Talk:Zero day attack

From Wikipedia, the free encyclopedia

Contents 1 0day warez and exploits 2 Wikipedia's search not working?? 3 Remove External Link 4 Vulnerabilities versus Exploits 5 Please Write Me Better 6 the scene 7 Illegal on 0Day? 8 0day public or not? 9 Examples of 0day or -day? 10 This is WRONG on so many levels 11 Improvements 12 Huh? 13 I think that zero day means before the patch, not on the same day. 14 Merge 15 Yes, Merge them 16 Merge them, and correct the errors 17 Merged from Talk:Zero-Day Attack 17.1 Notes for anyone writing this article 17.2 Needs More Info 18 Citations/Weasel Words/Original Research 19 Inaccuracy on 0 day exploit availability 20 Why the name?

[edit] 0day warez and exploits

should these be in separate articles

can we remove stub status from this?

Go for it!. If someone disagrees then the issue can be discussed here. Ellsworth 23:37, 6 May 2005 (UTC)

[edit] Wikipedia's search not working??

I tried doing a search for Zero day but couldn't find a link to this article in the search results... can someone else please try it and confirm this?? Hulleye 09:59, 10 November 2005 (UTC)

Interesting ... i went through all the results for "Zero day" both with and without quotations and this page did not come up as a result.  ALKIVAR™ 10:04, 10 November 2005 (UTC)

Any idea who the appropriate person/link to complain to about this might be?? Hulleye 10:05, 10 November 2005 (UTC)

Seems whatever the problem was, it's been fixed. Typing in Zero day into the search bar now brings me directly to this page. Though perhaps there should be a disambiguation link to distinguish it from the Zero Day page. Hulleye 12:14, 10 November 2005 (UTC)

Perhaps we should move it back to 0-day?  ALKIVAR™ 19:19, 10 November 2005 (UTC)

[edit] Remove External Link

It looks like the external link is pointing to a site wanting to people to sign up for their courses. I've gone ahead and removed it. If anyone has a publicly available site that "teaches" things about this then post that one.

[edit] Vulnerabilities versus Exploits

This article confuses the terms vulnerability and exploit. It treats them as the same thing which they are not (see RFC 2828). -- AlastairR 22:29, 25 April 2006 (UTC)

Ok, the rfc is great, but it does not give a clear distiction between an vuln and an exploit. Also in some cases the article does appear to treat a vuln and an exploit as though they are different. You are right, this needs to be much clearer in the article.

[edit] Please Write Me Better

If I were a fan of a game, say, I would wait outside the store all night. Then on release day, I would buy the game -- right then and there on Zero Day! I would put it in my machine and, barring glitches, it would work! Right then and there on Zero Day! And it would be absolutely legal!

• Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release. -- so according to the article, if it's not unlawfully obtained, it's not 0day

[edit] the scene

Please describe how the game software is obtained illegally, copied and modified (internationalized) and distributed illegally, and advertised illegally. Give historical examples. I can't tell what is going on in this article. --129.10.14.223 00:07, 28 June 2006 (UTC)

• see The Scene

[edit] Illegal on 0Day?

The head in a way says that Zero-day products can only be obtained illegally, but how is that possible when you can get the stuff on the day of the public release. If I'm not utterly mistaking a public release means that everybody can buy a product, legally of course.

• Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release. -- so according to the article, if it's not unlawfully obtained, it's not 0day

[edit] 0day public or not?

As I see it, this article contradicts itself.

1. "The term derives from the number of days between the public advisory and the release of the exploit"
2. "zero-day attacks are generally unknown to the public"

The first does implies that 0days vulnerabilities AND the exploits are publicly known, and that there may even be a patch, while the second strongly implies that there is no patch for the vulnerability (if we assume that we know what a released patch does)

The second point agrees with what I think 0day is (wrt security): sploits (or maybe even vulnerabilities that don't yet have sploits created for them) that someone has found/created. Once the vulnerability and/or sploit is public, new stuff is no longer 0day. Time zero is when the vulnerability becomes publicly known, and any vuln or sploit created before that time is 0day.

