Sunday, 10 December 2006

0-days and the Hollywood movies

It is more and more common to see the term '0-day' or 'zero day' in the marketing stuff, most cases from IDS and/or IPS vendors. This is something that they easily claim but they never tell anything more about it. Yes, I know, 0-days is a cool and nifty word and if you say to your customers that your appliance protects from '0-days' in the moment you deploy it, it is something that will increase your sales rate, ooooopppsss!!!

But, what is a 0-day? According to the Wikipedia: 'Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release'. In summary, something that you get even before it gets released. The Wikipedia has also another definition more related to this post subject: 'Zero-Day exploits are released before, or on the same day the vulnerability — and, sometimes, the vendor patch — are released to the public. The term derives from the number of days between the public advisory and the release of the exploit'. So in this case it is a well-known vulnerability (with its exploit) that has not a patch available from the vendor. Hmm, and what about the private vulnerabilities that even the vendors don't know anything about? Not only the individual's exploits, but the companies focused on this market (iDefense, Tippingpoint, ...) Because both those individuals and companies have vulnerabilites during some period of time without notifying the vendors. Do all the IDS/IPS/Anti-XXX protect their customers from those vulns? Come on product managers, try not to make up your statements.

Regarding to the 0-days, there is an innitiative from some known security guys (ZERT) that provides some patches for those vulnerabilities that are public but the vendor hasn't released the patch. Although their effort is something worth, I don't think is something valid. I wouldn't rely on applying those unofficial patches to my boxes, that it is something that I would leave to my vendor (and something that I would complain about and request the support if needed). I'd prefer other workarounds that could protect me against those vulnerabilities, even using those IPS that announces the 0-day protection if they can be customed to protect me (that is another BIG problem nowadays, they can effectively detect a new vulnerability if they have the signature, but they can be easily faked).

Anyway, if you are interested about the public 0-days, there is an interesting page from Eeye that lists them all: Zero day tracker

No comments: