Zero-Day Vulnerability vs. Zero-Day Exploit vs. Zero-Day


Harry

Member
Oct 13, 2020
I have a few questions based on previous comments from Steve and general industry conduct.

  • Is it safe to say that a zero-day vulnerability is a vulnerability that is unknown by the vendor?
  • If a vulnerability is known by the vendor but not the public (and maybe even has a hidden CVE), is it a zero-day? Does it matter if the vulnerability is patched or not?
  • What if the vulnerability is known by the vendor, but they choose to not patch, as described in Episode 780 (0-Day Folly)? That was the vulnerability that Microsoft knew about and chose not to patch for two years.
Is there such a thing as a zero-day exploit? Is it an unremediated exploit (no patch, no AV detection), or an exploit of an unknown vulnerability?

I read the Accenture "network access sellers" report Steve mentioned in Episode 789. Accenture says "zero-day exploits are exploits developed targeting unpatched vulnerabilities." It's not clear if that means unpatched by the vendor or the client.

https://www.accenture.com/us-en/blo...-network-access-sellers-and-ransomware-groups

Ohio State University has a questionable explanation of this as well.

What is a Zero-Day Exploit?

"A “zero-day” or “0Day” in the cybersecurity biz is a vulnerability in an internet-connected device, network component or piece of software that was essentially just discovered or exposed. The whole idea is that this vulnerability has zero-days of history."

OK, that seems reasonable, though not specific enough. But here is where it goes off the rails. They later talk about the Shadow Brokers leak of EternalBlue, and the subsequent WannaCry attack.

The WannaCry ransomware attack took advantage of these vulnerabilities and was considered one of the biggest outbreaks of ransomware at the time. This illustrates another point, which is that zero-day vulnerabilities are particularly dangerous because they can lead to sudden, explosive outbreaks of malware that end up having a huge impact in cyberspace.
Their assertion that WannaCry was a zero-day is wrong in my opinion. It was patched for around 60 days at that point. Is it correct to say that WannaCry was not a zero-day?

I know that I'm nitpicking but I think this is sloppy use of jargon, often to sensationalize stories.
 
I would say that a zero-day would be a vulnerability that has spent 0 days before being exploited in the wild. Same for zero-day vulnerability.
Whereas a zero-day exploit would be an exploit that uses that zero-day vulnerability.

That's the way I use the phrase.
 
The only zero-day you really care about is the one that got exploited on your system (or any system you care about.) It's exploitation that is the key here...

When do you start counting the days? I say from the day of discovery by the bad guy who is going to use it against you. That information is rarely available, so I guess the second useful day is where discovery means that a system was discovered exploited. If it's discovered and responsibly reported, it was never exploited, and thus is not a zero-day exploit, only a potential vulnerability... it had the potential to be a zero-day exploit. To me it REQUIRES malicious exploitation to be considered a zero-day exploit. I think calling it a zero-day vulnerability, with no available exploit, is assuming an exploitation will happen... so that is technically a potential zero-day vulnerability.
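The thread above disagrees about which event starts the clock: vendor awareness, patch availability, or malicious exploitation. The following is an added example (not from any poster on this thread) that encodes those three readings as a small timeline classifier, the kind of thing a vulnerability-management team might use to separate true zero-days from "n-days" when prioritising. The EternalBlue / WannaCry dates (MS17-010 patch on 2017-03-14, outbreak on 2017-05-12) are public; Microsoft's exact awareness date is not public and is set to the patch date as a stand-in. The two other timelines are constructed hypotheticals.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    """Key dates for one vulnerability. None = event has not happened or is unknown."""
    name: str
    vendor_aware: Optional[date]      # vendor learned of the flaw
    patch_released: Optional[date]    # fix publicly available
    first_exploited: Optional[date]   # earliest known malicious in-the-wild exploitation


def days_between(later: Optional[date], earlier: Optional[date]) -> Optional[int]:
    """Signed day count (later - earlier), or None when either date is unknown."""
    if later is None or earlier is None:
        return None
    return (later - earlier).days


def classify(t: VulnTimeline) -> dict:
    """Evaluate one timeline against the three readings of 'zero-day' used in the thread.

    zero_day_vendor_unaware: exploited while the vendor did not yet know of the flaw
    zero_day_unpatched:      exploited while no fix existed (the Accenture reading)
    exploited:               any malicious exploitation at all (the last poster's
                             precondition for calling anything a zero-day)
    """
    exploited = t.first_exploited is not None
    unaware = exploited and (t.vendor_aware is None or t.first_exploited < t.vendor_aware)
    unpatched = exploited and (t.patch_released is None or t.first_exploited < t.patch_released)
    lag = days_between(t.first_exploited, t.patch_released)  # positive = exploited after patch

    if not exploited:
        label = "potential zero-day (no known exploitation)"
    elif unaware:
        label = "zero-day (exploited before the vendor knew)"
    elif unpatched:
        label = "zero-day (exploited before a patch existed)"
    else:
        label = f"n-day (exploited {lag} days after the patch)"

    return {
        "exploited": exploited,
        "zero_day_vendor_unaware": unaware,
        "zero_day_unpatched": unpatched,
        "days_patch_to_exploit": lag,
        "label": label,
    }


# Public dates for MS17-010 / WannaCry; vendor-awareness date is a stand-in (no later than the patch).
WANNACRY = VulnTimeline("EternalBlue / WannaCry",
                        vendor_aware=date(2017, 3, 14),
                        patch_released=date(2017, 3, 14),
                        first_exploited=date(2017, 5, 12))

# Constructed hypothetical: attacker used the bug weeks before anyone reported it.
HYPOTHETICAL_0DAY = VulnTimeline("hypothetical-0day",
                                 vendor_aware=date(2024, 2, 1),
                                 patch_released=date(2024, 2, 20),
                                 first_exploited=date(2024, 1, 5))

# Constructed hypothetical: found by a researcher, reported, fixed, never exploited.
HYPOTHETICAL_REPORTED = VulnTimeline("hypothetical-reported",
                                     vendor_aware=date(2024, 3, 1),
                                     patch_released=date(2024, 3, 15),
                                     first_exploited=None)


def summarize(timelines) -> dict:
    """Map each timeline name to its label, for a quick triage view."""
    return {t.name: classify(t)["label"] for t in timelines}


if __name__ == "__main__":
    for name, label in summarize([WANNACRY, HYPOTHETICAL_0DAY, HYPOTHETICAL_REPORTED]).items():
        print(f"{name}: {label}")
```

Run as-is, WannaCry comes out as an n-day (59 days after the patch) under every reading, which is the point Harry makes about the Ohio State article; the constructed in-the-wild case is a zero-day under both the vendor-unaware and unpatched readings, and the responsibly reported one is only a "potential" zero-day, matching the last poster's position.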