Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] 0day: PDF pwns Windows

from [Lamont Granquist] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows
Date: Mon, 24 Sep 2007 15:57:41 -0700 (PDT) 


On Sun, 23 Sep 2007, Chad Perrin wrote:

In the case of that "private zero day exploit", then, nobody will ever
know about it except the person that has it waiting in reserve -- and if
someone else discovers and patches the vulnerability before the exploit
is ever used, it never becomes a "public" zero day exploit.  In other
words, you can always posit that there's sort of a Heisenbergian state of
potential private zero day exploitedness, but in real, practical terms
there's no zero day anything unless it's public.

The moment you have an opportunity to measure it, the waveforms collapse.


The exploit is not made public by its use.  The exploit is not even made 
public by (back-channel) sharing amongst the hacker/cracker community. 
The exploit is only made public if detected or the vulnerability is 
disclosed.  Until detected/disclosed the hacker/cracker can use their 
31337 0day spl01tz to break into whichever vulnerable machines they like. 
0day exploits are valuable because the opposition is ignorant of them.

Posting exploits to BUGTRAQ, however, inherently makes them not 0day...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] [USN-518-1] Linux kernel vulnerabilities, Kees Cook
Next by Date:  Re: [Full-disclosure] 0day: PDF pwns Windows, Glenn.Everhart
Previous by Thread:  Re: [Full-disclosure] 0day: PDF pwns Windows, J. Oquendo
Next by Thread:  Re: 0day: PDF pwns Windows, Roland Kuhn
Indexes:  [Date] [Thread] [Top] [All Lists]