Talk:Zero-day vulnerability

From Wikipedia, the free encyclopedia
(Redirected from Talk:Zero-day (computing))

Page title[edit]

Shouldn't it be called Zero-day malware? In my opinion, virus is too specific. — Preceding unsigned comment added by Alejo123 (talkcontribs) 01:29, 4 April 2011 (UTC)[reply]

I thought that it was "zero day." A part of the computer. — Preceding unsigned comment added by 24.187.145.47 (talk) 12:12, 12 July 2011 (UTC)[reply]
"0day" originally referred to exploits targeting vulnerabilities that are unknown to a vendor. When the exploit is used, the author originates the start of this unique attack activity, at "Day Zero" (everything starts at "0", not "1", in the world of computing). So, a true "0day worm" like Slammer spread via an 0day attacking CVE-2002-0649 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0649), which was unknown to Microsoft at the time. In more recent terms, Stuxnet was an 0day worm. It is very unusual to find true 0day malware - worms, client side remotes, whatever. The current "zero day virus" description on wikipedia follows the lame marketing department lingo at startups looking to take market share from AV vendors, who don't understand the original term, but want a catchy/flashy term to describe new variants of malware, which are commonplace. This lingo is also commonly used as an attempt to suggest that AV scanners detect fewer malware than they really do. Wikiksec (talk) 00:41, 16 February 2012 (UTC)[reply]
On the one hand, I agree that Zero-day malware is a better name for this article than Zero-day virus. On the other hand, I agree with Wikiksec's comments - the article may well not be encyclopedic. Time for a Wikipedia:AFD? --Elvey (talk) 03:15, 28 April 2012 (UTC)[reply]

virus as a section of zero-day[edit]

Hey guys, can you guys add your views about merging the three WP zero-day articles attack, virus (and/or also malware) and warez into one at: Talk:Zero_day. Thank you :)

Done,

footnote 11 leads to "page not found" for InfoWorld article on SONAR by Symantec — Preceding unsigned comment added by 12.157.110.195 (talk) 18:11, 7 June 2016 (UTC)[reply]

Warez[edit]

Warez doesn't really belong here IMO Deku-shrub (talk) 19:42, 17 May 2015 (UTC)[reply]

I agree and will wait a week or so for differing opinions DGerman (talk) 01:14, 10 July 2015 (UTC)[reply]

The usage of the term zero-day began with the warez scene, so why would the mention of warez not belong here?

Agree, zero day started in the 'cracking' scene (warez). If mentioned it should be in a history of the meaning section. --Jericho347 (talk) 01:40, 20 August 2022 (UTC)[reply]

"Undisclosed" ?[edit]

The lead sentence currently says that a zero-day vulnerability is one that is "undisclosed". Later in the article it's pretty clear that the vulnerability may be disclosed and still be considered a zero-day -- it just isn't fixed yet.

I suggest this should either be removed or modified to say "possibly undisclosed" or "disclosed or undisclosed", but I thought I'd discuss before going bold on it.--NapoliRoma (talk) 17:56, 9 November 2015 (UTC)[reply]

This page is a bit of a Frankenstein currently. In which section is the second reference you're referring to? I can't find it. Deku-shrub (talk) 20:03, 9 November 2015 (UTC)[reply]
More than anything I was referring to later in the lead paragraph, where it mentions that zero-day vulnerabilities may be exploited on the day that notice is released (which would mean that at that point, they are disclosed).
But on reflection, I think the "undisclosed vulnerability" description is accurate. I would now be more inclined to leave it as-is.--NapoliRoma (talk) 03:27, 10 November 2015 (UTC)[reply]

Zero day is just a "street slang" term; the article should be short and link readers to where they should really go.[edit]

The term "zero-day" is used because it sounds "cool", and it doesn't have much other meaning. Just like stoners think you sound like a guidance counselor if you say marijuana, leet haxorz think you sound like a PHB if you don't say zero-day, but otherwise it's just a newly discovered bug (or previously discovered and kept under wraps) that is exploitable. What's the difference between a virus and a zero day virus? Nothing except "is there a patch available for it?" So, this article should restrict itself to that, and keep the rest of the discussion about viruses vs worms etc. in the "real" articles. We don't have separate articles for "dime bag", "roofie", etc. where all the other info about the drugs is recapitulated, and nor should we recapitulate exploit info that belongs elsewhere in the zero-day article. The distinctions that are interesting are zero day vuln vs zero day exploit, and whether bugs are fixed in new releases, or if vulns or sploits have been predicted (based on the beta, specs or previous versions) and do exist on day zero of a new launch. 74.73.179.172 (talk) 18:27, 19 January 2016 (UTC)[reply]

My understanding of the term zero day has always been that it is an exploit that is being exploited by hackers "in the wild" for which there is not yet any published fix or mitigation. Hence you have zero days to get the patch out or whatever. If there has been no zero day attack then it's not a zero day vulnerability! BrianDGregory (talk) 22:57, 4 August 2020 (UTC)[reply]

Double Zero-Day?[edit]

When searching for Zero-Day exploit info the term Double Zero-Day comes up frequently and would be nice to be defined here as it seems related somehow. I could not find a definition and it may well just be something that the script kiddies use trying to look cool. But it would still be nice to have it laid out here. User:L00KnS33

I have not seen this term used anywhere. If you or anyone can come up with some citations it would be easier to evaluate it. I suspect you are right, just a random term to sound cool. --Jericho347 (talk) 01:40, 20 August 2022 (UTC)[reply]

The only real references I can find related to "double zero-day" all seem to be stories about two zero-day vulnerabilities cropping up at once. So I suspect that's all it is, a way of talking about (double) (zero-day {vulnerabilities|exploits|announcements}), not (double zero-day) ({vulnerabilities|exploits|announcements}). FeRDNYC (talk) 01:51, 4 April 2024 (UTC)[reply]

Name origins[edit]

This section is incoherent and unreferenced. It talks about 2 origins and then doesn't say what they are. Also unreferenced sections are usually removed. 69.86.6.150 (talk) 21:06, 6 May 2016 (UTC)[reply]

External links modified[edit]

Hello fellow Wikipedians,

I have just modified one external link on Zero-day (computing). Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

An editor has determined that the edit contains an error somewhere. Please follow the instructions below and mark the |checked= to true

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 17:37, 16 July 2016 (UTC)[reply]

This is some glitch in the bot, I guess. Debresser (talk) 18:48, 16 July 2016 (UTC)[reply]

External links modified[edit]

Hello fellow Wikipedians,

I have just modified 4 external links on Zero-day (computing). Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 11:17, 21 July 2016 (UTC)[reply]

Removed advertising-like sentence[edit]

Hey,

By reading this article a sentence related to Symantec antivirus seemed more like advertising than objective knowledge to me. I deleted it; feel free to restore it if you feel like it was not, but in this case please justify yourself here.

(talk)

0~Day[edit]

Zero-Day 41.47.143.81 (talk) 01:44, 10 August 2022 (UTC)[reply]

Requested move 26 August 2022[edit]

The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review after discussing it on the closer's talk page. No further edits should be made to this discussion.

The result of the move request was: no consensus. (closed by non-admin page mover) Extraordinary Writ (talk) 17:20, 10 September 2022 (UTC)[reply]


Zero-day (computing) → Zero-day – This article is the primary topic, between all the options on the Zero day disambiguation page. That page should be moved to Zero day (disambiguation) and Zero day should become a redirect to Zero-day. PhotographyEdits (talk) 12:27, 26 August 2022 (UTC) — Relisting. – robertsky (talk) 16:24, 2 September 2022 (UTC)[reply]

  • My first thought would be that zero-day exploit is the better title. The article deals more with exploiting of the vulnerabilities, than the concept of the vulnerability itself. -- Netoholic @ 13:15, 26 August 2022 (UTC)[reply]
  • Oppose. No primary topic here. -- Necrothesp (talk) 12:33, 31 August 2022 (UTC)[reply]
Neutral/Support. This Zero day page is the most popular page on the Zero day disambiguation page (by pageviews in the last 30 days). It has a Wiktionary definition as well with alternative spellings like "zero day", so a redirect would be appropriate and I do support moving Zero day to Zero day (disambiguation). I do not support removing (computing) from the title because I believe Google's infobox uses that information for clearer presentation and classification.
Gett Numbers (talk) 03:28, 1 September 2022 (UTC)[reply]
The (computing) suffix does not matter for Google. Even without that suffix, Google can infer that the article is about computing using other means PhotographyEdits (talk) 12:19, 6 September 2022 (UTC)[reply]
Note: WikiProject Computing has been notified of this discussion. – robertsky (talk) 16:24, 2 September 2022 (UTC)[reply]
Note: WikiProject Computer Security has been notified of this discussion. – robertsky (talk) 16:24, 2 September 2022 (UTC)[reply]
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Requested move 1 April 2024[edit]

The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review after discussing it on the closer's talk page. No further edits should be made to this discussion.

The result of the move request was: moved. Per consensus – robertsky (talk) 10:23, 10 April 2024 (UTC)[reply]


Zero-day (computing) → Zero-day vulnerability – If there is no consensus to make this the primary topic, at least we should use a natural disambiguation that is more precise about what the topic of the article is—undisclosed or unpatched vulnerabilities that may be used in exploits. Buidhe paid (talk) 19:57, 1 April 2024 (UTC)[reply]

Support — "zero-day" as a noun is merely a shorthand, when used that way it's always short for something like "zero-day vulnerability", "zero-day exploit", or "zero-day patch". (Which one depends on context.) This article, specifically, is about zero-day vulnerabilities. FeRDNYC (talk) 01:38, 4 April 2024 (UTC)[reply]
Support per FeRDNYC. Just using "Zero-day" as a title sounds weird to me. Arnav Bhate (talk) 13:03, 4 April 2024 (UTC)[reply]
  • Support My instinct is to support this concept being WP:PRIMARYTOPIC and moved to simply Zero-day, because that is how I know the term and it seems to be the only use of the term in the disambiguation page. I checked Oxford English dictionary and it says that "zero day" is a military invasion term in use from the 1910s and attested in publication in 1917. Wikipedia has no military zero-day articles, but has Zero Hour military articles. I am not sure that "zero-day" is still a military term outside of computing. This article is top 1% popularity by pageviews and more popular than all the other zero day articles put together, so I support it not having parenthetical disambiguation. "Zero-day vulnerability" is certainly the clearer option. "Zero-day attack" seems like an option too supported by some sources. I could support simply "zero-day" too. Bluerasberry (talk) 17:50, 8 April 2024 (UTC)[reply]
    The only difference between a zero-day attack and other cyberattacks is that the former takes advantage of a zero-day vulnerability. That is why my instinct is that the main topic is the vulnerability. Buidhe paid (talk) 21:45, 8 April 2024 (UTC)[reply]
  • Support as nominated. A hyphenated "Zero-day" implies an adjective describing a follow-on noun, which is not present, so I think leaving Zero-day as a redirect is best. Not necessarily opposed to changing the redirect target to this page instead of the dab since all entries on the dab page are un-hyphenated, but that can be handled outside this RM on the Talk page or at RfD. -2pou (talk) 23:01, 8 April 2024 (UTC)[reply]
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Undone changes 4th may 2023 / Attack vectors[edit]

Why?


"Unrelated to topic" seems to be a weak excuse. 0-Days can be funneled into your system via ad banners; it should be mentioned as a possible attack vector.

Also;

Physical access is the worst case, as any known and unfixed, unknown or made up instance of a 0-day (which is unknown, thus 0-days-to-fix) may end up in an active vulnerability of the end customer.


Regarding my typing:

Non-Native-English. Brew this one as however you like. 2003:C7:1F2D:9898:FCBE:F250:9EFE:6C4D (talk) 17:07, 4 May 2023 (UTC)[reply]

Zero-day attacks rely on software vulnerabilities (bugs etc). It has nothing to do with physical access to the computer. Ad banners normally come from web pages accessed via a network connection. Again, nothing to do with physical access. CodeTalker (talk) 17:27, 4 May 2023 (UTC)[reply]
My original statement mentioned that even trusted webpages may have included web banners, which may, on purpose or not, contain malicious code containing 0-days, which again may or may not be included by malicious means. THIS part is entirely disconnected from physical access.
Physical access is the wet dream for any user and any hacker. Twist and turn and solder and read out however you want. Physical access is a privacy danger in and of itself and can not be mentioned often enough, in my opinion. Also; 0-Days that won't work via TCP/IP may very well work with a USB stick inside your physical Plug&Play device. 2003:C7:1F2D:9898:FCBE:F250:9EFE:6C4D (talk) 17:39, 4 May 2023 (UTC)[reply]

Definition of a zero-day vulnerability[edit]

The current definition in the page: "A zero-day (also known as a 0-day) is a vulnerability in a computer system that was previously unknown to its developers or anyone capable of mitigating it." does miss some of the key points that (at least I) think are relevant for the term. First, it does not address if the vulnerability is publicly known or not. This would suggest that any vulnerability, at any time of software development, would be a zero-day. Furthermore it does not state that the vulnerability is exploitable, leaving it open if the vulnerability is actually deployed ever. So according to the definition, any development-time SW bugs with security aspects are zero days. Thinking in these terms, it would actually be hard to find a software vulnerability that was not a zero day: any vulnerability, at some point in time, is not known by any developer. What comes to exploitability, I would not state it is a requirement for a 0-day. Note that exploitability is a trait that may change in time, e.g. with new implementations themselves being secure may expose the vuln. Then, the notion that it is not known by any developer; how can you ever know if this is the case? There could very well be people that know there is a problem but did not have the time or means to fix it. Quickly googling the internet, I find a better definition in "https://www.trendmicro.com/vinfo/us/security/definition/zero-day-vulnerability": "A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched." I think that definition escapes many of the problems we have in this wiki definition today. Sure it can be polished, e.g. by stating "...for which there is no patch available yet" instead of possible misunderstanding that a non-patched system would have 0-days, just because an appropriate patch is not applied yet. To me, this discussion of the real and proper definition of a 0-day is important. 
The term is used often when talking about the security of software systems, and with various meanings. For example, if your strategy to mitigate 0-day (risks) would be to have the latest patches in the system, you would have totally missed the point. In the field of security we should use concise text to disseminate the real(istic) problems and risks, and to have matching mitigations for the risks assessed. 84.249.75.64 (talk) 11:19, 27 October 2023 (UTC)[reply]

I'll largely copy my second bullet point from the #Edit request discussion below, for my thoughts on the definition question.
I'm not sure a vulnerability in a system or device that has been disclosed but is not yet patched is really a useful definition from the end-user perspective. A zero-day vulnerability doesn't stop being a zero-day vulnerability when the vendor learns of it, nor when they release a patch.
This article by Paul Ducklin really cuts to the heart of it: zero-days, by definition, are bugs that the Bad Guys found first, so that there were zero days on which you could have patched proactively. What matters is not if the vendor knows about the vulnerability or has patched it. The important thing is when they knew about and patched it. Zero-day vulnerabilities are ones which the vendor was made aware of, and (hopefully!) for which they eventually release a patch, only after users' systems had already been exposed to possible attack. FeRDNYC (talk) 16:02, 6 April 2024 (UTC)[reply]

Edit request[edit]

Please replace the content of this page with User:Buidhe paid/zeroday.

To fix the issue in the tag—unsourced text—as well as outdated sources, I've rewritten according to reliable sources. I also expanded the article with more information about the zero-day market, how the danger of exploits changes over the window of vulnerability. I replaced the US government section with a history section to be less US-centric, and added two public domain charts to illustrate the article. Buidhe paid (talk) 07:12, 5 April 2024 (UTC)[reply]

There are some definite improvements in that version of the article. However, I feel there are some issues with it that should be addressed before it's adopted:
  • Extraordinary claims like "States are the primary users of zero-day vulnerabilities" really need to be cited; the fact that this statement is made in an entirely citation-free lead section is troubling.
  • With respect to the cited sources (primarily the Rand Corp. authors), I'm not sure a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available is really a useful definition from the end-user perspective — nor does the timeline graphic in the proposed version of the article really bear that definition out. A zero-day vulnerability doesn't stop being a zero-day vulnerability when the vendor learns of it, nor when they release a patch.

    This article by Paul Ducklin really cuts to the heart of it: zero-days, by definition, are bugs that the Bad Guys found first, so that there were zero days on which you could have patched proactively. That definition jibes with the timeline chart. What matters is not if the vendor knows about the vulnerability or has patched it. The important thing is when they knew about and patched it. Zero-day vulnerabilities are ones which the vendor was made aware of, and for which they released a patch, only after users' systems had already been exposed to possible attack.

  • Speaking of the charts — while I have no trouble accepting that commons:Threshold of originality#Charts says that those images are freely available for our use, since they're PNG images of primarily-textual data they're still not ideal for inclusion.
    • The timeline chart would be far better re-created in {{Graphical timeline}}, so that its information is accessible to more readers.
    • The pricing chart could also benefit from a vector re-creation, at a minimum, but that's kind of a secondary issue. I'm not convinced it belongs in this article at all. (Because...)
  • I kind of feel like the whole "Market" section is excessively detailed, and given WP:UNDUE prominence — especially since there's an entire Market for zero-day exploits article. That means that most of the information should live there instead; what appears in this article should be focused on how it relates to zero-day vulnerabilities. Anything that's more about the market itself (characteristics of the buyers and sellers, for example) should be in the other article instead.
FeRDNYC (talk) 15:53, 6 April 2024 (UTC)[reply]
Hi, thanks for responding.
  • First of all the lead is not cited because all the information is cited in the body. See WP:CITELEAD.
  • Second, while neither of the graphics is perfect, I think they are better than not having them. Improvements to the graphics can occur at a later date.
  • If the software is not released (or the bug is discovered by a vendor?) it does not have the same security risk and therefore may not be called a vulnerability. Zero day vulnerabilities are a subset of vulnerabilities and there are two main definitions found in published sources:
  • Based on patch status:
    • "A zero-day vulnerability is one for which no patch has been developed" Defender's Dilemma p. xvi
    • "a vulnerability in the software that has never been made public and for which there is no known fix." (O'Harrow)
    • " a zero-day is a software or hardware flaw for which there is no existing patch " (Perlroth)
    • "Zero-day vulnerabilities are vulnerabilities for which no patch or fix has been publicly released" (Ablon & Bogart 2017)
  • Based on knowledge status:
    • Zero-day vulnerabilities are "ones that are not publicly known" Sood & Enbody p.40 or "unknown to vendors and the general public" (116)
    • A zero-day vulnerability is "a security vulnerability that is not known to the software vendor or the wider security community." (Dellago, Simpson & Woods 2022)
Only one or two of the sources cited in the article suggest that the vulnerability must be discovered by someone other than the vendor to qualify.
The market section is prominent because that is an aspect dealt with at length in most of the sources, so I don't think it is UNDUE. In my view, it would make more sense to expand other parts of the article given that it is overall not long. Buidhe paid (talk) 19:41, 6 April 2024 (UTC)[reply]
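The two definition families listed above (patch status and knowledge status), together with the "attackers found it first" reading quoted from Paul Ducklin in this thread and in the "Definition of a zero-day vulnerability" section, are applied here to two constructed timelines as an added example; this is illustrative code, not part of the article or of any cited source, and every date is made up. It shows why the definitions disagree: a bug the vendor found and fixed itself is a "zero-day" under the patch-status reading until the patch ships, and under the knowledge-status reading only before anyone knows of it, while the exploitation-first reading is a permanent verdict that survives the patch.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union


@dataclass(frozen=True)
class VulnTimeline:
    """Key dates in one vulnerability's life; None means the event has not happened."""
    name: str
    vendor_aware: Optional[date]       # vendor learns of the flaw
    public_disclosure: Optional[date]  # flaw becomes publicly known
    patch_released: Optional[date]     # a fix is publicly available
    first_exploited: Optional[date]    # earliest known in-the-wild exploitation


def _happened(event: Optional[date], as_of: date) -> bool:
    return event is not None and event <= as_of


def zero_day_by_patch_status(t: VulnTimeline, as_of: date) -> bool:
    """Patch-status family (Defender's Dilemma, Perlroth, Ablon & Bogart):
    it is a zero-day while no patch is available on the given date."""
    return not _happened(t.patch_released, as_of)


def zero_day_by_knowledge_status(t: VulnTimeline, as_of: date) -> bool:
    """Knowledge-status family (Sood & Enbody; Dellago, Simpson & Woods):
    it is a zero-day while neither the vendor nor the public knows of it."""
    return not (_happened(t.vendor_aware, as_of)
                or _happened(t.public_disclosure, as_of))


def zero_day_by_exploitation_first(t: VulnTimeline) -> bool:
    """Ducklin-style reading: attackers used the flaw before any patch existed,
    so defenders had zero days to patch proactively. Independent of as_of."""
    if t.first_exploited is None:
        return False
    return t.patch_released is None or t.first_exploited < t.patch_released


def exposure_days(t: VulnTimeline, as_of: date) -> int:
    """Days users were exposed to known exploitation with no patch available,
    counted up to as_of (0 if no exploitation is known by then)."""
    if not _happened(t.first_exploited, as_of):
        return 0
    end = t.patch_released if _happened(t.patch_released, as_of) else as_of
    return max(0, (end - t.first_exploited).days)


def classify(t: VulnTimeline, as_of: Union[date, str]) -> dict:
    """Apply all three definitions to one timeline on one date (ISO string accepted)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return {
        "patch_status": zero_day_by_patch_status(t, as_of),
        "knowledge_status": zero_day_by_knowledge_status(t, as_of),
        "exploitation_first": zero_day_by_exploitation_first(t),
        "exposure_days": exposure_days(t, as_of),
    }


# Constructed sample timelines (hypothetical, not real CVEs).
INTERNAL_FIND = VulnTimeline(  # vendor finds and fixes its own bug; never exploited
    "internal-find", vendor_aware=date(2024, 1, 10), public_disclosure=date(2024, 2, 1),
    patch_released=date(2024, 2, 1), first_exploited=None)
EXPLOITED_FIRST = VulnTimeline(  # attackers used it first; patch came five weeks later
    "exploited-first", vendor_aware=date(2024, 1, 15), public_disclosure=date(2024, 1, 20),
    patch_released=date(2024, 2, 10), first_exploited=date(2024, 1, 5))

if __name__ == "__main__":
    for t in (INTERNAL_FIND, EXPLOITED_FIRST):
        for day in ("2024-01-05", "2024-01-25", "2024-03-01"):
            print(t.name, day, classify(t, day))
```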