And going off on a tangent here... Have we changed the meaning of
"Zero Day Vulnerability"? According to my understanding, and as
corroborated by Wikipedia, a "Zero-day attack" refers to a situation
where "There are zero days between the time the vulnerability is
discovered (and made public), and the first attack." But in this
case we have not yet seen any attack, so it would be more proper to
refer to this as an n-day vulnerability, where n indicates the number
of days since the vulnerability was discovered. Or has "0-day"
suffered journalistic inflation, like so much of our terminology? If
every discovered vulnerability is now considered "0-day", then what
function does the modifier "0-day" serve? What then makes a "0-day"
vulnerability different from a non 0-day vulnerability?

This is much like the misused term DDoS, where in many cases the
first "D" is irrelevant and simply DoS would serve. Sigh.

At 4/29/2014 11:29 AM Tuesday, David Graff wrote:
>I agree that this is sensationalist. We have arbitrary code execution
>vulnerabilities against Flash, Acrobat, and Java all the time and those have
>active user bases on par with IE these days. What's one more way to
>infiltrate an XP system?
>But, if you're looking for mitigation against unpatched buffer overrun
>attacks Windows, it's worth installing the EMET package from Microsoft and
>accepting the default config which will run DEP and SEHOP in opt-out mode.
>Hopefully the IE sandboxing that UAC creates is also containing this attack
>for anything running Vista and newer.
>On Mon, 28 Apr 2014 14:41:39 -0400, David McFarlane wrote:
> >Yet another (less alarmist) perspective on
> >-- dkm "What, me worry?"
> >At 4/28/2014 08:57 AM Monday, Murray, Troy wrote:
> >>Zero-day exploit in every version of Internet Explorer discovered
> >>late yesterday, and XP won't be patched when a fix is released.