Re: 0day: PDF pwns Windows

2007-09-25 Thread Steve Shockley

Thor (Hammer of God) wrote:

> For the record, the original term "O-Day" was coined by a dyslexic
> security engineer who listened to too much Harry Belafonte while working
> all night on a drink of rum.  It's true.  Really.

That's not true at all; after leaving the Little Rascals TV show,
William Thomas (Buckwheat) entered the fledgling field of security
research.  Whenever he'd discover a vulnerability, he'd shout "O-tay!".
His peers soon started calling vulnerabilities "O-tays" and through
typos and accents it eventually morphed into "O-days".


RE: 0day: PDF pwns Windows

2007-09-25 Thread Thor (Hammer of God)
For the record, the original term "O-Day" was coined by a dyslexic
security engineer who listened to too much Harry Belafonte while working
all night on a drink of rum.  It's true.  Really.
 
t

> -Original Message-
> From: Roland Kuhn [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 25, 2007 10:58 AM
> To: Lamont Granquist
> Cc: Chad Perrin; Crispin Cowan; [EMAIL PROTECTED]; Gadi Evron; pdp
> (architect); bugtraq@securityfocus.com; full-
> [EMAIL PROTECTED]
> Subject: Re: 0day: PDF pwns Windows
> 
> On 25 Sep 2007, at 00:57, Lamont Granquist wrote:
> 
> > The exploit is not made public by its use.  The exploit is not even
> > made public by (back-channel) sharing amongst the hacker/cracker
> > community. The exploit is only made public if detected or the
> > vulnerability is disclosed.  Until detected/disclosed the hacker/
> > cracker can use their 31337 0day spl01tz to break into whichever
> > vulnerable machines they like. 0day exploits are valuable because the
> > opposition is ignorant of them.
> >
> > Posting exploits to BUGTRAQ, however, inherently makes them not
> > 0day...
> 
> And my ignorant self thought until this thread that the "0" in the term
> referred to the number of days of head start granted to the vendor.
> Silly me. Because that would make all vulnerabilities published without
> prior warning to the vendor a "0day"...
> 
> Roland (who seems to remember that this was once the meaning of this
> term)


Re: 0day: PDF pwns Windows

2007-09-25 Thread Roland Kuhn

On 25 Sep 2007, at 00:57, Lamont Granquist wrote:

> The exploit is not made public by its use.  The exploit is not even
> made public by (back-channel) sharing amongst the hacker/cracker
> community. The exploit is only made public if detected or the
> vulnerability is disclosed.  Until detected/disclosed the hacker/
> cracker can use their 31337 0day spl01tz to break into whichever
> vulnerable machines they like. 0day exploits are valuable because
> the opposition is ignorant of them.
>
> Posting exploits to BUGTRAQ, however, inherently makes them not
> 0day...

And my ignorant self thought until this thread that the "0" in the
term referred to the number of days of head start granted to the
vendor. Silly me. Because that would make all vulnerabilities
published without prior warning to the vendor a "0day"...

Roland (who seems to remember that this was once the meaning of this
term)




Re: 0day: PDF pwns Windows

2007-09-25 Thread Iggy E

Hi Crispin,

I agree with almost everything you say until here:
"I continue to dismiss the requirement that an 0day be found
maliciously exploiting machines, because that requires inferring
intent."

IMO, everybody in this thread is taking this from an
inside-to-outside approach, whereas a '0day' is the opposite.

If I'm on a CERT team for a corporation then I don't give a flying F
if somebody's concocted a cool exploit for a vulnerability that
hasn't been patched; and moreover, I don't know about it.

I only care if there's malicious code running around in the real
world doing damage that has no patch for the vulnerability. That's
when I have to take some action or be completely helpless and in my
mind that's the only time I consider a '0day' to have any relevance.

Let me repeat: if it's a theoretical exploit, or even if it's hit
100,000 machines but has not been reported and is not "being in the
wild", then it has no relevance to me BECAUSE I DON'T KNOW THAT IT
EXISTS and therefore to me it is not 0day.

Only through normal channels doing my daily CERT work (dCERT, FrSIRT,
Secunia, etc.) if I see an exploit on an unpatched vulnerability
doing real damage is when I would ever consider the term '0day'.

Very respectfully,
Ignacio



--- Crispin Cowan <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] wrote:
> >> But then there is the important concept of the "private 0day", a new
> >> vulnerability that a malicious person has but has not used yet.
> >>
> > But the point is there is no such thing as a 0day *vulnerability*; there's
> > a 0day exploit, an exploit in the wild before the vulnerability is
> > discovered.
> >
> An excellent point. Sorry I overlooked that. Exploit development today
> is so fast that I tend to equate knowledge of a vulnerability with "...
> and can have an exploit by tomorrow afternoon."
> 
> >> Rather, I just treat "0day" as a synonym for "new vulnerability" and
> >> don't give a hoot about the alleged intentions of whoever discovered it.
> >> What makes it an "0" day is that whoever is announcing it is first to
> >> announce it in public. You could only invalidate the 0day claim by
> >> showing that the same vulnerability had previously been disclosed by
> >> someone else.
> >>
> > The point is that it is not supposed to be moniker for vulnerabilities;
> > it's a moniker for exploits.  In any other context it does not make sense.
> >
> > Specifically considering that "0-day exploit" is the only definition which
> > holds meaning with respect to a particular exploit over time.  "An exploit
> > which existed before the vulnerability was publicly known".
> >
> Yes, you are right. So "0day" is a class of exploits. Specifically, it
> is the class of exploits that are developed before the first available
> patch for the vulnerability in question.
> 
> But that race condition of whether the patch or the exploit is partially
> ordered, because they could be developed independently. There is the
> special case where the person who first discovered the vulnerability
> also develops either a patch or an exploit, in which case it is totally
> ordered. But in the general case where one person discovers the
> vulnerability, and two other people independently develop an exploit and
> a patch, you can't tell who finished first. All you can do is detect who
> published first.
> 
> So fair enough, an "0day exploit" is one that appears in public before
> the associated patch is published.
> 
> A "private 0day exploit" (the case I was concerned with) would be where
> someone develops an exploit, but does not deploy or publish it, holding
> it in reserve to attack others at the time of their choosing. Presumably
> if such a person wanted to keep it for very long, they would have to
> base it on a vulnerability that they themselves discovered, and did not
> publish.
> 
> I continue to dismiss the requirement that an 0day be found maliciously
> exploiting machines, because that requires inferring intent. IMHO, a POC
> exploit first posted to Bugtraq ahead of the patch counts as an 0day
> exploit, unless it has been so thoroughly obfuscated that the "proof"
> part of "proof of concept" is itself BS.
> 
> Crispin
> 
> -- 
> Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
> Director of Software Engineering   http://novell.com
> AppArmor Chat: irc.oftc.net/#apparmor
> 



