I don't believe this definition is correct.
Consider this alternative from TechTarget.com ( http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci955554,00.html#):
A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.
192.91.173.36 ( talk) 14:07, 5 August 2009 (UTC) SteveRobinson
"I don't believe this definition is correct."
Sorry to hear it, because you're quite mistaken and have provided no basis for your belief. Your own citation contradicts your quote when it says "Sometimes, however, a hacker may be the first to discover the vulnerability", and there's a link on that page to http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm which says "A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor." What do you suppose the sort of thing that statement and this article describes is called ... a -1-day exploit? -- 96.248.226.133 ( talk) 23:52, 10 March 2013 (UTC)
I think it comes from the fact that it has been there since day 0, the creation date of the software? — Preceding unsigned comment added by 82.83.210.215 (talk) 09:34, 25 October 2013 (UTC)
should these be in separate articles
can we remove stub status from this?
I tried doing a search for Zero day but couldn't find a link to this article in the search results... can someone else please try it and confirm this? Hulleye 09:59, 10 November 2005 (UTC)
It looks like the external link is pointing to a site wanting people to sign up for their courses. I've gone ahead and removed it. If anyone has a publicly available site that "teaches" things about this then post that one.
This article confuses the terms vulnerability and exploit. It treats them as the same thing which they are not (see RFC 2828). -- AlastairR 22:29, 25 April 2006 (UTC)
Ok, the RFC is great, but it does not give a clear distinction between a vuln and an exploit. Also, in some cases the article does appear to treat a vuln and an exploit as though they are different. You are right, this needs to be much clearer in the article.
If I were a fan of a game, say, I would wait outside the store all night. Then on release day, I would buy the game -- right then and there on Zero Day! I would put it in my machine and, barring glitches, it would work! Right then and there on Zero Day! And it would be absolutely legal!
Please describe how the game software is obtained illegally, copied and modified (internationalized) and distributed illegally, and advertised illegally. Give historical examples. I can't tell what is going on in this article. -- 129.10.14.223 00:07, 28 June 2006 (UTC)
The head in a way says that Zero-day products can only be obtained illegally, but how is that possible when you can get the stuff on the day of the public release? If I'm not utterly mistaken, a public release means that everybody can buy a product, legally of course.
As I see it, this article contradicts itself.
The first implies that 0day vulnerabilities AND the exploits are publicly known, and that there may even be a patch, while the second strongly implies that there is no patch for the vulnerability (if we assume that we know what a released patch does).
The second point agrees with what I think 0day is (wrt security): sploits (or maybe even vulnerabilities that don't yet have sploits created for them) that someone has found/created. Once the vulnerability and/or sploit is public, new stuff is no longer 0day. Time zero is when the vulnerability becomes publicly known, and any vuln or sploit created before that time is 0day.
This (my) interpretation is used when people say "I'm only running OpenSSH on that box, and I don't think it has any 0days" (this from someone who absolutely would know if the 0day was public). Note that a 0day doesn't have to be released to be a 0day, ever, even when the vulnerability becomes known. This, for example, is to my knowledge still not released publicly, and was coded (and used) before any vuln was known (on KTH, for example).
Would it be possible to provide examples of 0day or -day software? Such as the FCKGW version of Windows, or even an album obtained illegally as -day or 0day?
Zero day is/was the release date of cracked software from the cracking groups, i.e. PARADOX. Because most posters in Usenet used "X-no archive" in their headers, there isn't much of a trail left. Exploits were *never* a part of the scene and those who wrote them were "script-kiddies".
1) This article mashes together two different topics. It would be confusing to treat these subjects as unrelated since a reader might not find both explanations if they are in separate articles. Leading with an introductory paragraph that highlights the meanings of Zero-Day so that the discussion can branch out in a logical way will help
2) The first topic makes a brief & hazy explanation, then abruptly runs into the second topic
3) Both topics lack examples to help the reader to better understand the topic
4) Lack of references as to the origins of the term Zero-Day for either topic tells the reader that the author(s) lack the expertise to be writing about this subject
5) Writing mechanics are suffering here. Either run a draft through a spelling & grammar check or have these submissions read by several people who have a background in English grammar
6) Definitely merge the first topic with the other page. This gives the reader the breadth of the term's meanings
Cheers!
-- Sandman619 08:02, 6 December 2006 (UTC)
Neither article explains "zero-day" attack to me. If it only means "a software exploit released the same day as the exploited software, indicating nonpublic access to the software" why all the verbiage? And if it does mean that, why does it make any difference in the response time (which is a function of exploit discovery, not software or exploit release)? —The preceding unsigned comment was added by 75.32.23.77 ( talk) 04:53, 8 December 2006 (UTC).
This entry seems to make one thing clear to me - zero day is a bit of jargon that means different things to different people. I accept that many, possibly even most, definitions attempted on the web say that zero day means an exploit available on the same day as a patch is published.
But when people are using the term, rather than defining it, they are talking about the time before a patch is published. On the patching timelines, day zero goes from when the vulnerability is discovered to day 1, which is when the patch appears.
For example, http://research.eeye.com/html/alerts/zeroday/index.html http://www.securityfocus.com/columnists/377
Day one exploits are a problem but aren't half as big a headache for security managers as those for which there is no fix and no prospect of a fix. That is why they are such a big deal.
Yakheart 12:12, 11 December 2006 (UTC)
I support a disambig page, not a merge. -Slash- 06:19, 22 December 2006 (UTC)
I think the two articles should be merged as the term zero-day inevitably refers to the attacks that it can produce. The vulnerability and the exploit are indisputably intertwined.
-- Njkmohan 16:54, 28 December 2006 (UTC)
The term "zero-day exploit" has been so abused by the media as to be meaningless. It is now just a buzz-word used for any unpatched vulnerability, whereas originally it meant an exploit that takes advantage of a vulnerability that has yet to be discovered by the vendor (and hence is unpatched).
It is based on the time between when the vulnerability is known and when an exploit based on it is released. If the exploit is released before the vulnerability is known about, it's a zero-day exploit.
SecuritySearch.com netsecurity.about.com
It has two significant features:
Finally, this discussion has been going on for nearly a year, is anyone going to actually merge the pages? —The preceding unsigned comment was added by 203.206.51.155 ( talk) 00:23, 28 January 2007 (UTC).
"Zero-day" refers to the day the exploitable bug in a common piece of software was discovered. In order for the exploit to become an attack, a nefarious ("black-hat") actor writes code to exploit it.
A good reference for these types of terms is the Sans Institute ([www.sans.org]). A glossary of security terms is available at [1].
WilliamsJD 15:16, 6 September 2006 (UTC)
All the talk about Zero-Day attacks is fine and good, but what exactly is a zero-day attack? Is it a specific vulnerability, or just a blanket term referring to security holes found in anything? The article does not say for sure, and it's very confusing. Sloverlord 16:01, 6 December 2006 (UTC)
Zero-day attacks occur when an exploitable bug or vulnerability is found in a common piece of software when no patch is available.
-PC Magazine -- Advent nemesis 18:05, 21 April 2007 (UTC)
There seems to be a distinct lack of citations for disputable claims, and a good amount of 'weasel wording' (ie "0-day attacks are generally unknown to the public") and original research (" Recent history shows an increasing rate of worm propagation.") in the current article. I'm going to be bold (tm) and tag the former (ie citation needed) and remove the latter (the latter being the weasel words/original research). -- audiodude 08:42, 17 August 2007 (UTC)
Okay phase one is complete. I've done up to Ethics. I would appreciate a 'code review' of this work and the community's opinion on whether I should do the rest of the article. Thanks! audiodude 09:02, 17 August 2007 (UTC)
It's certainly better than it was. I can't feel comfortable with citing Tony Bradley's article in About.com as an authoritative definition of "zero day exploit", but it's darned hard to figure who would be an authority. It's not a term that SANS or CERT defines. SANS and CERT use, but do not define, the term.
If we could agree that "Zero Day" or "0day" is not a noun, but is, instead, an adjective, there could be some standardized usage.
It was always my understanding that "zero day vulnerability," not "zero day exploit," was the appropriate phrase. A zero day vulnerability exists when the vendor becomes aware of a vulnerability only because it is being actively exploited. In that situation, the vendor has zero days to respond with a patch or other remediation measure. ("When do you need this fixed?" Yesterday.) If a vendor is made aware of a vulnerability through what is known as "responsible disclosure," then the vendor has more than zero days to respond.
The phrases "zero day exploit" and "zero day attack" are phrases that I have seen but would not attempt to define. Every exploit and every attack has its first day; I suppose the day before that would be "day zero", the day before that "day minus one," and the day before that "day minus two." Those would be accurate terms, meaningful terms but they would not be notable, newsworthy or interesting terms.
Psource 23:42, 22 September 2007 (UTC)
"A 0-day exploit is usually unknown to the public and to the product vendor [1]."
It is perfectly reasonable to assume that a vendor also has a copy of an exploit yet hasn't produced a patch for it yet. Some companies will take as many as 9 months to produce a patch for a known exploit. Therefore only the public is unaware. —Preceding unsigned comment added by Zeroday (talk • contribs) 02:44, 11 January 2008 (UTC)
Why are "zero day attacks" called "zero day"? How are they different from other, non-zero-day attacks on undisclosed/unpatched vulnerabilities? - Brian Kendig ( talk) 12:43, 28 May 2008 (UTC)
I've re-written the Vulnerability window section. I've also done a global find/replace with "vendor" (replaced by "developer"), as I find the term "developer" more inclusive (for example, I write software, but I don't sell it, so I'm a developer, not a vendor. However, I still need to pay attention to zero day attacks). Osric ( talk) 02:30, 28 January 2010 (UTC)
to make "manufacturing vulnerabilities illegal" - it's quite unfortunate wording. —Preceding unsigned comment added by 149.156.90.26 ( talk) 14:26, 17 February 2010 (UTC)
One thing missing from the ethics section is a software developer's ethical responsibility to fix exploits promptly. I've heard of cases where security experts got so sick and tired of being ignored by developers that they released the zero-day exploits to the public to force the software developer to take action. Of course, releasing these to force the developer to take action has its own set of ethical questions. 69.7.41.230 ( talk) 18:15, 13 June 2012 (UTC)
Please fix. Either this article or Wikipedia's definition of " hardwired": "In computer programming, a kludge to temporarily or quickly fix a problem. Something that is not considered good programming practice." 87.112.9.121 ( talk) 14:57, 13 March 2014 (UTC)
Incorrect, the vulnerability could be in the OS. It could be in firmware. The article even says it could be hardwired in. 87.112.9.121 ( talk) 15:12, 13 March 2014 (UTC)
eg: "The origin of the term is from researchers counting the number of days from when a vulnerability is reported to the developer to a fix being released. The next day would be one day, the same day is zero days. Researchers would call a previously developed attack a zero day attack because they would only know that retrospectively." 87.112.9.121 ( talk) 15:14, 13 March 2014 (UTC)
As the article goes on to say, the developers may have had time but may not want to fix for other reasons. As indicated elsewhere in the article, a developer may be aware of a vulnerability when the software is first released and may not close the vulnerability because it's too difficult to close, too expensive, would take too long and they need to get the software to market, they hope it is not discovered, security through obscurity, or even because it is there by design, perhaps at the behest of the NSA. The NSA have been encouraging companies that produce computer systems to incorporate "backdoors" and flaws in algorithms so that they can access the data easier. 87.112.9.121 (talk) 15:16, 13 March 2014 (UTC)
This comment was triggered by the article's statement "the average vulnerability window of a zero-day exploit is about 10 months". I believe the source for that statement was using a flawed definition, which I seek to clarify here.
When an exploit is developed against a secret vulnerability, any attack made using this exploit is not a Zero-day attack if carried out before the vulnerability is made public. This is because the definition of a Zero-day attack is that it uses an exploit taking advantage of a publicly known vulnerability for which no fix is available. So there are three vulnerability windows, in order:
1) Potential vulnerability window: All software starts in the Potential vulnerability window.
2) Zero-day vulnerability window: This window opens when a vulnerability is published, e.g. by mainstream awareness of a released exploit; by a public mailing list post detailing the vulnerability; by open-access distribution of an academic paper describing the vulnerability; by a publicly confirmed bug report from a vendor; or by co-ordinated disclosure by a CERT. This window is not open if the exploit is kept secret or if a vendor bug report does not include details of how to reproduce a failure.
3) Post-patch vulnerability window: This window is entered once software/OS vendors release a patch. Therefore some OSes or software versions would still be in the Zero-day vulnerability window if a patch for that version hasn't been released yet.
Once a given system has been patched or access to the vulnerability blocked, it is no longer in a vulnerability window for this exploit.
It's important to realise that some people might think that any attack made during the Potential vulnerability window retrospectively becomes a Zero-day attack after publication of the vulnerability. This is not the case because such an exploit has to have been developed from knowledge gained via the vulnerability's public release.
-- AlastairIrvine (talk) 18:19, 10 April 2014 (UTC)
There are three basic moments in time:
(1) When the vulnerability is first 'discovered' (let's not treat the case where it is simultaneously discovered by multiple agents.)
(2) When the existence of the vulnerability is first 'made public' (let's not worry about exactly what that means, but rapid, wide-spread dissemination is the essence.)
(3) When the 'first' attack(s) occur(s). (Let's not worry about how these are detected/defined; 'significant impact' might be a criterion.)
Both the definition in the current article and the one pointed to at http://searchsecurity.techtarget.com/definition/zero-day-exploit suffer from essentially the same problem: they do not distinguish between (1) and (2), and it seems to me this is an important distinction in most cases.
DrTLesterThomas ( talk) 19:13, 10 April 2014 (UTC)
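As an added illustration of both the three-window model in AlastairIrvine's comment and the three moments in DrTLesterThomas's comment (example code written for this page, not part of either comment or of the article), the small Python model below records a vulnerability timeline (discovery, developer awareness, public disclosure, per-version patch dates) and classifies an attack day under the two competing definitions argued over here: the "publicly known but unpatched" definition and the "exploit exists before the developer learns of it" definition. All dates, version labels and the sample attacks are constructed for the example; running it shows the same in-the-wild attack landing in the Potential window under one definition while counting as a zero-day under the other, and a per-version window length that is only defined once both a disclosure date and a patch date exist.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional


@dataclass
class VulnTimeline:
    """Key moments for one vulnerability (all dates constructed for the example)."""
    discovered: date                       # (1) first found by anyone, attacker or researcher
    vendor_aware: Optional[date] = None    # day the developer learns of it (None: never told)
    disclosed: Optional[date] = None       # (2) made public: advisory, list post, paper, CERT
    patches: Dict[str, date] = field(default_factory=dict)  # version -> patch release date


def window_at(t: VulnTimeline, day: date, version: str) -> str:
    """Three-window model: 'potential' before public disclosure, 'zero-day' once
    public but unpatched for this version, 'post-patch' once its patch has shipped.
    Evaluated at the attack day, so an earlier attack never becomes zero-day later."""
    if t.disclosed is None or day < t.disclosed:
        return "potential"
    patched = t.patches.get(version)
    if patched is not None and day >= patched:
        return "post-patch"
    return "zero-day"


def exploit_predates_vendor_awareness(t: VulnTimeline, exploit_day: date) -> bool:
    """Competing developer-centric definition: an exploit is a zero-day if it exists
    before, or on the day, the developer learns of the vulnerability (zero days to
    respond). A developer that is never told gives every exploit that status."""
    return t.vendor_aware is None or exploit_day <= t.vendor_aware


def window_length_days(t: VulnTimeline, version: str) -> Optional[int]:
    """Days from public disclosure to the patch for this version; None if the
    vulnerability is not public yet or this version has no patch at all."""
    patched = t.patches.get(version)
    if t.disclosed is None or patched is None:
        return None
    return max(0, (patched - t.disclosed).days)


def compare_definitions(t: VulnTimeline, day: date, version: str) -> Dict[str, object]:
    """Label one attack under both definitions so the disagreement is visible."""
    window = window_at(t, day, version)
    return {
        "window": window,
        "zero_day_by_public_definition": window == "zero-day",
        "zero_day_by_vendor_definition": exploit_predates_vendor_awareness(t, day),
    }


# Constructed timeline: found by an attacker in January, used in the wild so the
# developer learns of it on 1 March, published on 15 March, version 2.0 patched
# five days later, version 1.x never patched.
SAMPLE = VulnTimeline(
    discovered=date(2014, 1, 10),
    vendor_aware=date(2014, 3, 1),
    disclosed=date(2014, 3, 15),
    patches={"2.0": date(2014, 3, 20)},
)

# Constructed attacks: (label, attack day, targeted version)
SAMPLE_ATTACKS = [
    ("in-the-wild use before disclosure", date(2014, 2, 20), "1.x"),
    ("attack after disclosure, 2.0 unpatched", date(2014, 3, 18), "2.0"),
    ("attack after the 2.0 patch", date(2014, 3, 25), "2.0"),
    ("attack on never-patched 1.x", date(2014, 3, 25), "1.x"),
]


def classify_sample_attacks() -> Dict[str, Dict[str, object]]:
    """Run every constructed attack through both definitions."""
    return {label: compare_definitions(SAMPLE, day, version)
            for label, day, version in SAMPLE_ATTACKS}


if __name__ == "__main__":
    for label, result in classify_sample_attacks().items():
        print(f"{label}: {result}")
    print("disclosure-to-patch window, 2.0:", window_length_days(SAMPLE, "2.0"))
    print("disclosure-to-patch window, 1.x:", window_length_days(SAMPLE, "1.x"))
```

The two boolean fields are where the page's argument lives: the February attack is "potential" (not zero-day) under the public-disclosure definition yet a zero-day under the developer-awareness one, and the March attack on patched 2.0 is post-patch while the same day on unpatched 1.x is still inside the zero-day window, which is the per-version point AlastairIrvine makes.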
Hey guys, can you guys add your views about merging the three WP zero-day articles attack, virus and warez into one at: Talk:Zero_day. Thank you :)