So I was sitting with a group of people recently – experts, as it were – discussing “bad things on the internet”. Someone turned over his shoulder back towards us and asked “So, what exactly is a 0day?” In context, he was asking “Where does the term come from?” because, in the conversation, it was being used to describe some exploits that we, as the “good guys”, all knew about – and had for some time. The answer he got disturbed me a bit: “Exploits and vulnerabilities that have not been patched.”

Really?

What gives? 0days/0-days/zero days used to mean (generally speaking) those exploits about which neither the vendor nor the “good guys” knew anything. I.e., “zero days” had passed since a solution -could have- begun being developed. I like About.com’s phrasing:

“A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor.”

A flaw that the vendor and the response community have known about for months but which the vendor hasn’t addressed is NOT a 0day – it’s an unpatched problem :P (In some cases the time from the issue being known about until the vendor patched it has exceeded a decade.)

I’m trying to figure out how we got to this perceived definition, and I wonder if it’s our refusal to come to grips with the fact that there are hundreds/thousands of security flaws running around out there that “the bad guys” know about (and use) that the “good guys” don’t have a clue about. We run around patching things as if, if only we could reduce the time it takes to patch systems to near-zero, we would somehow be measurably more secure.

If we just write the truly severe part of the vulnerability window – where there are vulnerabilities and exploits we don’t know about – out of our language/definitions, it won’t exist, right?

Right?

Bueller?