  



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread J. Oquendo
Crispin Cowan wrote:

>
> This is a perfectly viable way to produce what amounts to Internet
> munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
> is an example of such a network brush war in which possession of such
> an arsenal would be very useful.
>
> Crispin

One would presume that governments across the world would have their
shares of unpublished exploits but with all the incidents of government
networks being compromised, I don't believe this to be the case. What
happened in Estonia though was nothing more than a botnet attack on
their infrastructure
(http://www.informationweek.com/showArticle.jhtml?articleID=199602023)
not an 0day attack.

0days defined as "unpublished exploit" wouldn't do much in a
cyberwarfare theater as country against country as the purpose of such
warfare would LIKELY be to disconnect/disrupt communications. In the
cases of industrial/country vs. country espionage it might (likely will)
be more effective for the long haul but in the short term, 0days will
be useless in this type of "cyberfight". Think about it logically, you
want to "disrupt" country X's communications, not tap them. You'd want
to make sure their physical army had no mechanism to communicate. You'd
want to make sure financially you would cripple them. Not worry about
injecting some crapware onto a machine for the sake of seeing what they're
doing.

Reconnaissance is usually something done beforehand to mitigate your
strategy. Not mitigate what's happening after you possibly sent 1Gb of
traffic down a 100Mb pipe.



-- 

J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





RE: 0day: PDF pwns Windows

2007-09-25 Thread Glenn.Everhart
Minor point:

No need to limit such accumulations to nation-states though. People interested
in fiddling with other peoples' computers have come up with attacks that don't
get instantly published at least since the 1970s, and have had more-or-less
private channels to communicate them. The motives these days, if you believe
the press, may be more around money than simple mischief, but the practice of
not disclosing bugs and exploits to the world has been with us a long time.
Such exploits are 0day exploits until someone gets wind of them who will do
something to defend against them. This can be a vendor, someone who publishes
workarounds for admins, or whatnot, the key point being that the "0day" issue
is one that pretty much all systems of the target type will be vulnerable to.

Once an exploit is widely used, it is likely to be noticed and cease to be
effective everywhere too. The recent stories about targeted attacks are I
expect partly devised to keep exploits working longer by avoiding this.

BTW the older use for "0day" to refer to warez that were newly cracked is
similar in that again the term refers to the fact that the vendor has not yet
had time to do anything to react to the crack or disallow use of the software.

Glenn Everhart


-Original Message-
From: Crispin Cowan [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 5:59 PM
To: Chad Perrin
Cc: [EMAIL PROTECTED]; Gadi Evron; pdp (architect);
bugtraq@securityfocus.com; [EMAIL PROTECTED]
Subject: Re: 0day: PDF pwns Windows


Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>   
>> A "private 0day exploit" (the case I was concerned with) would be where
>> someone develops an exploit, but does not deploy or publish it, holding
>> it in reserve to attack others at the time of their choosing. Presumably
>> if such a person wanted to keep it for very long, they would have to
>> base it on a vulnerability that they themselves discovered, and did not
>> publish.
>> 
> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit.  In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>   
It's a little less abstract than that. Consider that the United States
government might want to worry about whether some foreign nation is
banking a large pool of private 0day exploits in preparation for war.
Such a nation might farm these private 0day exploits by employing a pool
of vulnerability researchers and exploit developers, and just not
publish the results.

This is a perfectly viable way to produce what amounts to Internet
munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
<http://www.internetnews.com/security/article.php/3678606> is an example
of such a network brush war in which possession of such an arsenal would
be very useful.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor





Re: 0day: PDF pwns Windows

2007-09-25 Thread Lamont Granquist



On Sun, 23 Sep 2007, Chad Perrin wrote:

> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit.  In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.


The exploit is not made public by its use.  The exploit is not even made 
public by (back-channel) sharing amongst the hacker/cracker community. 
The exploit is only made public if detected or the vulnerability is 
disclosed.  Until detected/disclosed the hacker/cracker can use their 
31337 0day spl01tz to break into whichever vulnerable machines they like. 
0day exploits are valuable because the opposition is ignorant of them.


Posting exploits to BUGTRAQ, however, inherently makes them not 0day...


Re: 0day: PDF pwns Windows

2007-09-24 Thread Crispin Cowan
Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>   
>> A "private 0day exploit" (the case I was concerned with) would be where
>> someone develops an exploit, but does not deploy or publish it, holding
>> it in reserve to attack others at the time of their choosing. Presumably
>> if such a person wanted to keep it for very long, they would have to
>> base it on a vulnerability that they themselves discovered, and did not
>> publish.
>> 
> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit.  In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>   
It's a little less abstract than that. Consider that the United States
government might want to worry about whether some foreign nation is
banking a large pool of private 0day exploits in preparation for war.
Such a nation might farm these private 0day exploits by employing a pool
of vulnerability researchers and exploit developers, and just not
publish the results.

