Zero day attacks are bull according to Patchlink CEO
Patrick Clawson, CEO of Patchlink, comes out swinging, "... calling bullshit on the whole zero day thing," according to this story in ITWeek. Here is the funny thing: I don't necessarily disagree with him. Now, before you go jumping to conclusions, hear me out. First of all, here is his complete quote:
"I'm calling bullshit on the whole zero day thing. These vulnerabilities are announced on that day, not released; it's in the year running up to that date where they cause problems. By the time something like Slammer becomes well known, it is a nuisance, but [as an IT manager] what you have to worry about is what you don't know."
I think Patrick is right on. The issue is what your definition of zero day is. Today I think most people think of zero day as the time from when a vulnerability is announced through the time there is a patch for it. This intervening period is known as the zero day period, and a whole cottage industry has grown up around it. From third-party patches to responsible disclosure forums and lists, and most of all the behavior-based or heuristic products, everyone is milking this for all it is worth. This was not always the case and in fact is not really the case. Patrick is right on: it is BS. Patrick's point, if I may be so bold, is that the really dangerous period is the year or so before a vulnerability becomes known, when it is unknown and unpatched. Truly unknown vulnerabilities that fall in this area are the real threat. The bad news is I don't think there is a great defense for these other than locking down as much as you can, training people to adhere to safe and secure policies, and being ever vigilant. Also, as long as this remains the case, the work of the security person will never be easy. Good luck!