, then I would call it a
    flaw but not a vulnerability.
     
    FromTheRafters, Feb 17, 2012
    #9
  10. Virus Guy

    FromTheRafters wrote:

    > > umm, the software flaw IS the vulnerability. they are synonyms.

    >
    > I disagree, not all types of flaws in software lead to that software
    > being vulnerable to attack.


    What do you think we're talking about here?

    I even gave an example - a new so-called "zero-day" bug in Flash player.

    So again:

    What concept or idea is being conveyed when you call a vulnerability a
    "zero-day" vulnerability?

    And what concept or idea is being expressed when you call an exploit a
    "zero-day" exploit?
     
    Virus Guy, Feb 17, 2012
    #10
  11. kurt wismer

    On Feb 16, 9:57 pm, FromTheRafters <> wrote:
    > kurt wismer wrote:
    > > On Feb 16, 6:57 pm, FromTheRafters<>  wrote:
    > > [snip]
    > >> I agree, especially since "bug" is not well defined within this thread.

    >
    > >> Zero-day as it applies to software exploits is different from zero-day
    > >> as it applies to non-software exploit based malware. If by "bug" he
    > >> means 'software flaw' then such a 'bug' can exist for a long time
    > >> without any vulnerability or exploit ever existing because of it. So
    > >> 'zero-day' becomes closer to 'forever-day' in such a case.

    >
    > > umm, the software flaw IS the vulnerability. they are synonyms.

    >
    > I disagree, not all types of flaws in software lead to that software
    > being vulnerable to attack.


    ok, that part i thought was obvious. sorry for not being more clear.
    yes, we're specifically talking about flaws that enable undesirable
    security consequences. nobody applies the term 0-day to bugs that
    aren't vulnerabilities, as far as i know.
     
    kurt wismer, Feb 17, 2012
    #11
  12. kurt wismer

    On Feb 16, 10:08 pm, Virus Guy <> wrote:
    [snip]
    > What concept or idea is being conveyed when you call a vulnerability a
    > "zero-day" vulnerability?


    that it is new and as yet unhandled.

    > And what concept or idea is being expressed when you call an exploit a
    > "zero-day" exploit?


    that it is an exploit for a zero-day vulnerability.
     
    kurt wismer, Feb 17, 2012
    #12
  13. Virus Guy wrote:
    > FromTheRafters wrote:
    >
    >>> umm, the software flaw IS the vulnerability. they are synonyms.

    >>
    >> I disagree, not all types of flaws in software lead to that software
    >> being vulnerable to attack.

    >
    > What do you think we're talking about here?


    A software flaw that leads to a vulnerability that is perhaps being
    actively exploited.

    > I even gave an example - a new so-called "zero-day" bug in Flash player.


    The word "bug" is vague, but I didn't misunderstand the meaning here.

    > So again:
    >
    > What concept or idea is being conveyed when you call a vulnerability a
    > "zero-day" vulnerability?


    To the software vendor whose program has the security hole (bug?) it is
    the time after they first become aware of the hole to the time that they
    make the fix (patch) available to users. IOW the flaw is either being
    actively exploited, or through responsible disclosure they are informed,
    or they discover the flaw themselves - and they work (perhaps in secret)
    to issue a patch.

    To the malware authors, it is the time between the discovery of the
    working exploit code to the patch being issued (which can be a rather
    lengthy period). IOW the time between *their* awareness and the software
    vendor's fix.
    >
    > And what concept or idea is being expressed when you call an exploit a
    > "zero-day" exploit?


    "Get it while it's hot!"

    ...just that there is no fix available yet but there are possible
    work-arounds that can be put in place so it is better to inform than it
    is to suppress.

    As for AV/AM vendors and classic trojans and viruses, it is the time
    between discovering the need for detection of a particular malicious
    program and the issuing of the signature needed to make that detection
    possible.
     
    FromTheRafters, Feb 17, 2012
    #13
  14. kurt wismer wrote:
    > On Feb 16, 9:57 pm, FromTheRafters<> wrote:
    >> kurt wismer wrote:
    >>> On Feb 16, 6:57 pm, FromTheRafters<> wrote:
    >>> [snip]
    >>>> I agree, especially since "bug" is not well defined within this thread.

    >>
    >>>> Zero-day as it applies to software exploits is different from zero-day
    >>>> as it applies to non-software exploit based malware. If by "bug" he
    >>>> means 'software flaw' then such a 'bug' can exist for a long time
    >>>> without any vulnerability or exploit ever existing because of it. So
    >>>> 'zero-day' becomes closer to 'forever-day' in such a case.

    >>
    >>> umm, the software flaw IS the vulnerability. they are synonyms.

    >>
    >> I disagree, not all types of flaws in software lead to that software
    >> being vulnerable to attack.

    >
    > ok, that part i thought was obvious. sorry for not being more clear.
    > yes, we're specifically talking about flaws that enable undesirable
    > security consequences. nobody applies the term 0-day to bugs that
    > aren't vulnerabilities, as far as i know.


    True enough, but it might not have been obvious to everyone.

    A flaw can exist, and be discovered, and be of no consequence (no need
    to call it a zero-day anything). Perhaps, if it corrupts memory, and can
    overwrite a return pointer - all that an attacker would need is to
    populate the memory location that the attacker controls the pointer to
    and he would have an exploit - so it is termed a vulnerability even if
    no such exploit yet exists. So, the vulnerability is known to exist and
    is unpatched which to my view makes it a zero-day vulnerability. A
    malware author discovers a way to get shellcode into memory and corrupt
    the pointer to point there - a working exploit. This starts the malware
    author's zero-day period (zero-day exploit). The software vendor then
    becomes aware of the flaw actually being exploited and *their* zero-day
    period begins.

    All such periods end when a patch is made available, yet usually the
    malware continues to work on the many unpatched programs still out there.

    Sometimes, a patch appears before the exploit does - in fact the patch
    leads to the exploit being written. This illustrates how a zero-day
    vulnerability can be worked on in secret and patched thus avoiding any
    zero-day exploit leveraging that vulnerability. IIRC Blaster was like that.
     
    FromTheRafters, Feb 17, 2012
    #14
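The posts above describe three overlapping "zero-day periods": the vendor's (first awareness until a patch ships), the malware author's (working exploit until a patch ships), and the Blaster-style case where the patch arrives before any exploit, so no zero-day exploit ever exists. The script below is an added example, not code from anyone in this thread, that turns those definitions into date arithmetic so a defender can label a vulnerability's state on a given day and measure how long each window stayed open. The `VulnTimeline` fields and all dates are constructed placeholders, not real disclosure records for Flash, Blaster or anything else.

```python
# Added example (not from the thread): a small model of the "zero-day periods"
# described in posts #13 and #14. The vendor's window runs from first awareness
# to the patch, the attacker's window from a working exploit to the patch, and a
# patch that lands before any exploit leaves no zero-day exploit at all.
# All names and dates below are constructed samples.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VulnTimeline:
    name: str
    vendor_aware: Optional[date] = None    # vendor first learns of the flaw
    exploit_seen: Optional[date] = None    # working exploit first observed
    patch_released: Optional[date] = None  # fix made available to users


def _window_days(start: Optional[date], end: Optional[date], as_of: date) -> int:
    """Days from start until end (or until as_of if no end yet), clipped at as_of.
    Returns 0 when the start is unknown, still in the future, or after the end."""
    if start is None or start > as_of:
        return 0
    stop = as_of if end is None or end > as_of else end
    return max(0, (stop - start).days)


def vendor_zero_day_days(t: VulnTimeline, as_of: date) -> int:
    """Vendor's zero-day period: aware of the hole, no patch yet."""
    return _window_days(t.vendor_aware, t.patch_released, as_of)


def attacker_zero_day_days(t: VulnTimeline, as_of: date) -> int:
    """Attacker's zero-day period: working exploit exists, no patch yet."""
    return _window_days(t.exploit_seen, t.patch_released, as_of)


def classify(t: VulnTimeline, as_of: date) -> str:
    """Label the vulnerability's state on a given date."""
    patched = t.patch_released is not None and t.patch_released <= as_of
    known = any(d is not None and d <= as_of for d in (t.vendor_aware, t.exploit_seen))
    exploit_before_patch = (
        t.exploit_seen is not None and t.exploit_seen <= as_of
        and (t.patch_released is None or t.exploit_seen < t.patch_released)
    )
    if patched:
        # Once patched we say it *was* a zero-day, not that it is one.
        if exploit_before_patch:
            return "was a zero-day; patched"
        return "patched before any exploit: no zero-day exploit"
    if known:
        # Known and unpatched is the zero-day state, with or without an exploit yet.
        return "zero-day (unpatched)" + (", exploit in the wild" if exploit_before_patch else "")
    return "not yet known on this date"


# Constructed sample timelines (placeholder dates, not real disclosure records).
SAMPLES = {
    # exploited in the wild before the vendor knew; still unpatched on the as-of date
    "unpatched": VulnTimeline("unpatched", vendor_aware=date(2012, 2, 10),
                              exploit_seen=date(2012, 2, 8)),
    # patch shipped first, exploit written from the patch afterwards
    "patch_first": VulnTimeline("patch_first", vendor_aware=date(2012, 1, 1),
                                patch_released=date(2012, 1, 20),
                                exploit_seen=date(2012, 2, 5)),
    # flaw exists but nobody knows yet: a 'forever-day' in waiting
    "undiscovered": VulnTimeline("undiscovered"),
}


def report(as_of_iso: str) -> Dict[str, Tuple[int, int, str]]:
    """Per-sample (vendor days, attacker days, label) as of an ISO date string."""
    as_of = date.fromisoformat(as_of_iso)
    return {name: (vendor_zero_day_days(t, as_of), attacker_zero_day_days(t, as_of),
                   classify(t, as_of)) for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, (v, a, label) in report("2012-02-16").items():
        print(f"{name:12} vendor={v:2}d attacker={a:2}d  {label}")
```

Run as-is and the `unpatched` sample is a zero-day on both clocks (the attacker's window is longer because the exploit predates vendor awareness), `patch_first` shows a vendor window that closed without any attacker window ever opening, and `undiscovered` has no label at all, which is the point FromTheRafters makes: nobody calls a flaw a zero-day until it is known and unpatched.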
