Google Researcher Issues How-To On Attacking XP

theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."

I Don't Think Zero-Day Means What You Think

[eldavojohn]

exploits a zero-day vulnerability

Zero-Day would mean that Microsoft had zero days to fix it or no time at all to patch the system that had the security vulnerability between the time they release the software to the time the bug goes public. By that definition this would be best described as a "five day exploit" or more in fact if they knew about it before Ormandy's notice.

Re:Zero days notice

[drinkypoo]

I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.

No, it's the time between public disclosure of the vulnerability and the time when the exploit is released. When you hear about it or when you see it is quite irrelevant.

It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.

Yes, as demonstrated by your comment. Zero-day cracks are cracks which come out on the release date, and Zero-day exploits are exploits which exist in the wild (whether you have detected them or not) the same day as the disclosure.