Undercover Vulnerability List – Request for Updates

There has been a bit of activity on one of my old undercover vulnerability list pages. Here is the current list but I am fairly sure it is outdated. Note that these are undercover vulnerabilities that were discovered (by the good guys) via an exploit in the wild.

Anyway, here is the current list:

20 total since 1988.

Honorable Mention (which don't quite make the list because the
vulnerability information was not discovered due to an active exploit):

  • RealServer ../../../ overflow
  • Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
  • Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
  • [Credits: Dave Aitel and Anton Chuvakin for the information]


Undercover Vulnerability: A vulnerability that was generally
unknown (e.g. not published on any lists, not discussed by "above
ground" security folks) until it was actively exploited in the wild.
The vulnerability was discovered through evidence of tampering or other
means, not through the usual bugfinding ritual.

Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.

*Note: the "credit" given is not to the person who discovered the
exploit/vuln, but to the person who pointed me in the right direction.
Thanks, all.

3 comments for “Undercover Vulnerability List – Request for Updates

  1. August 22, 2008 at 4:41 pm

    “Undercover”? I’ve never heard that term before in relation to a vulnerability or exploit… Don’t you mean “0day”? If so, why are you trying to coin new terminology for things which already have well-established terminology for them?

    Fun Fact: Once it’s discovered in the wild and disclosed to the public, such as to a ‘undercover list page’, it’s no longer 0day.

  2. Pete Lindstrom
    August 23, 2008 at 12:00 am

    @Druid -

    I think 0day would have been a great term except it got abused a few years back and so now people think of something other than what I mean. Many people consider “0day vulnerabilities” those vulnerabilities that don’t have a patch available when they are disclosed, regardless of how they are discovered. (There are plenty of so-called “0days” that have never actually been exploited.)

    I think “0day vulnerability” is a misnomer because 0day implies an attack, not simply a vuln.

    Anyway, undercover vulnerabilities are only those vulns that were identified due to exploits in the wild – a subset of the common 0day definition (though I would dispute the notion that it is well-established).

  3. October 27, 2008 at 9:08 am

    Undercover Exploits and Vulnerabilities – 10-27-08

    Looks like we have a confirmed addition to the undercover exploit list (old list). That makes 21 total since 1988. 10/27/08 – MS08-067 RPC vulnerability (public info). 11/23/07 – Xunlei Thunder PPlayer ActiveX control (credit: Symantec*) 4/5/07 – DNS R…

Comments are closed.