Share via

What is a "zero-day"?

  • Article

Once again, it seems misguided reporters have appropriated a technical term and are misusing it in ways to confuse the field. "Hacker" was not the first term they ruined, but it is still the one that irks me the most. The primary definition of "Hacker," is of course "a person who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items" according to Wikipedia.

Now it appears that reporters unwilling to actually understand the terminology they use are in the process of destroying the term "zero-day." We have been reading over the past few days about a "zero-day" vulnerability in Symantec Anti-virus, which Marc Maiffret, probably to protect the world in his own trademark way, made public. Unfortunately (or maybe fortunately), this is not a zero-day, unless zero-day has somehow been redefined to mean "new."

Zero-day, as it pertains to vulnerabilities, means a vulnerability that was exploited before anyone, other than the criminal using it, knew about it. This definition is perfectly in line with the definition of zero-day as something for which information is not publicly available. By definition, the fact that Marc was nice enough to alert the world to Symantec's flaw means that it is not a zero-day, unless Marc went and exploited it before he advised the world of the flaw, and we have no indication that he did that.

It may sound like a rant, and of course it is, but it is really important that we keep these terms straight. A zero-day vulnerability is a security professional's worst nightmare. By diluting the term to refer to any vulnerability for which a patch is not available we dilute the language of our field, and lose a very important definition that we need to be able to discuss without ambiguity. It is unfortunate that reporters write about something without bothering to understand the terms of the field they report on. Those reporters give a bad name to those dedicated reporters who take care, and work hard to do a public service in understanding and documenting a field that is important to illuminate. Inaccurate use of important terminology muddy the waters for those of us who are charged with actually taking the field forward.

We do need a term for a vulnerability, like the current Symantec one, which has been publicly announced, but for which a patch is not yet available, I have in the past used "0.5-day" to describe such an issue, but that term does not yet seem to stick.

Comments

  • Anonymous
    January 01, 2003
    Once again, it seems misguided reporters have appropriated a technical term and are misusing it in ways...

  • Anonymous
    January 01, 2003
    Jesper I agree with your point on precise terminology and shake your hand. I can see where Dewi helps keep an open minded perspective between different groups or whatever one wants to call it. I will give everyone a good example about precise terminology. A person at home cannot get on the internet. The home user calls their ISP and tells them the internet doesn't appear to be working. The home user tells the ISP their router doesn't appear to be getting the IP address from the cable modem. After 20 mins of trouble shooting the tech with ISP finds out it's not a router at all. The home user has the placed a 4-Port USB HUB. Now, you tell me how important precise terminology is.

  • Anonymous
    January 01, 2003
    PingBack from http://ertitaly009.info/whatisazerolotline.html

  • Anonymous
    May 27, 2006
    The comment has been removed

  • Anonymous
    May 27, 2006
    The comment has been removed

  • Anonymous
    May 27, 2006
    Another - possibly even more egregious - example is the slew of media articles this week of a purported new "zero-day" SMB vulnerability in Windows 2000.  In fact, the vulnerability it exploits was patched by MS05-011 well over a year ago.  See the MSRC statement here:  http://blogs.technet.com/msrc/archive/2006/05/25/430278.aspx

  • Anonymous
    May 29, 2006
    > a term for a vulnerability, ...
    > which has been publicly announced,
    > but for which a patch is not yet available

    How about "no-patch vulnerability"?
    I thought about "unpatched" but that overlaps with "not yet patched in our installation".
    In theory "no-patch" overlaps with "not-yet-announced" vulnerabilities (including "known-in-secret" and "undiscovered") but we've managed without terms for those so far.....

  • Anonymous
    May 29, 2006
    How do you pronounce "0.5-day"?
    "zero dot five day" or "half day"?

  • Anonymous
    May 29, 2006
    Jesper writes: "it is really important that we keep these terms straight."

    I'd instead argue that it's really important that we don't confuse fuzzy slang and buzzwords with crisply defined jargon, and that if precision is required we stick to using existing dictionary terms (eg "Unknown", "Unannounced", "Unpatched", "Patched") rather than relying on every english-speaking culture and every security subculture throughout the world to have the same definition of the slang word.

    Like "Hacker", "0-day" is slang, rather than jargon, and like all slang, its definition varies between subcultures.

    However, "zero day exploit" got its name from the action of creating an exploit for security vulnerabilities the day the security bulletin goes out (from the warez scene where a 0-day is a product cracked and rereleased on the day of its formal release).

    So, 0-day implies a public release, at least by derivation. This is supported by common usage.

    Admittedly it's sometimes also used to describe pre-announce exploits, but I'd need proof of Wikipedia's claim that it "usually" means this since Google (and my own experience) appear to contradict this.

  • Anonymous
    May 30, 2006
    Dewi, I think you are right. However, every field has its own terminology. What may be slang to a sub-culture, is important terminology to a field. To ensure that we can communicate accurately in a field we really need to ensure that we maintain the integrity of the language of that field. The medical field has its jargon, or terminology if you will. IT has a different one, and infosec has additional terms. If we lose the precise definitions of those terms, we lose the ability to accurately talk about what is happening in the field. Several years ago Blackwell Publishing started publishing the Encyclopaedia of Management to document the language of the management disciplines, including Management Information Systems. The terminology of IT belonged in there, but unfortunately, the encyclopaedia was incomplete. It would be a good idea to actually develop one that is more complete for infosec.

    Didier, I didn't say the term was good! :-) I usually call it "zero point five day" but that usually requires explanation. If anyone has a better term, I'd welcome it.

  • Anonymous
    May 30, 2006
    The comment has been removed

  • Anonymous
    May 31, 2006
    The comment has been removed

  • Anonymous
    July 28, 2006
    The comment has been removed

  • Anonymous
    October 28, 2014
    Blogs - Jesper's Blog - Site Home - TechNet Blogs