This is a perfectly viable way to produce what amounts to Internet
munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
 is an example
of such a network brush war in which possession of such an arsenal would
be very useful.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor



Re: 0day: PDF pwns Windows

2007-09-24 Thread Chad Perrin
On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
> 
> A "private 0day exploit" (the case I was concerned with) would be where
> someone develops an exploit, but does not deploy or publish it, holding
> it in reserve to attack others at the time of their choosing. Presumably
> if such a person wanted to keep it for very long, they would have to
> base it on a vulnerability that they themselves discovered, and did not
> publish.
> 
> I continue to dismiss the requirement that an 0day be found maliciously
> exploiting machines, because that requires inferring intent. IMHO, a POC
> exploit first posted to Bugtraq ahead of the patch counts as an 0day
> exploit, unless it has been so thoroughly obfuscated that the "proof"
> part of "proof of concept" is itself BS.

In the case of that "private zero day exploit", then, nobody will ever
know about it except the person that has it waiting in reserve -- and if
someone else discovers and patches the vulnerability before the exploit
is ever used, it never becomes a "public" zero day exploit.  In other
words, you can always posit that there's sort of a Heisenbergian state of
potential private zero day exploitedness, but in real, practical terms
there's no zero day anything unless it's public.

The moment you have an opportunity to measure it, the waveforms collapse.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Amazon.com interview candidate: "When C++ is your hammer, everything starts
to look like your thumb."


Re: Re: 0day: PDF pwns Windows

2007-09-24 Thread Lamont Granquist


I was under the impression that "0day" came from the hacking/cracking 
community and was synonymous with the concept of "private 0day" that has 
been used in this thread.


So, a hacker/cracker would have a variety of tools at their disposal 
including many exploits that were known to security professionals, 
vendors, and the public for various lengths of time, but also the "0day" 
exploits for which no vulnerable machines should be patched against.  As 
soon as the vulnerability is published, it no longer becomes a "0day" 
since even in the absence of vendor patches, admins could take actions to 
audit and protect their systems.


Under this definition, "0day" exploits should not be publicly disclosed 
and to be pedantic should be actively being used to break into systems. 
Exploits generated by the grey-hat community, not used for malicious 
reasons, and published before vendor patches exist would not have gone 
through the "0day" stage.  Neither would exploits generated for publicly 
known vulnerabilities before the vendor patches were released be 
considered "0day" since the vulnerability was publicly known and again 
there could be workarounds encountered by the hacker/cracker that would 
prevent gaining access.


It seems that the definition of the term has morphed in the past 10+ years 
though...


On Sat, 22 Sep 2007 [EMAIL PROTECTED] wrote:

> I think we're missing the point.  To my very limited knowledge, a zero 
> day vulnerability is a vulnerability that is released into the wild 
> before the vendor has notified its customers thereof, i.e. the person 
> who discovered the vulnerability decides to release it to parties other 
> than the vendor in question.
>
> This will most likely lead to a zero day exploit, which is an exploit 
> that "exploits" the vulnerability before the vendor releases a patch for 
> that vulnerability.
>
> This is just my view, but if it makes sense, use it as your own.
>
> Regards,
> Johan



Re: Re: 0day: PDF pwns Windows

2007-09-24 Thread johanfunsale
I think we're missing the point.  To my very limited knowledge, a zero day 
vulnerability is a vulnerability that is released into the wild before the 
vendor has notified its customers thereof, i.e. the person who discovered the 
vulnerability decides to release it to parties other than the vendor in 
question.

This will most likely lead to a zero day exploit, which is an exploit that 
"exploits" the vulnerability before the vendor releases a patch for that 
vulnerability.

This is just my view, but if it makes sense, use it as your own.

Regards,
Johan


Re: 0day: PDF pwns Windows

2007-09-24 Thread Crispin Cowan
[EMAIL PROTECTED] wrote:
>> But then there is the important concept of the "private 0day", a new
>> vulnerability that a malicious person has but has not used yet.
>> 
> But the point is there is no such thing as a 0day *vulnerability*; there's
> a 0day exploit, an exploit in the wild before the vulnerability is
> discovered.
>   
An excellent point. Sorry I overlooked that. Exploit development today
is so fast that I tend to equate knowledge of a vulnerability with "...
and can have an exploit by tomorrow afternoon."

>> Rather, I just treat "0day" as a synonym for "new vulnerability" and
>> don't give a hoot about the alleged intentions of whoever discovered it.
>> What makes it an "0" day is that whoever is announcing it is first to
>> announce it in public. You could only invalidate the 0day claim by
>> showing that the same vulnerability had previously been disclosed by
>> someone else.
>> 
> The point is that it is not supposed to be moniker for vulnerabilities;
> it's a moniker for exploits.  In any other context it does not make sense.
>
> Specifically considering that "0-day exploit" is the only definition which
> holds meaning with respect to a particular exploit over time.  "An exploit
> which existed before the vulnerability was publicly known".
>   
Yes, you are right. So "0day" is a class of exploits. Specifically, it
is the class of exploits that are developed before the first available
patch for the vulnerability in question.

But that race condition of whether the patch or the exploit is partially
ordered, because they could be developed independently. There is the
special case where the person who first discovered the vulnerability
also develops either a patch or an exploit, in which case it is totally
ordered. But in the general case where one person discovers the
vulnerability, and two other people independently develop an exploit and
a patch, you can't tell who finished first. All you can do is detect who
published first.

So fair enough, an "0day exploit" is one that appears in public before
the associated patch is published.

A "private 0day exploit" (the case I was concerned with) would be where
someone develops an exploit, but does not deploy or publish it, holding
it in reserve to attack others at the time of their choosing. Presumably
if such a person wanted to keep it for very long, they would have to
base it on a vulnerability that they themselves discovered, and did not
publish.

