I disagree with this interpretation. It remains 0 day until it is patched or has a workaround (disabling the service). Further still, the date aging begins when the bug is disclosed publicly, or broadly if not publicly. Internal disclosure doesn't count. It remains 0day even if you share it with a friend. The measurement of days has to do with its usefulness (to an attacker) and that begins to diminish after wide disclosure. Then again, the term is also completely irrelevant.
The problem with what you're trying to put forward here is that you think this is an interpretation. It's not. A 0-day has a very strict definition.
You can't just choose random words or expressions you don't understand without looking them up and decide they mean something else because you thought they did. Otherwise, the annals of medicine would look very different.
The actual usage is more fluid than that. It wouldn't be a common term if it actually only applied for the first day of every vulnerability being known.
"An attack on a software flaw that occurs before the software's developers have had time to develop a patch for the flaw is often known as a zero-day exploit."
The truth is that even with a strict definition, it is subject to change.
The meaning of a word or term today may not be the same tomorrow; languages evolve with the way people communicate, not with the way they get defined.
0-day is a good example, because people outside the security field only care about whether they're vulnerable or not, not about the intricacies of the term.
How about we all agree that you can't/shouldn't, though? Because taking a contrarian position for no other reason than the fact that you literally can does nothing to advance a discussion.
Do you have a source for that definition? Because every definition of zero-day I've ever seen has to do with the days it has been known to the vendor.
> A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch. It is called a "zero-day" because the programmer has had zero days to fix the flaw (in other words, a patch is not available)
So does that mean that it is no longer a zero-day after a day has passed? Or does it remain a zero-day because it first got released in the wild before vendors had any awareness of it?
Well, if you use a 0-day exploit to break into computer systems, but nobody discovers the hack, or they discover the hack but not the method used for the hack, I guess it remains a 0-day exploit...
Given the typical lead-time for an article to appear after the vendor is notified, the news begins to spread, publications take notice, assign someone to write a story, and the story appears, then you're arguing that the term "zero day" should, practically speaking, never appear in the press.
I'm not sure that's a helpful definition. It's pedantic to the point of no longer applying to any real-world situation and thus sort of pointless.
I don't have a source as reliable as Wikipedia. I base my definition on how it is used in the field of reverse engineering which I've been in for a long time. In any case, people can stick with the wiki definition. Not important.
Some words are ambiguous enough that a dictionary cannot fully describe them. I think this is one of those. Second, Wikipedia is a horrible source to trust for anything debatable.
It's debatable that the definition of "zero day exploit" is debatable. Do you also mistrust what Wikipedia has to say about immunization, global warming, homeopathy and evolution?
He asked "Do you have a source for that definition?" and you said you didn't have a source as reliable as Wikipedia, then attacked the reliability of Wikipedia, which leaves your source in doubt. So what IS your source?
That's what he asked in the first place, and now that you're hopefully done casting doubt upon his source, you still haven't answered what your source is yet, except to say that it's less reliable than "a horrible source to trust for anything debatable". So please give us a link to your source, so we can see it ourselves.
Note that parenthetical contradicts the "zero days to fix" definition. (No patch available is not zero days to fix "in other words".) That suggests the term as commonly understood is a bit fuzzy.
Personally, I've noticed more use of "zero-day" to mean "exploits are now public but no patch is yet available" than to mean literally "programmers just learned of the bug today".
Not sure where the downvoters are coming off - while, logically, I agree with most that "zero day" should mean the vendor has had zero days to patch the bug, in practice, I frequently see it to mean a vulnerability for which no vendor patch or workaround exists. I realize that is nonsensical, but it's a common usage. It's basically a shorthand for saying, "There is no way to defend yourself against this other than completely shutting down or removing the subsystem."
What if the vendor already knew? If Apple reveals 2 years from now that they had discovered it on their own 15 days before Google reported the exploit, does it become a 90 + 15 = 105 day, retroactively?
Yes, that would be a 105-day. And it would show Apple in a bad light, because they had 105 days to fix it and still did not do it, just like this vulnerability is a 90-day.
0-day basically means that the vendor learned about the vulnerability the same day everyone else did; it should not be used in a situation when the vendor was notified promptly, yet still ignored it and didn't fix it. I don't understand why so many people have a problem with this.
Because it becomes a definition that's excruciatingly precise, but useless to almost everyone in the world.
I'm probably not the programmer responsible for fixing a bug in my OS; hardly any of us are. But we're all at the mercy of that bug being fixed. So aside from PR, there's literally no reason why I should care how long the vendor has known about it. I care how long everyone else has known about it prior to a fix being available.
If there's going to be a widely-used term for one or the other, language is going to evolve such that the term covers the latter case because we have practically no reason to care about or refer to the former.
I would also argue that you should choose a word to describe such serious flaws in such a way that the "flaw" doesn't appear to go away if nothing changes except the passage of a very small amount of time. I don't want vendors saying, "we have no zero-day exploits" simply because they waited 10 hours to make the statement.