What is a “zero day vulnerability”? It’s a term that is frequently used in the vulnerability disclosure ecosystem. I have blogged on this topic frequently and reading some of this will give more history and context, so I won’t rehash everything. If you read one blog, make it “No One Will Burn A Zero Day On You” perhaps. At the top I say that the term zero day “refers to zero day vulnerabilities, ones that are not publicly known at all.” More specifically, ones that are not publicly known until they are discovered actively being used in the wild. In 2022 I defined it as:
Zero-days (0-days and other variations) are exploitable vulnerabilities that the general public is unaware of—often being known by only one or few people.
However, I qualified that to show that the definition meant an incredible number of vulnerabilities are zero-days, and that all vulnerabilities are at some point. Bottom line, historically, a zero-day meant it was a vulnerability that was either “not known to anyone” in so many words, or “not known to anyone until it popped a company”. The hacking and security scene in the 90’s and 00’s, as best I recall, favored the latter.
You might think that after decades, this term would not be in contention, but unfortunately it is. As I was writing this blog, Patrick Garrity asked me about my “general thoughts on the term ‘zero day’ and the use of it.” So why am I writing about the topic, yet again? Because several media outlets have seemingly decided to change the definition slightly, and all at the same time apparently. Before we get to the media outlets, let’s take a look at how others in the industry define a zero day, in the order Google search showed me. Note that Wikipedia was not first, showing that SEO is still alive and well.

- Trend Micro: A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.
- HPE: A zero-day vulnerability is an undiscovered flaw in an application or operating system, a gap in security for which there is no defense or patch because the software maker does not know it exists—they’ve had “zero days” to prepare an effective response.
- IBM: A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. “Zero day” refers to the fact that the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems.
- Crowdstrike: The term “Zero-Day” is used when security teams are unaware of their software vulnerability, and they’ve had “0” days to work on a security patch or an update to fix the issue.
- Wikipedia: A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it.
From the first definition we can see problems. Trend Micro’s two-sentence definition is actually a bit contradictory. The first sentence literally applies to many thousands of vulnerabilities every year, while the second sentence seriously qualifies it and drops it to hundreds. HPE is akin to the first Trend sentence and again applies to a ridiculous number of vulnerabilities. IBM is accurate, but it is subtle and could be read two ways. Specifically, “that takes advantage of” could be interpreted as being exploited in the wild, or more generically, and then we’re back to applying to thousands. Crowdstrike and even Wikipedia are in the HPE camp and, again, not accurate to me and many others.
Using the more generic definition of any vulnerability that is public without a patch just dilutes the meaning. Amusingly, we’ll see how it leads to a circular reference and contradiction here shortly. Let’s take CVE-1999-0317 as an example and see if it is a zero day according to the definitions above. “Buffer overflow in Linux su command gives root access to local users.” Not much to go on, since the description includes very little, but it is a public vulnerability and there is no patch. The CVE Editorial Board comments are more informative than the CVE ID in this case. So what’s the verdict, zero day or not?
The answer is no. First, it isn’t a valid vulnerability, as no one could confirm it, except allegedly the original poster. Second, to VulnDB this is “Myth/Fake”, meaning that as best we can tell it wasn’t a failure in technical analysis or a legitimate mistake; rather, it was just bogus from the start. Third, there clearly is no active exploitation of this issue. However, per some of the zero day definitions above, this 25 year old “vulnerability” would qualify. Pretty ridiculous, right?
So here we are, where the definition of a zero day has blurred seriously, even leading to the actual subject matter of this blog. Let’s look at some recent articles that cover the “sixth zero day” in Google Chrome that was recently patched. First and foremost, it is important to note that none of the articles actually define the term. Apparently, each outlet including Forbes thinks that their readers know what it means, and does not understand there are multiple definitions of the term.
Let’s begin with the simple question: does Google Chrome have six zero day vulnerabilities patched this year? Again, it completely depends on the definition you use, unless you are one of these media outlets, several of which literally break both definitions. Where I take issue with these articles specifically is that of the six “zero day” vulnerabilities, three were disclosed at a Pwn2Own competition where the vendors had access to the information. Per Wikipedia, and this is the important part, “with ZDI reporting vulnerabilities to vendors before going public with the hacks.” The fact that the researcher, ZDI, and the vendor all know about the vulnerability before it is made public means these are not zero day vulnerabilities.
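To make the disagreement concrete, here is an added example (not code from the original post) that writes the competing definitions quoted above as predicates and applies them to constructed vulnerability records: CVE-1999-0317 modelled exactly as described above, and six 2024 Chrome bugs modelled only by the properties given here (three reported to the vendor via Pwn2Own/ZDI before going public, three patched after in-the-wild exploitation). The record fields, the Chrome record names and their attribute values are assumptions, not real CVE data; the point is that the same six bugs count as zero, three or six zero-days depending on which definition you pick.

```python
"""Added example, not code from the original post: the competing definitions of
"zero day" quoted in the post, written as predicates and applied to constructed
vulnerability records so the disagreement between them shows up as a count.
Record fields, the Chrome record names and their values are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    confirmed: bool                       # independently reproducible, not Myth/Fake
    vendor_notified_before_public: bool   # coordinated disclosure (e.g. via ZDI)
    exploited_in_wild: bool               # attacks observed before the fix existed
    patched_at_disclosure: bool           # a fix existed when the bug went public


Definition = Callable[[VulnRecord], bool]


def public_without_patch(v: VulnRecord) -> bool:
    """Trend Micro's first sentence: disclosed but not yet patched."""
    return not v.patched_at_disclosure


def vendor_unaware(v: VulnRecord) -> bool:
    """HPE / Crowdstrike / Wikipedia camp: the vendor had zero days' notice."""
    return not v.vendor_notified_before_public


def exploited_before_known(v: VulnRecord) -> bool:
    """The historical meaning: a real bug that was found because it was being
    used in the wild before the vendor knew about it."""
    return v.confirmed and v.exploited_in_wild and not v.vendor_notified_before_public


DEFINITIONS: Dict[str, Definition] = {
    "public_without_patch": public_without_patch,
    "vendor_unaware": vendor_unaware,
    "exploited_before_known": exploited_before_known,
}


def count_zero_days(records: Iterable[VulnRecord], definition: Definition) -> int:
    """How many of the records a given definition calls a zero-day."""
    return sum(1 for v in records if definition(v))


def tally(records: Iterable[VulnRecord]) -> Dict[str, int]:
    """The same records counted under every definition at once."""
    records = list(records)
    return {name: count_zero_days(records, d) for name, d in DEFINITIONS.items()}


# Constructed record: CVE-1999-0317 as the post describes it, i.e. public,
# never fixed, never confirmed by anyone but the poster, never seen exploited.
SU_OVERFLOW = VulnRecord("CVE-1999-0317", confirmed=False,
                         vendor_notified_before_public=False,
                         exploited_in_wild=False, patched_at_disclosure=False)

# Constructed records for the six 2024 Chrome bugs. The IDs are placeholders,
# not real CVE numbers; only the properties the post states are modelled.
CHROME_2024: List[VulnRecord] = [
    VulnRecord(f"chrome-2024-pwn2own-{i}", confirmed=True,
               vendor_notified_before_public=True,
               exploited_in_wild=False, patched_at_disclosure=True)
    for i in range(1, 4)
] + [
    VulnRecord(f"chrome-2024-itw-{i}", confirmed=True,
               vendor_notified_before_public=False,
               exploited_in_wild=True, patched_at_disclosure=True)
    for i in range(1, 4)
]


if __name__ == "__main__":
    for name, d in DEFINITIONS.items():
        print(f"{name:24s} CVE-1999-0317={str(d(SU_OVERFLOW)):5s} "
              f"Chrome 2024 count={count_zero_days(CHROME_2024, d)}")
```

Run as a script it prints one line per definition. The "public without patch" reading calls the bogus su overflow a zero-day while counting none of the six Chrome bugs; the "vendor unaware" and in-the-wild readings both count the three exploited bugs and exclude the three Pwn2Own reports, and none of the three reaches the six the headlines quote.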
That means the articles don’t define “zero day”, not all of them mention some were disclosed via Pwn2Own, and all of them get the number of 2024 Google Chrome zero-days wrong. Here are the offenders:
Dark Reading: Dangerous Google Chrome Zero-Day Allows Sandbox Escape
“It’s the second zero-day that Google has patched in the past week, and the sixth for the year so far.”
BleepingComputer: Google fixes fifth Chrome zero-day exploited in attacks this year
“Google has released a security update for the Chrome browser to fix the fifth zero-day vulnerability exploited in the wild since the start of the year.”
[This may be the biggest offender, as Pwn2Own most certainly isn’t “in the wild”.]
BleepingComputer: Google Chrome emergency update fixes 6th zero-day exploited in 2024
“This latest Google Chrome vulnerability is the sixth zero-day bug discovered and fixed in the popular web browser since the start of the year.”
SC Magazine: Google patches fifth Chrome zero-day of 2024
“Google on Thursday released a patch for the Chrome browser for Mac and Windows, the fifth zero-day exploited for Chrome in 2024.”
Ars Technica: Google patches its fifth zero-day vulnerability of the year in Chrome
“Counting this latest vulnerability, Google has fixed five zero-days in Chrome so far this year.”