I continue to dismiss the requirement that an 0day be found maliciously
exploiting machines, because that requires inferring intent. IMHO, a POC
exploit first posted to Bugtraq ahead of the patch counts as an 0day
exploit, unless it has been so thoroughly obfuscated that the "proof"
part of "proof of concept" is itself BS.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Aaron Collins

An article with a little more info is available on Zdnet.
http://blogs.zdnet.com/security/?p=530

Thierry Zoller wrote:

> Dear All,
>
> pa> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> Is this the way responsible disclosure works these days ?
> "Adobe's representatives can contact me from the usual place."
>
> Wow, now that's coordinated release. Knowing the bugs that you found
> previously it should take 10 minutes to rediscover this one. Which
> makes this even worse.

  

-Aaron Collins




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Kevin Finisterre (lists)

Partial disclosure rocks...

-KF

On Sep 21, 2007, at 3:53 PM, Thierry Zoller wrote:

> Dear All,
>
> pa> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> Is this the way responsible disclosure works these days ?
> "Adobe's representatives can contact me from the usual place."
>
> Wow, now that's coordinated release. Knowing the bugs that you found
> previously it should take 10 minutes to rediscover this one. Which
> makes this even worse.
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7





Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread bugtraq
Can we close this thread now?

http://en.wikipedia.org/wiki/Zero_day

"A zero-day (or zero-hour) attack is a computer threat that exposes undisclosed 
or unpatched computer application vulnerabilities. Zero-day attacks take 
advantage of computer security holes for which no solution is currently 
available."


> Steven Adair wrote:
> > Not in my book.  I guess the people on this list are working off too many
> > different definitions of 0day.  0day to me is something for which there is
> > no patch/update at the time of the exploit being coded/used.  So if I code
> > an exploit for IE right now and they don't patch it until April September
> > 2008, it's a 0day exploit for a year.  It's not necessarily new and it
> > doesn't have to be used maliciously.
> > 
> > If I code an exploit (for which there is no patch) and use it on my own
> > servers, does that mean it's not 0day?  I don't think so.  If my WordPress
> > blog gets owned by pwnpress, that's not 0day.. there's patches/updates for
> > everything on there.  It just makes me an idiot for not upgrading.  Now if
> > I get hit with some WP exploit that's not patched, then that's another
> > [0-day] story.
> > 
> > Steven
> > securityzone.org
> > 
> 
> If you're going to steal a term from the biological community at least 
> use it in the same context.  The biological metaphor is getting 
> stretched so much that people forget that these terms have meaning 
> outside the IT realm.
> 
> -- 
> Wayne D. Hoxsie Jr.
> 
- Robert
http://www.cgisecurity.com/



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Thierry Zoller
Dear All,

pa> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
Is this the way responsible disclosure works these days ?
"Adobe’s representatives can contact me from the usual place."

Wow, now that's coordinated release. Knowing the bugs that you found
previously it should take 10 minutes to rediscover this one. Which
makes this even worse.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: 0day: PDF pwns Windows

2007-09-21 Thread J. Oquendo
[EMAIL PROTECTED] wrote:

> But a "0 day vulnerability" is meaningless as a definition; it applies to
> a vulnerability for exactly 24 hours and then is meaningless.  ALL 
> vulnerabilities were discovered at some point and had their 24 hours of
> "0 day fame" by your definition.  It just does not make sense.
> 
> Casper
> 

Should we now create a new term for the industry +0day or 1day. How
about? nowaday

-- 

J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





Re: Re: 0day: PDF pwns Windows

2007-09-21 Thread rmk115
I must concur with Gadi. "0day" does not apply. 
How the vulnerability comes to light does matter.

So far, all that has been exposed is "a vulnerability exists." If a PDF which 
exploits the vulnerability had circulated, then "0day" would apply. Active 
exploitation is the defining characteristic of "0day".

Otherwise all vulnerabilities would be "0day" vulnerabilities. The term would 
be meaningless.


RE: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Jeff Wells (jmwells)
"Fatboy?"

J.

-Original Message-
From: Joey Mengele [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 20, 2007 3:34 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows

Dear Fatboy,

Let's put aside for a minute the fact that you have no idea what 
you are talking about and let's also, for the benefit of this very 
valuable debate, assume your definition is correct. First, please 
prove this bug was never used in the wild. After that, please prove 
your credibility in the realm of defining words related to illegal 
computer hacking. Thanks.

J

P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2

___
"If today I stand here as a revolutionary, it is as a revolutionary 
against the Revolution." 


On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron <[EMAIL PROTECTED]> 
wrote:
>Impressive vulnerability, new. Not a 0day.
>
>Not to start an argument again, but fact is, people stop calling 
>everything a 0day unless it is, say WMF, ANI, etc. exploited in 
>the wild without being known.
>
>I don't like the mis-use of this buzzword.
>
>   Gadi.
>
>
>On Thu, 20 Sep 2007, pdp (architect) wrote:
>
>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>>
>> I am closing the season with the following HIGH Risk vulnerability:
>> Adobe Acrobat/Reader PDF documents can be used to compromise your
>> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
>> is to open a PDF document or stumble across a page which embeds one.
>>
>> The issue is quite critical given the fact that PDF documents are in
>> the core of today's modern business. This and the fact that it may
>> take a while for Adobe to fix their closed source product, are the
>> reasons why I am not going to publish any POCs. You have to take my
>> word for it. The POCs will be released when an update is available.
>>
>> Adobe's representatives can contact me from the usual place. My advice
>> for you is not to open any PDF files (locally or remotely). Other PDF
>> viewers might be vulnerable too. The issue was verified on Windows XP
>> SP2 with the latest Adobe Reader 8.1, although previous versions and
>> other setups are also affected.
>>
>> A formal summary and conclusion of the GNUCITIZEN bug hunt to be
>> expected soon.
>>
>> cheers
>>
>> -- 
>> pdp (architect) | petko d. petkov
>> http://www.gnucitizen.org
>>
>



Re: 0day: PDF pwns Windows

2007-09-21 Thread Casper . Dik

>But then there is the important concept of the "private 0day", a new
>vulnerability that a malicious person has but has not used yet.

But the point is there is no such thing as a 0day *vulnerability*; there's
a 0day exploit, an exploit in the wild before the vulnerability is
discovered.

By claiming all "new" vulnerabilities are 0day the term becomes completely
meaningless; by your reasoning there is no such thing as a non-0day
vulnerability; well, the next day it's no longer a 0day vulnerability but
the funny thing is that everybody keeps calling it that.

When a vulnerability is discovered you cannot be sure no-one found it
before; the only thing you can ever be sure of is whether at that point
an exploit was detected in the wild.


>I don't like this chain of logic. Whether a new vulnerability is an 0day
>or not depends entirely too much on the disclosure process, with funky
>race conditions in there.

But by your reasoning *all* vulnerabilities are 0day at some point; or
is the only exception those found by the vendor itself?

>Rather, I just treat "0day" as a synonym for "new vulnerability" and
>don't give a hoot about the alleged intentions of whoever discovered it.
>What makes it an "0" day is that whoever is announcing it is first to
>announce it in public. You could only invalidate the 0day claim by
>showing that the same vulnerability had previously been disclosed by
>someone else.


The point is that it is not supposed to be a moniker for vulnerabilities;
it's a moniker for exploits.  In any other context it does not make sense.

Specifically considering that "0-day exploit" is the only definition which
holds meaning with respect to a particular exploit over time.  "An exploit
which existed before the vulnerability was publicly known".

But a "0 day vulnerability" is meaningless as a definition; it applies to
a vulnerability for exactly 24 hours and then is meaningless.  ALL 
vulnerabilities were discovered at some point and had their 24 hours of
"0 day fame" by your definition.  It just does not make sense.

Casper



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Wayne D. Hoxsie Jr.

Steven Adair wrote:

Not in my book.  I guess the people on this list are working off too many
different definitions of 0day.  0day to me is something for which there is
no patch/update at the time of the exploit being coded/used.  So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year.  It's not necessarily new and it
doesn't have to be used maliciously.

If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day?  I don't think so.  If my WordPress
blog gets owned by pwnpress, that's not 0day... there are patches/updates for
everything on there.  It just makes me an idiot for not upgrading.  Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.

Steven
securityzone.org



If you're going to steal a term from the biological community at least 
use it in the same context.  The biological metaphor is getting 
stretched so much that people forget that these terms have meaning 
outside the IT realm.


--
Wayne D. Hoxsie Jr.


RE: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Michael Bitow

 Name calling and arguing about semantics is about as useful and
enjoyable as a fart in an elevator.

Sheesh.  I thought it was just the Quake players that got into e-peen
pissing contests.

And yes, I'm top-posting!



-Original Message-
From: Chad Perrin [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 20, 2007 11:10 AM
To: bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows

On Thu, Sep 20, 2007 at 06:34:03PM -0400, Joey Mengele wrote:
> Dear Fatboy,
> 
> Let's put aside for a minute the fact that you have no idea what you 
> are talking about and let's also, for the benefit of this very 
> valuable debate, assume your definition is correct. First, please 
> prove this bug was never used in the wild. After that, please prove 
> your credibility in the realm of defining words related to illegal 
> computer hacking. Thanks.

Tell me something -- what do *you* think "zero day" means that
differentiates it from "not zero day"?  I keep seeing people use the
term "zero day" (or "0day" or however you want to spell it) without any
regard for how this is meant to differentiate it from some alternative
to "zero day", and I have to wonder what these people think the term
means.  Do you just regard it as a way to make discovery of a
vulnerability as more "important" or "exciting"?  Why exactly use the
term if it has no meaning other than "look at this!"?

There is no such thing as a "zero day vulnerability".  A "zero day
exploit" is an exploit that has been used to compromise systems by the
"bad guys" before the "good guys" discovered it or, arguably, an exploit
being used by the "bad guys" before the "good guys" have developed a
patch for it.  It's not a proof of concept that no "bad guy" has any use
for, and it's not a vulnerability that someone outside of a vendor
discovered before the vendor announced its discovery.  If you have a
definition of the term "zero day" in a computer security context that
contradicts mine, I'd love to read your reasoning and see your sources.
After all, I can't learn anything new if I ignore things that I don't
already know.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
MacUser, Nov. 1990: "There comes a time in the history of any project when
it becomes necessary to shoot the engineers and begin production."


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Chad Perrin
On Fri, Sep 21, 2007 at 10:24:40AM -0400, Steven Adair wrote:
> Not in my book.  I guess the people on this list are working off too many
> different definitions of 0day.  0day to me is something for which there is
> no patch/update at the time of the exploit being coded/used.  So if I code
> an exploit for IE right now and they don't patch it until April September
> 2008, it's a 0day exploit for a year.  It's not necessarily new and it
> doesn't have to be used maliciously.
> 
> If I code an exploit (for which there is no patch) and use it on my own
> servers, does that mean it's not 0day?  I don't think so.  If my WordPress
> blog gets owned by pwnpress, that's not 0day... there are patches/updates for
> everything on there.  It just makes me an idiot for not upgrading.  Now if
> I get hit with some WP exploit that's not patched, then that's another
> [0-day] story.

The reason malicious use before there's a patch is significant is that it
indicates a greater risk profile for users of the software in question.
If it's being actively used to compromise systems, you can't just sit
around waiting for a patch and expect to call your systems "secure" in
any sense of the term: you have to find a work-around, or remove the
vulnerable systems from the environment in which they're vulnerable
(normally, this means "the Internet").  That's why the term zero day is
important, and why it should not be misused to refer to something
demonstrated in a lab somewhere but not publicly disclosed in any detail.

