Talk:Zero-day attack

Definition
I don't believe this definition is correct.

Consider this alternative from TechTarget.com (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci955554,00.html#):

A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.

192.91.173.36 (talk) 14:07, 5 August 2009 (UTC) SteveRobinson

"I don't believe this definition is correct."

Sorry to hear it, because you're quite mistaken and have provided no basis for your belief. Your own citation contradicts your quote when it says "Sometimes, however, a hacker may be the first to discover the vulnerability", and there's a link on that page to http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm which says "A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor." What do you suppose the sort of thing that statement and this article describes is called ... a -1-day exploit? -- 96.248.226.133 (talk) 23:52, 10 March 2013 (UTC)

I think it comes from the fact that it has been there since day-0? the creation date of the software? — Preceding unsigned comment added by 82.83.210.215 (talk) 09:34, 25 October 2013 (UTC)

There is confusion, also in the comments below. At the very least the lede should be clearer. Google shows "generally known" or "publicly known" several times on its first page. The lede says "previously unknown" but there is confusion as to whether this is previously unknown by anyone, by the researcher, by the software vendor, by the public etc. You had to follow two links to get the definition you quote. Reference [1], of this Wiki article, says "A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor." but then says "Whether the vendors knew about the vulnerability a year ago or found out about it this morning, if the exploit code exists when the vulnerability is made public it’s a zero-day exploit on your calendar." So Wiki is using a reference which is causing confusion. The lede need fixing: change "previously unknown" to "previously unknown by the vendor". Even this not correct because researchers only know when a vulnerability is reported. Some companies are aware of vulnerabilities, even inserted by design at the behest of the NSA, or relying on "security through obscurity" long before researchers notify them. It would also be useful to explain the counting system. "Day 0 is the day a vulnerability is reported to a vendor, the days to the day the vendor provides a fix are counted from this day." The lede also specifies "application" this does not include the OS, which is wrong. 87.112.9.121 (talk) 07:15, 12 March 2014 (UTC)
 * @96.248.226.133 The quotation is the basis for the belief.

0day warez and exploits
should these be in separate articles

can we remove stub status from this?


 * Go for it!. If someone disagrees then the issue can be discussed here. Ellsworth 23:37, 6 May 2005 (UTC)

Wikipedia's search not working??
I tried doing a search for Zero day but couldn't find a link to this article in the search results... can someone else please try it and confirm this?? Hulleye 09:59, 10 November 2005 (UTC)
 * Interesting ... i went through all the results for "Zero day" both with and without quotations and this page did not come up as a result.  ALKIVAR &trade;[[Image:Radioactive.svg|18px|]] 10:04, 10 November 2005 (UTC)
 * Any idea who the appropriate person/link to complain to about this might be?? Hulleye 10:05, 10 November 2005 (UTC)
 * Seems whatever the problem was, it's been fixed. Typing in Zero day into the search bar now brings me directly to this page. Though perhaps there should be a disambiguation link to distinguish it from the Zero Day page. Hulleye 12:14, 10 November 2005 (UTC)
 * Perhaps we should move it back to 0-day?  ALKIVAR &trade;[[Image:Radioactive.svg|18px|]] 19:19, 10 November 2005 (UTC)

Remove External Link
It looks like the external link is pointing to a site wanting to people to sign up for their courses. I've gone ahead and removed it. If anyone has a publicly available site that "teaches" things about this then post that one.

Vulnerabilities versus Exploits
This article confuses the terms vulnerability and exploit. It treats them as the same thing which they are not (see RFC 2828). -- AlastairR 22:29, 25 April 2006 (UTC)

Ok, the rfc is great, but it does not give a clear distiction between an vuln and an exploit. Also in some cases the article does appear to treat a vuln and an exploit as though they are different. You are right, this needs to be much clearer in the article.

Please Write Me Better
If I were a fan of a game, say, I would wait outside the store all night. Then on release day, I would buy the game -- right then and there on Zero Day! I would put it in my machine and, barring glitches, it would work! Right then and there on Zero Day! And it would be absolutely legal!


 * Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release. -- so according to the article, if it's not unlawfully obtained, it's not 0day

the scene
Please describe how the game software is obtained illegally, copied and modified (internationalized) and distributed illegally, and advertised illegally. Give historical examples. I can't tell what is going on in this article. --129.10.14.223 00:07, 28 June 2006 (UTC)


 * see The Scene

Illegal on 0Day?
The head in a way says that Zero-day products can only be obtained illegally, but how is that possible when you can get the stuff on the day of the public release. If I'm not utterly mistaking a public release means that everybody can buy a product, legally of course.


 * Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release. -- so according to the article, if it's not unlawfully obtained, it's not 0day

0day public or not?
As I see it, this article contradicts itself. The first does implies that 0days vulnerabilities AND the exploits are publicly known, and that there may even be a patch, while the second strongly implies that there is no patch for the vulnerability (if we assume that we know what a released patch does)
 * 1) "The term derives from the number of days between the public advisory and the release of the exploit"
 * 2) "zero-day attacks are generally unknown to the public"

The second point agrees with what I think 0day is (wrt security): sploits (or maybe even vulnerabilities that don't yet have sploits created for them) that someone has found/created. Once the vulnerability and/or sploit is public, new stuff is no longer 0day. Time zero is when the vulnerability becomes publicly known, and any vuln or sploit created before that time is 0day.

This (my) interpretation is used when people say "I'm only running OpenSSH on that box, and I don't think it has any 0days" (this from someone absolutely would know if the 0day was public). Note that a 0day doesn't have to be released to be a 0day, ever, even when the vulnerabilty becomes known. This for example is still to my knowledge still not released publicly, and was coded (and used) before any vuln was known. (on KTH for example).

Examples of 0day or -day?
Would it be possible to provide examples of 0day or -day software? Such as the FCKGW version of Windows, or even an album obtained illegally as -day or 0day?

This is WRONG on so many levels
Zero day is/was the release date of cracked software from the cracking groups, i.e. PARADOX. Because most posters in Usenet used "X-no archive" in their headers, there isn't much of a trail left. Exploits were *never* a part of the scene and those who wrote them were "script-kiddies".

Improvements
1) This article mashes together two different topics.  It would be confusing to treat these subjects as unrelated since a reader might not find both explanations if they are in separate articles.  Leading with an introductory paragraph that highlights the meanings of Zero-Day so that the disucssion can branch out in a logical way will help

2) The first topic makes a brief & hazy explanation, then abruptly runs into the second topic

3) Both topics lack examples to help the reader to better understand the topic

4) Lack of references as to the origins of the term Zero-Day for either topic tells the reader that the author(s) lack the expertise to be writing about this subject

5) Writing mechanics are suffering here.  Either run a draft through a spelling & grammar check or have these submissions read by several people who have a background in English grammar

6) Definitely merge the first topic with the other page.  This gives the reader the breadth of the term's meanings

Cheers!

--Sandman619 08:02, 6 December 2006 (UTC)

Huh?
Neither article explains "zero-day" attack to me. If it only means "a software exploit released the same day as the exploited software, indicating nonpublic access to the software" why all the verbiage? And if it does mean that, why does it make any difference in the response time (which is a function of exploit discovery, not software or exploit release)? —The preceding unsigned comment was added by 75.32.23.77 (talk) 04:53, 8 December 2006 (UTC).

I think that zero day means before the patch, not on the same day.
This entry seems to make one thing clear to me - zero day is a bit of jargon that means different things to different people. I accept that many, possibly even most, definitions attempted on the web say that zero day means an exploit available on the same day as a patch is published.

But when people are using the term, rather than defining it, they are talking about the time before a patch is published. On the patching timelines, day zero goes from when the vulnerability is discovered to day 1, which is when the patch appears.

For example, http://research.eeye.com/html/alerts/zeroday/index.html http://www.securityfocus.com/columnists/377

Day one exploits are a problem but aren't half as big a headache for security managers as those for which there is no fix and no prospect of a fix. That is why they are such a big deal.

Yakheart 12:12, 11 December 2006 (UTC)

Merge
I support a disambig page, not a merge. -Slash- 06:19, 22 December 2006 (UTC)

Yes, Merge them
I think the two articles should be merged as the term zero-day inevitably refers to the attacks that it can produce. The vulnerability and the exploit are indisputably intertwined.

--Njkmohan 16:54, 28 December 2006 (UTC)

Merge them, and correct the errors
The term "zero-day exploit" has been so abused by the media as to be meaningless. It is now just a buzz-word used for any unpatched vulnerability, whereas originally it meant an exploit that takes advantage of a vulnerability that has yet to be discovered by the vendor (and hence is unpatched).

It is based on the time between when the vulnerability is known and when an exploit based on it is released. If the exploit is released before the vulnerability is known about, it's a zero-day exploit.

SecuritySearch.com netsecurity.about.com

It has two significant features:
 * it is an actual exploit, not just a vulnerability, and
 * generally it shows the vulnerability is easy to exploit, since someone has been able to discover and exploit it before the vendor or anyone else found it.

Finally, this discussion has been going on for nearly a year, is anyone going to actually merge the pages? —The preceding unsigned comment was added by 203.206.51.155 (talk) 00:23, 28 January 2007 (UTC).


