Looks like we have a confirmed addition to the undercover exploit list (old list). That makes 21 total since 1988.
- 10/27/08 – MS08-067 RPC vulnerability (public info).
- 11/23/07 – Xunlei Thunder PPlayer ActiveX control (credit: Symantec*)
- 4/5/07 – DNS RPC Vuln (confirmed by Bill O'Malley who also discovered it)
- 11/3/06 – XMLHTTP 4.0 ActiveX Control
- 9/23/06 – cPanel (credit: Dave via Adam, Ilja)
- 9/19/06 – Internet Explorer VML (public info)
- 9/3/06 – MS Word 0Day (Symantec)
- 8/16/06 – Ichitaro (Symantec)
- 7/11/06 – Powerpoint 0day. (public information)
- 12/29/05 – WMF. (public information)
- 2/7/05 – Mailman directory traversal. (credit: ilja van Sprundel)
- 2/4/05: Minix FTP Vulnerability (credit: Ilja van Sprundel, confirmed by Al Woodhull)
- 11/16/04 – Twikis search.pm. (credit: ilja van Sprundel)
- 12/04/03 – Rsync. (credit: David Goldsmith, Matasano)
- 11/20/03 – do_brk() overflow. (credit: David Goldsmith, Matasano)
- 3/18/03 – WebDAV. (publicly available information)
- 12/9/99 – Solaris sadmind (credit: Steve Christey)
- 9/3/98 – SunOS ToolTalk. (credit: TQBF, who never got the beer…)
- 4/24/96 – rpc.statd. (double credit: TQBF – thanks again.)
- 11/2/88 – Sendmail (credit: David Goldsmith, Matasano)
- 11/2/88 – Fingerd (credit: David Goldsmith, Matasano)
Honorable Mention (which don't quite make the list because the
vulnerability information was not discovered due to an active exploit):
- RealServer ../../../ overflow
- Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
- Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
- [Credits: Dave Aitel and Anton Chuvakin for the information]
Undercover Vulnerability: A vulnerability that was generally
unknown (e.g. not published on any lists, not discussed by "above
ground" security folks) until it was actively exploited in the wild.
The vulnerability was discovered through evidence of tampering or other
means, not through the usual bugfinding ritual.
Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.
*Note: the "credit" given is not to the person who discovered the
exploit/vuln, but to the person who pointed me in the right direction.