That's why it's important to differentiate between exploits "in the wild"
and discovered vulnerabilities or proofs of concept.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Baltasar Gracian: "A wise man gets more from his enemies than a fool from
his friends."


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread coderman
On 9/20/07, Crispin Cowan <[EMAIL PROTECTED]> wrote:
> ...
> Rather, I just treat "0day" as a synonym for "new vulnerability"

0day is a perspective; if it came out of nowhere and pwnd your ass it is 0day.


[that is, where you are on that clunky chain of disclosure process you
describe...]


Re: 0day: PDF pwns Windows

2007-09-21 Thread Crispin Cowan
Gadi Evron wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but fact is, people stop calling
> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
> wild without being known.
>
> I don't like the mis-use of this buzzword.
I respectfully disagree. By your definition, we have:

* "new vulnerability" is just what it sounds like
* "0day" is a "new vulnerability" that comes to public attention
  because someone used it maliciously

But then there is the important concept of the "private 0day", a new
vulnerability that a malicious person has but has not used yet.

Does it really matter how the new vulnerability came to light? Do you
really want to get into arguments about whether the person who
discovered it was malicious? Especially for "private 0days" where the
discoverer may be sitting on his discovery for some time, waiting for
the highest bidder to buy his result. If he sells it to criminals, then
it becomes an 0day, and if he sells it to a vulnerability marketing
company, then it is something else.

I don't like this chain of logic. Whether a new vulnerability is an 0day
or not depends entirely too much on the disclosure process, with funky
race conditions in there.

Rather, I just treat "0day" as a synonym for "new vulnerability" and
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an "0" day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
someone else.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Chad Perrin
On Thu, Sep 20, 2007 at 06:34:03PM -0400, Joey Mengele wrote:
> Dear Fatboy,
> 
> Let's put aside for a minute the fact that you have no idea what 
> you are talking about and let's also, for the benefit of this very 
> valuable debate, assume your definition is correct. First, please 
> prove this bug was never used in the wild. After that, please prove 
> your credibility in the realm of defining words related to illegal 
> computer hacking. Thanks.

Tell me something -- what do *you* think "zero day" means that
differentiates it from "not zero day"?  I keep seeing people use the term
"zero day" (or "0day" or however you want to spell it) without any regard
for how this is meant to differentiate it from some alternative to "zero
day", and I have to wonder what these people think the term means.  Do
you just regard it as a way to make discovery of a vulnerability as more
"important" or "exciting"?  Why exactly use the term if it has no
meaning other than "look at this!"?

There is no such thing as a "zero day vulnerability".  A "zero day
exploit" is an exploit that has been used to compromise systems by the
"bad guys" before the "good guys" discovered it or, arguably, an exploit
being used by the "bad guys" before the "good guys" have developed a
patch for it.  It's not a proof of concept that no "bad guy" has any use
for, and it's not a vulnerability that someone outside of a vendor
discovered before the vendor announced its discovery.  If you have a
definition of the term "zero day" in a computer security context that
contradicts mine, I'd love to read your reasoning and see your sources.
After all, I can't learn anything new if I ignore things that I don't
already know.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
MacUser, Nov. 1990: "There comes a time in the history of any project when
it becomes necessary to shoot the engineers and begin production."


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Gadi Evron

On Thu, 20 Sep 2007, Joey Mengele wrote:
> Dear Fatboy,
>
> Let's put aside for a minute the fact that you have no idea what

You like people on the heavy side? Psst... call me.

> you are talking about and let's also, for the benefit of this very
> valuable debate, assume your definition is correct. First, please
> prove this bug was never used in the wild. After that, please prove
> your credibility in the realm of defining words related to illegal
> computer hacking. Thanks.
>
> J
>
> P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2
>
> ___
> "If today I stand here as a revolutionary, it is as a revolutionary
> against the Revolution."
>
>
> On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron <[EMAIL PROTECTED]>
> wrote:
>> Impressive vulnerability, new. Not a 0day.
>>
>> Not to start an argument again, but fact is, people stop calling
>> everything a 0day unless it is, say WMF, ANI, etc. exploited in
>> the wild without being known.
>>
>> I don't like the mis-use of this buzzword.
>>
>> Gadi.
>>
>>
>> On Thu, 20 Sep 2007, pdp (architect) wrote:
>>
>>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>>>
>>> I am closing the season with the following HIGH Risk vulnerability:
>>> Adobe Acrobat/Reader PDF documents can be used to compromise your
>>> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
>>> is to open a PDF document or stumble across a page which embeds one.
>>>
>>> The issue is quite critical given the fact that PDF documents are in
>>> the core of today's modern business. This and the fact that it may
>>> take a while for Adobe to fix their closed source product, are the
>>> reasons why I am not going to publish any POCs. You have to take my
>>> word for it. The POCs will be released when an update is available.
>>>
>>> Adobe's representatives can contact me from the usual place. My advice
>>> for you is not to open any PDF files (locally or remotely). Other PDF
>>> viewers might be vulnerable too. The issue was verified on Windows XP
>>> SP2 with the latest Adobe Reader 8.1, although previous versions and
>>> other setups are also affected.
>>>
>>> A formal summary and conclusion of the GNUCITIZEN bug hunt to be
>>> expected soon.
>>>
>>> cheers
>>>
>>> --
>>> pdp (architect) | petko d. petkov
>>> http://www.gnucitizen.org





Re: 0day: PDF pwns Windows

2007-09-21 Thread pdp (architect)
None of them are related to this vulnerability. As far as I know, the
issue is brand new.