This (my) interpretation is used when people say "I'm only running OpenSSH on that box, and I don't think it has any 0days" (this from someone absolutely would know if the 0day was public). Note that a 0day doesn't have to be released to be a 0day, ever, even when the vulnerabilty becomes known. This for example is still to my knowledge still not released publicly, and was coded (and used) before any vuln was known. (on KTH for example).

[edit] Examples of 0day or -day?

Would it be possible to provide examples of 0day or -day software? Such as the FCKGW version of Windows, or even an album obtained illegally as -day or 0day?

[edit] This is WRONG on so many levels

Zero day is/was the release date of cracked software from the cracking groups, i.e. PARADOX. Because most posters in Usenet used "X-no archive" in their headers, there isn't much of a trail left. Exploits were *never* a part of the scene and those who wrote them were "script-kiddies".

[edit] Improvements

1) This article mashes together two different topics. It would be confusing to treat these subjects as unrelated since a reader might not find both explanations if they are in separate articles. Leading with an introductory paragraph that highlights the meanings of Zero-Day so that the disucssion can branch out in a logical way will help
2) The first topic makes a brief & hazy explanation, then abruptly runs into the second topic
3) Both topics lack examples to help the reader to better understand the topic
4) Lack of references as to the origins of the term Zero-Day for either topic tells the reader that the author(s) lack the expertise to be writing about this subject
5) Writing mechanics are suffering here. Either run a draft through a spelling & grammar check or have these submissions read by several people who have a background in English grammar
6) Definitely merge the first topic with the other page. This gives the reader the breadth of the term's meanings

Cheers!

--Sandman619 08:02, 6 December 2006 (UTC)

[edit] Huh?

Neither article explains "zero-day" attack to me. If it only means "a software exploit released the same day as the exploited software, indicating nonpublic access to the software" why all the verbiage? And if it does mean that, why does it make any difference in the response time (which is a function of exploit discovery, not software or exploit release)? —The preceding unsigned comment was added by 75.32.23.77 (talk) 04:53, 8 December 2006 (UTC).

[edit] I think that zero day means before the patch, not on the same day.

This entry seems to make one thing clear to me - zero day is a bit of jargon that means different things to different people. I accept that many, possibly even most, definitions attempted on the web say that zero day means an exploit available on the same day as a patch is published.

But when people are using the term, rather than defining it, they are talking about the time before a patch is published. On the patching timelines, day zero goes from when the vulnerability is discovered to day 1, which is when the patch appears.

For example, http://research.eeye.com/html/alerts/zeroday/index.html http://www.securityfocus.com/columnists/377

Day one exploits are a problem but aren't half as big a headache for security managers as those for which there is no fix and no prospect of a fix. That is why they are such a big deal.

Yakheart 12:12, 11 December 2006 (UTC)

[edit] Merge

I support a disambig page, not a merge. -Slash- 06:19, 22 December 2006 (UTC)

[edit] Yes, Merge them

I think the two articles should be merged as the term zero-day inevitably refers to the attacks that it can produce. The vulnerability and the exploit are indisputably intertwined.

--Njkmohan 16:54, 28 December 2006 (UTC)

[edit] Merge them, and correct the errors

The term "zero-day exploit" has been so abused by the media as to be meaningless. It is now just a buzz-word used for any unpatched vulnerability, whereas originally it meant an exploit that takes advantage of a vulnerability that has yet to be discovered by the vendor (and hence is unpatched).

It is based on the time between when the vulnerability is known and when an exploit based on it is released. If the exploit is released before the vulnerability is known about, it's a zero-day exploit.

SecuritySearch.com netsecurity.about.com

It has two significant features:

• it is an actual exploit, not just a vulnerability, and
• generally it shows the vulnerability is easy to exploit, since someone has been able to discover and exploit it before the vendor or anyone else found it.

Finally, this discussion has been going on for nearly a year, is anyone going to actually merge the pages? —The preceding unsigned comment was added by 203.206.51.155 (talk) 00:23, 28 January 2007 (UTC).

I don't think its an error. Yes it does mean an expliot, but the people who patch the exploit up always call it a zero-day flaw, or a zero-day vulnerability to increase the exposure of the weakness. If they just go on saying, a flaw, then it really doesn't get the message out like it should be, and millions of people could become infected due to underexposure. This article should be merged. Warrush 13:31, 22 June 2007 (UTC)

I did a brute force merge. That is, they are merged, but still need copyediting for some duplicate content, and error checking.

