[greiskul]

A non zero click remote code execution would be for example the attacker sends the victim a message, with a link or attachment, that if the victim interacts with it, the attacked gets to run code they wrote in the victims device.

A zero click remote code execution, would be for example where the attacker send a message, and their phone just processing the message on it's own is enough for the attacker to execute code on the victims device.

A non zero click vulnerability can be mitigated by being cautious. A zero click vulnerability cannot.

[rosndo]

> A non zero click vulnerability can be mitigated by being cautious. A zero click vulnerability cannot.

No amount of caution will save you when the exploit is injected into a major website.

Why bother with such meaningless distinction? Does your browser never hit any http:// resources?

[derkades]

An exploit that achieves remote code execution just by a browser performing an HTTP request (for example a malicious ad) would be considered a zero-click exploit.

[rosndo]

But then most exploits that involve sending links would also be zero-click, just not deployed in that manner.

I think this just goes to show how silly this new terminology is.

[staticassertion]

The terms are all stupid and were made up 40 years ago. Trying to tease out nuance is pointless.

You get owned without clicking hence zero click. Is it different from RCE? A subset? Doesn't matter. Title could have said RCE.