 * I don't think its an error. Yes it does mean an expliot, but the people who patch the exploit up always call it a zero-day flaw, or a zero-day vulnerability to increase the exposure of the weakness. If they just go on saying, a flaw, then it really doesn't get the message out like it should be, and millions of people could become infected due to underexposure. This article should be merged. War  rush  13:31, 22 June 2007 (UTC)


 * I did a brute force merge. That is, they are merged, but still need copyediting for some duplicate content, and error checking.
 * I'm also copying here (bellow) two talk entries from there. - Nabla 23:07, 24 June 2007 (UTC)

Notes for anyone writing this article
"Zero-day" refers to the day the exploitable bug in a common piece of software was discovered. In order for the exploit to become an attack, a nefarious ("black-hat") actor writes code to exploit it.

A good reference for these types of terms is the Sans Institute ([www.sans.org]). A glossary of security terms is available at.

WilliamsJD 15:16, 6 September 2006 (UTC)

Needs More Info
All the talk about Zero-Day attacks is fine and good, but what exactly is a zero-day attack? Is it a specific vunerability, or just a blanket term referring to security holes found in anything? The article does not say for sure, and it's very confusing. Sloverlord 16:01, 6 December 2006 (UTC)
 * Indeed the article is a bit confusing, but it's simple, 0-Day is just a term nothing more. What's a zero-day today will just be yet another exploit or vulnerabilitie tomorrow. It's a hyped term, some site report Zero-Day over a period of week or so. What makes 0-Day "more dangerous" than anything else is just the fact that 99.9% of users and administrators don't update their software on daily bases, thus making almost every user a possible victim. --Gussi 02:00, 8 December 2006 (UTC)

Zero-day attacks occur when an exploitable bug or vulnerability is found in a common piece of software when no patch is available. -PC Magazine --Advent nemesis 18:05, 21 April 2007 (UTC)

Citations/Weasel Words/Original Research
There seems to be a distinct lack of citations for disputable claims, and a good amount of 'weasel wording' (ie "0-day attacks are generally unknown to the public") and original research ("Recent history shows an increasing rate of worm propagation.") in the current article. I'm going to be bold (tm) and tag the former (ie ) and remove the latter (the latter being the weasel words/original research). --audiodude 08:42, 17 August 2007 (UTC)

Okay phase one is complete. I've done up to Ethics. I would appreciate a 'code review' of this work and the community's opinion on whether I should do the rest of the article. Thanks! audiodude 09:02, 17 August 2007 (UTC)

Its certainly better than it was. I can't feel comfortable with citing Tony Bradley's article in About.com as an authoritative definition of "zero day exploit", but its darned hard to figure who would be an authority. Its not a term that SANS or CERT defines. SANS and CERT use, but do not define, the term.

If we could agree that "Zero Day" or "0day" is not a noun, but is, instead, an adjective, there could be some standardized usage.

It was always my understanding that "zero day vulnerability," not "zero day exploit," was the appropriate phrase. A zero day vulnerability exists when the vendor becomes aware of a vulnerability only because it is being actively exploited. In that situation, the vendor has zero days to respond with a patch or other remediation measure. ("When do you need this fixed?" Yesterday.) If a vendor is made aware of a vulnerability through what is known as "responsible disclosure," then the vendor has more than zero days to respond.

The phrases "zero day exploit" and "zero day attack" are phrases that I have seen but would not attempt to define. Every exploit and every attack has its first day; I suppose the day before that would be "day zero", the day before that "day minus one," and the day before that "day minus two." Those would be accurate terms, meaningful terms but they would not be notable, newsworthy or interesting terms.

Psource 23:42, 22 September 2007 (UTC)

Inaccuracy on 0 day exploit availability
"A 0-day exploit is usually unknown to the public and to the product vendor [1]."

it is perfectly reasonable to assume that a vendor also has a copy of an exploit yet hasn't produced a patch for it yet. some companies will take as many as 9 months to produce a patch for a known exploit. Therefore only the public is unaware. —Preceding unsigned comment added by Zeroday (talk • contribs) 02:44, 11 January 2008 (UTC)

Why the name?
Why are "zero day attacks" called "zero day"? How are they different from other, non-zero-day attacks on undisclosed/unpatched vulnerabilities? - Brian Kendig (talk) 12:43, 28 May 2008 (UTC)

Idle cleanups
I've re-written the Vulnerability window section. I've also done a global find/replace with "vendor" (replaced by "developer"), as I find the term "developer" more inclusive (for example, I write software, but I don't sell it, so I'm a developer, not a vendor. However, I still need to pay attention to zero day attacks). Osric (talk) 02:30, 28 January 2010 (UTC)

Funny wording
to make "manufacturing vulnerabilities illegal" - it's quite unfortunate wording. —Preceding unsigned comment added by 149.156.90.26 (talk) 14:26, 17 February 2010 (UTC)

