 |
 |
Well, last time I rushed to judgment without properly reading the articles, and I stuck my foot in my mouth big-time. Now we have a new "Zero-day" flaw announced, and this time I'm not the only one complaining about misuse of the term, as you may see in the discussion at Slashdot: http://it.slashdot.org/story/14/05/21/220225/new-ie-8-zero-day-discovered So it seems that people do use the term just because it "sounds cool", and it has ceased to mean anything useful. I suggest we get rid of "zero-day". -- dkm At 4/29/2014 03:10 PM Tuesday, David McFarlane wrote: >About my screed on "0-day": Looks like I need a lesson on reading >comprehension. As has been kindly pointed out to me, the first >sentence of the original Microsoft Security Advisory at >https://technet.microsoft.com/en-us/library/security/2963983.aspx >says, "Microsoft is aware of limited, targeted attacks ..." I would >have had to click through an extra link to get to that statement, >but even the press account that started this thread, in the first >sentence of the second paragraph, reads, "Attacks taking advantage >of the vulnerability are largely targeting ..." So this does honor >the traditional use of "0-day", and I have no excuse. > >Mea culpa, >-- dkm > > >At 4/29/2014 11:42 AM Tuesday, David McFarlane wrote: >><editorial> >>And going off on a tangent here... Have we changed the meaning of >>"Zero Day Vulnerability"? According to my understanding, and as >>corroborated by Wikipedia, a "Zero-day attack" refers to a >>situation where "There are zero days between the time the >>vulnerability is discovered (and made public), and the first >>attack." But in this case we have not yet seen any attack, so it >>would be more proper to refer to this as an n-day vulnerability, >>where n indicates the number of days since the vulnerability was >>discovered. Or has "0-day" suffered journalistic inflation, like >>so much of our terminology? If every discovered vulnerability is >>now considered "0-day", then what function does the modifier >>"0-day" serve? What then makes a "0-day" vulnerability different >>from a non 0-day vulnerability? >> >>This is much like the misused term DDoS, where in many cases the >>first "D" is irrelevant and simply DoS would serve. Sigh. >></editorial> >> >>-- dkm >> >> >>At 4/29/2014 11:29 AM Tuesday, David Graff wrote: >>>I agree that this is sensationalist. We have arbitrary code execution >>>vulnerabilities against Flash, Acrobat, and Java all the time and those have >>>active user bases on par with IE these days. What's one more way to >>>infiltrate an XP system? >>> >>>But, if you're looking for mitigation against unpatched buffer overrun >>>attacks Windows, its worth installing the EMET package from Microsoft and >>>accepting the default config which will run DEP and SEHOP in opt-out mode. >>> >>>http://www.microsoft.com/en-us/download/details.aspx?id=41138 >>> >>>Hopefully the IE sandboxing that UAC creates is also containing this attack >>>for anything running Vista and newer. >>> >>>On Mon, 28 Apr 2014 14:41:39 -0400, David McFarlane >>><[log in to unmask]> wrote: >>> >>> >Yet another (less alarmist) perspective on >>> >this: >>> >http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-e >>> x p lorers-new-0-day-vulnerability >>> > >>> >-- dkm "What, me worry?" >>> > >>> > >>> >At 4/28/2014 08:57 AM Monday, Murray, Troy wrote: >>> >>Zero-day exploit in every version of Internet Explorer discovered >>> >>late yesterday, and XP won't be patched when a fix is released. >>> >> >>> >><http://gizmodo.com/new-vulnerability-found-in-every-single-vers >>> i o >>> n-of-inte-1568383903/+whitsongordon?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+lifehacker%2Ffull+%28Lifehacker%29>http://gizmodo.com/new-vulnerability-found-in-every-single-version-of-inte-1568383903/