[noja]

> I agree with the industry response here.

I don't. This sentence serves no purpose other than distraction and needs to stop being used: "there is presently no evidence of the vulnerabilities being used".

It's a standard sentence that is rolled out for any security event or breach usually to misdirect blame. It needs to go away.

[zwp]

I disagree: for defenders trying to establish veracity of flaws and prioritizing defense this is useful information. "Active exploits seen in wild" is a strong signal.

Picking two potentially high impact announcements from the last month or so:

1. There is a severe flaw in the RSA cryptosystem. 2. There is a remote code exec vulnerability in Microsoft Exchange.

One of these was a sketch of an incremental improvement to an attack that remains mostly of theoretical interest. The other was being actively exploited, was tragically simple for 3rd parties to replicate post-announcement and resulted in widespread pain.

There is some (non-linear) scale here (theoretical flaw/poc/weaponized poc/public poc/public weaponized poc/exploited, but limited actors or targets/widely exploited/HAVOC). MS for example uses just "less likely to be exploited", "more likely to be exploited" "being exploited". It's coarse and somewhat subjective but there is value even so.

"This flaw is being actively exploited in the wild" is the best line I can take upstairs. I don't want that to go away just because some parties might misuse it.

[stefan_]

That assumes this statement is made out of some sort of particular knowledge. When a Google Zero researcher finds an exploit, then goes through Google crash logging to determine if it's been abused in the wild, there is a reasonable basis for speculation on their part to say if this is an active exploit in the wild or not.

When an sales busybody like the WiFi alliance makes that statement, it comes from ignorance and CYA.