Zero-Day Maybe, Vulnerability No
I’m really getting annoyed by some of the scary headlines I’m seeing lately. There must be a lull in the anti-malware business if companies have more press releases about malware infections than they do announcing new products or features.
Last week F-Secure started a panic with comments like, “A significant network attack was launched globally… exploiting a timely widescale media event as the key mechanism for delivering its payload”. They even uploaded a scary video to YouTube to get more attention. Truth is, most email systems filtered out this spam attachment, and few reports exist of people actually downloading the payload and activating it.
Now everyone is using “Zero-Day vulnerability” for just about any flaw out there. Symantec recently reported a new Microsoft Word 2000 vulnerability. Many Office products have been found to have security flaws, but I wouldn’t classify them as a “Vulnerability”. Secunia classifies this new Word report as “Extremely critical”, but it suggests a solution: “Do not open untrusted Office documents”.
Vulnerable – “open to assault; difficult to defend; capable of being wounded or hurt”
In the above examples, the user must take some kind of non-recommended action before the install can take place. They all required the download and opening of some file attachment.
The WMF Exploit last year was a Zero-Day Vulnerability because you could become infected just by viewing a web page. MSBlaster was a zero-day vulnerability which could infect you just by being connected to the internet. This happened due to an open port vulnerability in a key system service within Windows (DCOM RPC).
InfoWorld says: “A zero-day vulnerability refers to a security hole for which exploits are already available when it was discovered.”
Vulnerability? Not necessarily.