There is an interesting discussion this week on the Full Disclosure mailing list about the definition of “0day.” Oddly, what seems like an old term clearly has no universally understood definition; usage varies widely, dramatically so. Then again, FD is a fairly argumentative list, with some people arguing anything just to argue. Still, the lack of clarity in some of our most widespread terms is interesting.
My take on 0day, which I’ve used ever since I first heard the term many years ago, is pretty much the same as the Wikipedia entry. To me, a 0day is an exploit released before solutions or patches have been disseminated by the vendor. Under that definition, a new strain of a virus exploiting a known vulnerability would not be a 0day, but a new worm exploiting a new vulnerability would qualify. A side question is whether something is still a 0day to someone who has already seen it and provided a workaround, even though they are not the vendor. To me, 0days are somewhat unstoppable exploits, mitigated by defense in depth / layered defenses.
And don’t even bring up “less than 0day,” as I feel dumber each time I hear that term…
Less than 0day is just bullshit marketing terminology to ‘ooo’ and ‘ahhh’ mindless security practitioners and benighted managers.
0day to me means “code exploiting an unknown or an unpatched vulnerability.” This includes targeted attacks where the exploit and vulnerability are not publicly known (which some vendors like to call the ‘less than 0day’).