On 9/21/07, Antivirus Taneja <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Too interesting and dangerous... Last couple of months there was PDF
> spamming (Stocks Information) all over the internet... I analyzed those PDFs; I
> didn't find any such thing... Did you check them? Are they related to any
> vulnerability?
>
> Regards,
> Taneja Vikas
> http://annysoft.wordpress.com
>
>
>
> On 9/20/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
> > > My upcoming research features everything regarding this and the issue you
> > > have already discussed.
> >
> > really :).. which one... the one from last year?
> >
> > On 9/20/07, Aditya K Sood <[EMAIL PROTECTED]> wrote:
> > > pdp (architect) wrote:
> > > > http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> > > >
> > > > I am closing the season with the following HIGH Risk vulnerability:
> > > > Adobe Acrobat/Reader PDF documents can be used to compromise your
> > > > Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
> > > > is to open a PDF document or stumble across a page which embeds one.
> > > >
> > > > The issue is quite critical given the fact that PDF documents are in
> > > > the core of today's modern business. This and the fact that it may
> > > > take a while for Adobe to fix their closed source product, are the
> > > > reasons why I am not going to publish any POCs. You have to take my
> > > > word for it. The POCs will be released when an update is available.
> > > >
> > > > Adobe's representatives can contact me from the usual place. My advice
> > > > for you is not to open any PDF files (locally or remotely). Other PDF
> > > > viewers might be vulnerable too. The issue was verified on Windows XP
> > > > SP2 with the latest Adobe Reader 8.1, although previous versions and
> > > > other setups are also affected.
> > > >
> > > > A formal summary and conclusion of the GNUCITIZEN bug hunt to be
> > > > expected soon.
> > > >
> > > > cheers
> > > >
> > > >
> > > Hi
> > >
> > >  Your point is right. But there are a number of factors other
> > > than this in exploiting PDF in another sense. My latest research is
> > > working on the exploitation of PDF.
> > >
> > > Even if you look at the core, there is no restriction on READ in PDF
> > > in most of the versions. Only outbound data is filtered to some
> > > extent. You can even read the /etc/passwd file from inside a PDF.
> > >
> > > Other infection vectors include infection through Local Area Networks
> > > through sharing and printing PDF docs and all.
> > >
> > > My upcoming research features everything regarding this and the
> > > issue you have already discussed.
> > >
> > > Regards
> > > Aks
> > > http://ww.secniche.org
> > >
> > >
> > >
> >
> >
> > --
> > pdp (architect) | petko d. petkov
> > http://www.gnucitizen.org
> >
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Steven Adair
Not in my book.  I guess the people on this list are working off too many
different definitions of 0day.  0day to me is something for which there is
no patch/update at the time of the exploit being coded/used.  So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year.  It's not necessarily new and it
doesn't have to be used maliciously.

If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day?  I don't think so.  If my WordPress
blog gets owned by pwnpress, that's not 0day... there are patches/updates for
everything on there.  It just makes me an idiot for not upgrading.  Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.

Steven
securityzone.org

> Gadi Evron wrote:
>> Impressive vulnerability, new. Not a 0day.
>>
>> Not to start an argument again, but fact is, people stop calling
>> everything a 0day unless it is, say WMF, ANI, etc. exploited in the
>> wild without being known.
>>
>> I don't like the mis-use of this buzzword.
> I respectfully disagree. By your definition, we have:
>
> * "new vulnerability" is just what it sounds like
> * "0day" is a "new vulnerability" that comes to public attention
>   because someone used it maliciously
>
> But then there is the important concept of the "private 0day", a new
> vulnerability that a malicious person has but has not used yet.
>
> Does it really matter how the new vulnerability came to light? Do you
> really want to get into arguments about whether the person who
> discovered it was malicious? Especially for "private 0days" where the
> discoverer may be sitting on his discovery for some time, waiting for
> the highest bidder to buy his result. If he sells it to criminals, then
> it becomes an 0day, and if he sells it to a vulnerability marketing
> company, then it is something else.
>
> I don't like this chain of logic. Whether a new vulnerability is an 0day
> or not depends entirely too much on the disclosure process, with funky
> race conditions in there.
>
> Rather, I just treat "0day" as a synonym for "new vulnerability" and
> don't give a hoot about the alleged intentions of whoever discovered it.
> What makes it an "0" day is that whoever is announcing it is first to
> announce it in public. You could only invalidate the 0day claim by
> showing that the same vulnerability had previously been disclosed by
> someone else.
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
> Director of Software Engineering   http://novell.com
>   AppArmor Chat: irc.oftc.net/#apparmor
>
>
>




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread pdp (architect)
back online - too many users...

On 9/21/07, Rohit Srivastwa <[EMAIL PROTECTED]> wrote:
> And your website is down at this moment
>
> http://www.gnucitizen.org/   403
> http://www.gnucitizen.org/blog/   403
> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows 404
>
> Is it a reverse attack by someone hurt :)
>
> --Through the Firewall,Out the Router,Down the T1,Across the Backbone,Bounced 
> from Satellite  Nothing but the Internet
>
> - Original Message 
> From: pdp (architect) <[EMAIL PROTECTED]>
> To: bugtraq@securityfocus.com; [EMAIL PROTECTED]
> Sent: Thursday, September 20, 2007 6:51:33 PM
> Subject: [Full-disclosure] 0day: PDF pwns Windows
>
> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>
> I am closing the season with the following HIGH Risk vulnerability:
> Adobe Acrobat/Reader PDF documents can be used to compromise your
> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
> is to open a PDF document or stumble across a page which embeds one.
>
> The issue is quite critical given the fact that PDF documents are in
> the core of today's modern business. This and the fact that it may
> take a while for Adobe to fix their closed source product, are the
> reasons why I am not going to publish any POCs. You have to take my
> word for it. The POCs will be released when an update is available.
>
> Adobe's representatives can contact me from the usual place. My advice
> for you is not to open any PDF files (locally or remotely). Other PDF
> viewers might be vulnerable too. The issue was verified on Windows XP
> SP2 with the latest Adobe Reader 8.1, although previous versions and
> other setups are also affected.
>
> A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected 
> soon.
>
> cheers
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Rohit Srivastwa
And your website is down at this moment

http://www.gnucitizen.org/   403
http://www.gnucitizen.org/blog/   403
http://www.gnucitizen.org/blog/0day-pdf-pwns-windows 404