I'm also copying here (bellow) two talk entries from there. - Nabla 23:07, 24 June 2007 (UTC)

[edit] Merged from Talk:Zero-Day Attack

[edit] Notes for anyone writing this article

"Zero-day" refers to the day the exploitable bug in a common piece of software was discovered. In order for the exploit to become an attack, a nefarious ("black-hat") actor writes code to exploit it.

A good reference for these types of terms is the Sans Institute ([www.sans.org]). A glossary of security terms is available at [1].

WilliamsJD 15:16, 6 September 2006 (UTC)

[edit] Needs More Info

All the talk about Zero-Day attacks is fine and good, but what exactly is a zero-day attack? Is it a specific vunerability, or just a blanket term referring to security holes found in anything? The article does not say for sure, and it's very confusing. Sloverlord 16:01, 6 December 2006 (UTC)

Indeed the article is a bit confusing, but it's simple, 0-Day is just a term nothing more. What's a zero-day today will just be yet another exploit or vulnerabilitie tomorrow. It's a hyped term, some site report Zero-Day over a period of week or so. What makes 0-Day "more dangerous" than anything else is just the fact that 99.9% of users and administrators don't update their software on daily bases, thus making almost every user a possible victim. --Gussi 02:00, 8 December 2006 (UTC)

Zero-day attacks occur when an exploitable bug or vulnerability is found in a common piece of software when no patch is available.

-PC Magazine --Advent nemesis 18:05, 21 April 2007 (UTC)

[edit] Citations/Weasel Words/Original Research

There seems to be a distinct lack of citations for disputable claims, and a good amount of 'weasel wording' (ie "0-day attacks are generally unknown to the public") and original research ("Recent history shows an increasing rate of worm propagation.") in the current article. I'm going to be bold (tm) and tag the former (ie ^{[citation needed]}) and remove the latter (the latter being the weasel words/original research). --audiodude 08:42, 17 August 2007 (UTC)

Okay phase one is complete. I've done up to Ethics. I would appreciate a 'code review' of this work and the community's opinion on whether I should do the rest of the article. Thanks! audiodude 09:02, 17 August 2007 (UTC)

Its certainly better than it was. I can't feel comfortable with citing Tony Bradley's article in About.com as an authoritative definition of "zero day exploit", but its darned hard to figure who would be an authority. Its not a term that SANS or CERT defines. SANS and CERT use, but do not define, the term.

If we could agree that "Zero Day" or "0day" is not a noun, but is, instead, an adjective, there could be some standardized usage.

It was always my understanding that "zero day vulnerability," not "zero day exploit," was the appropriate phrase. A zero day vulnerability exists when the vendor becomes aware of a vulnerability only because it is being actively exploited. In that situation, the vendor has zero days to respond with a patch or other remediation measure. ("When do you need this fixed?" Yesterday.) If a vendor is made aware of a vulnerability through what is known as "responsible disclosure," then the vendor has more than zero days to respond.

The phrases "zero day exploit" and "zero day attack" are phrases that I have seen but would not attempt to define. Every exploit and every attack has its first day; I suppose the day before that would be "day zero", the day before that "day minus one," and the day before that "day minus two." Those would be accurate terms, meaningful terms but they would not be notable, newsworthy or interesting terms.

Psource 23:42, 22 September 2007 (UTC)

[edit] Inaccuracy on 0 day exploit availability

"A 0-day exploit is usually unknown to the public and to the product vendor [1]."

it is perfectly reasonable to assume that a vendor also has a copy of an exploit yet hasn't produced a patch for it yet. some companies will take as many as 9 months to produce a patch for a known exploit. Therefore only the public is unaware. —Preceding unsigned comment added by Zeroday (talk • contribs) 02:44, 11 January 2008 (UTC)

[edit] Why the name?

Why are "zero day attacks" called "zero day"? How are they different from other, non-zero-day attacks on undisclosed/unpatched vulnerabilities? - Brian Kendig (talk) 12:43, 28 May 2008 (UTC)