Software makers ethical responsibility
One thing missing from the ethics section is a software developer's ethical responsibility to fix exploits promptly. I've heard of cases where security experts got so sick and tired of being ignored by developers that they released the zero-day exploits to the public to force the software developer to take action. Of course, releasing these to force the developer to take action has its own set of ethical questions. 69.7.41.230 (talk) 18:15, 13 June 2012 (UTC)

"Some windows may never be closed, for example if they are hardwired in a device..."
Please fix. Either this article or Wikipedia's definition of "hardwired": "In computer programming, a kludge to temporarily or quickly fix a problem. Something that is not considered good programming practice." 87.112.9.121 (talk) 14:57, 13 March 2014 (UTC)

a previously unknown[by whom?] vulnerability in a computer application,
Incorrect, the vulnerability could be in the OS. It could be in firmware. The article even says it could be hardwired in. 87.112.9.121 (talk) 15:12, 13 March 2014 (UTC)

Explain the term.
eg: "The origin of the term is from researchers counting the number of days from when a vulnerability is reported to the developer to a fix being released. The next day would be one day, the same day is zero days. Researchers would call a previously developed attack a zero day attack because they would only know that retrospectively." 87.112.9.121 (talk) 15:14, 13 March 2014 (UTC)

... one that developers have had no time to address and patch.
As the article goes on to say the developers may have had time but may not want to fix for other reasons. As indicated elsewhere in the article a developer may be aware of a vulnerability when the software is first released and may not close the vulnerability because its too difficult to close, to expensive, would take too long and they need to get the software to market, they hope it is not discovered, security through obscurity, or even because it is there by design perhaps at the behest of the NSA. The NSA have been encouraging companies that produce computer systems to incorporate "backdoors" and flaws in algorithms so that they can access the data easier. 87.112.9.121 (talk) 15:16, 13 March 2014 (UTC)

Vulnerability windows and definitions
This comment was triggered by the article's statement "the average vulnerability window of a zero-day exploit is about 10 months". I believe the source for that statement was using a flawed definition, which I seek to clarify here.

When an exploit is developed against a secret vulnerability, any attack made using this exploit is not a Zero-day attack if carried out before the vulnerability is made public. This is because the definition of a Zero-day attack is that it uses an exploit taking advantage of publicly known vulnerability for which no fix is available. So there are three vulnerability windows, in order:


 * 1) Potential vulnerability window: theoretical/suspected attacks against unknown vulnerabilities.
 * 2) * Any attack exploiting the Heartbleed bug before 7 April 2014 was a theoretical attack because little/no evidence was available if/when an attack had taken place, and the vulnerability was not published yet.
 * 3) * A DDoS with an unknown cause would be a suspected attack because the attack vector used is not known, therefore a suspected vulnerability exists.
 * 4) Zero-day vulnerability window: as per the section in the article.
 * 5) * This includes systems that are out of security support, e.g. Windows XP
 * 6) Post-patch vulnerability window: a patch is available but systems that haven't been patched yet are vulnerable to the exploit.

Once a given system has been patched or access to the vulnerability blocked, it is no longer in a vulnerability window for this exploit.

It's important to realise that some people might think that any attack made during the Potential vulnerability window retrospectively becomes a Zero-day attack after publication of the vulnerability. This is not the case because an such an exploit has to have been developed from knowledge gained via the vulnerability's public release.

Triggers
All software starts in the Potential vulnerability window.

The Zero-day vulnerability window opens when a vulnerability is published, e.g.: by mainstream awareness of a released exploit; by public mailing list post detailing the vulnerability; by open-access distribution of an academic paper describing the vulnerability; by publicly confirmed bug report from a vendor; or co-ordinated disclosure by a CERT. This window is not open if the exploit is kept secret or if a vendor bug report does not include details of how to reproduce a failure.

The Post-patch vulnerability window is entered once software/OS vendors release a patch. Therefore some OSes or software versions would still be in the Zero-day vulnerability window if a patch for that version hasn't been released yet.

--AlastairIrvine (talk) 18:19, 10 April 2014 (UTC)

Definition is ill-defined
There are three basic moments in time:

(1) When the vulnerability is first 'discovered' (let's not treat the case where it is simultaneously discovered by multiple agents.)

(2) When the existence of the vulnerability is first 'made public' (let's not worry about exactly what that means, but rapid, wide-spread dissemination is the essence.)

(3) When the 'first' attack(s) occur(s). (Let's not worry about how these are detected/defined; 'significant impact' might be a criterion.)

Both the definition in the current article and the one pointed to at http://searchsecurity.techtarget.com/definition/zero-day-exploit suffer from essentially the same problem: they do not distinguish between (1) and(2), and it seems to me this is an important distinction in most cases.

DrTLesterThomas (talk) 19:13, 10 April 2014 (UTC)

Attack as a section under Zero-day
Hey guys, can you guys add your views about merging the three WP zero-day articles attack, virus and warez into one at: Talk:Zero_day. Thank you :)