Is it a reverse attack by someone hurt :)
 
--Through the Firewall,Out the Router,Down the T1,Across the Backbone,Bounced 
from Satellite  Nothing but the Internet

- Original Message 
From: pdp (architect) <[EMAIL PROTECTED]>
To: bugtraq@securityfocus.com; [EMAIL PROTECTED]
Sent: Thursday, September 20, 2007 6:51:33 PM
Subject: [Full-disclosure] 0day: PDF pwns Windows

http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issue was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.

cheers

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Joey Mengele
Dear Fatboy,

Let's put aside for a minute the fact that you have no idea what 
you are talking about and let's also, for the benefit of this very 
valuable debate, assume your definition is correct. First, please 
prove this bug was never used in the wild. After that, please prove 
your credibility in the realm of defining words related to illegal 
computer hacking. Thanks.

J

P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2

___
"If today I stand here as a revolutionary, it is as a revolutionary 
against the Revolution." 


On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron <[EMAIL PROTECTED]> 
wrote:
>Impressive vulnerability, new. Not a 0day.
>
>Not to start an argument again, but fact is, people stop calling
>everything a 0day unless it is, say WMF, ANI, etc. exploited in the
>wild without being known.
>
>I don't like the mis-use of this buzzword.
>
>   Gadi.
>
>
>On Thu, 20 Sep 2007, pdp (architect) wrote:
>
>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>>
>> I am closing the season with the following HIGH Risk vulnerability:
>> Adobe Acrobat/Reader PDF documents can be used to compromise your
>> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
>> is to open a PDF document or stumble across a page which embeds one.
>>
>> The issue is quite critical given the fact that PDF documents are in
>> the core of today's modern business. This and the fact that it may
>> take a while for Adobe to fix their closed source product, are the
>> reasons why I am not going to publish any POCs. You have to take my
>> word for it. The POCs will be released when an update is available.
>>
>> Adobe's representatives can contact me from the usual place. My advice
>> for you is not to open any PDF files (locally or remotely). Other PDF
>> viewers might be vulnerable too. The issue was verified on Windows XP
>> SP2 with the latest Adobe Reader 8.1, although previous versions and
>> other setups are also affected.
>>
>> A formal summary and conclusion of the GNUCITIZEN bug hunt to be
>> expected soon.
>>
>> cheers
>>
>> -- 
>> pdp (architect) | petko d. petkov
>> http://www.gnucitizen.org
>>
>



Re: 0day: PDF pwns Windows

2007-09-20 Thread Aditya K Sood

pdp (architect) wrote:

http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issue was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.

cheers

  

Hi

Your point is right. But there are a number of factors other than this
in exploiting PDF in another sense. My latest research is working on the
exploitation of PDF.

Even if you look at the core, there is no restriction on READ in PDF
in most of the versions. Only outbound data is filtered to some extent. You
can even read the /etc/passwd file from inside a PDF.

Other infection vectors include infection through Local Area Networks
through sharing and printing PDF docs and all.

My upcoming research features everything regarding this and the issue you
have already discussed.

Regards
Aks
http://ww.secniche.org




Re: 0day: PDF pwns Windows

2007-09-20 Thread pdp (architect)
> My upcoming research features everything regarding this and the issue you
> have already discussed.

really :).. which one... the one from last year?

On 9/20/07, Aditya K Sood <[EMAIL PROTECTED]> wrote:
> pdp (architect) wrote:
> > http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> >
> > I am closing the season with the following HIGH Risk vulnerability:
> > Adobe Acrobat/Reader PDF documents can be used to compromise your
> > Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
> > is to open a PDF document or stumble across a page which embeds one.
> >
> > The issue is quite critical given the fact that PDF documents are in
> > the core of today's modern business. This and the fact that it may
> > take a while for Adobe to fix their closed source product, are the
> > reasons why I am not going to publish any POCs. You have to take my
> > word for it. The POCs will be released when an update is available.
> >
> > Adobe's representatives can contact me from the usual place. My advice
> > for you is not to open any PDF files (locally or remotely). Other PDF
> > viewers might be vulnerable too. The issue was verified on Windows XP
> > SP2 with the latest Adobe Reader 8.1, although previous versions and
> > other setups are also affected.
> >
> > A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected 
> > soon.
> >
> > cheers
> >
> >
> Hi
>
>  Your point is right. But there are a number of factors other
> than this in exploiting PDF in another sense. My latest research is
> working on the exploitation of PDF.
>
> Even if you look at the core, there is no restriction on READ in PDF
> in most of the versions. Only outbound data is filtered to some extent.
> You can even read the /etc/passwd file from inside a PDF.
>
> Other infection vectors include infection through Local Area Networks
> through sharing and printing PDF docs and all.
>
> My upcoming research features everything regarding this and the issue
> you have already discussed.
>
> Regards
> Aks
> http://ww.secniche.org
>
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org


Re: 0day: PDF pwns Windows

2007-09-20 Thread Gadi Evron

Impressive vulnerability, new. Not a 0day.

Not to start an argument again, but fact is, people stop calling 
everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild 
without being known.


I don't like the mis-use of this buzzword.

Gadi.


On Thu, 20 Sep 2007, pdp (architect) wrote:


http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issue was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.

cheers

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



0day: PDF pwns Windows

2007-09-20 Thread pdp (architect)
http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issue was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.

cheers

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org