What is a "zero-day"?

Once again, it seems misguided reporters have appropriated a technical term and are misusing it in ways that confuse the field. "Hacker" was not the first term they ruined, but it is still the one that irks me the most. The primary definition of "hacker" is of course "a person who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items," according to Wikipedia.

Now it appears that reporters unwilling to actually understand the terminology they use are in the process of destroying the term "zero-day." We have been reading over the past few days about a "zero-day" vulnerability in Symantec Anti-virus, which Marc Maiffret, probably to protect the world in his own trademark way, made public. Unfortunately (or maybe fortunately), this is not a zero-day, unless zero-day has somehow been redefined to mean "new."

Zero-day, as it pertains to vulnerabilities, means a vulnerability that was exploited before anyone, other than the criminal using it, knew about it. This definition is perfectly in line with the definition of zero-day as something for which information is not publicly available. By definition, the fact that Marc was nice enough to alert the world to Symantec's flaw means that it is not a zero-day, unless Marc went and exploited it before he advised the world of the flaw, and we have no indication that he did that.

It may sound like a rant, and of course it is, but it is really important that we keep these terms straight. A zero-day vulnerability is a security professional's worst nightmare. By diluting the term to refer to any vulnerability for which a patch is not available, we dilute the language of our field and lose a very important definition that we need to be able to discuss without ambiguity. It is unfortunate that reporters write about something without bothering to understand the terms of the field they report on. Those reporters give a bad name to the dedicated reporters who take care and work hard to do a public service in understanding and documenting a field that is important to illuminate. Inaccurate use of important terminology muddies the waters for those of us who are charged with actually taking the field forward.

We do need a term for a vulnerability, like the current Symantec one, which has been publicly announced but for which a patch is not yet available. I have in the past used "0.5-day" to describe such an issue, but that term does not yet seem to stick.