I am trying to keep this updated, but life intervenes. Please let me know if I’ve missed some (browser/office vulns?). Note the animated cursor bug in April ’07 does not fit the definition.

19 total since 1988.

Latest Additions:

Old List:

• 11/3/06 – XMLHTTP 4.0 ActiveX Control
• 9/23/06 – cPanel (credit: Dave via Adam, Ilja)
• 9/19/06 – Internet Explorer VML (public info)
• 9/3/06 – MS Word 0Day (Symantec)
• 8/16/06 – Ichitaro (Symantec)
• 7/11/06 – Powerpoint 0day. (public information)
• 12/29/05 – WMF. (public information)
• 2/7/05 – Mailman directory traversal. (credit: ilja van Sprundel)
• 2/4/05: Minix FTP Vulnerability (credit: Ilja van Sprundel, confirmed by Al Woodhull)
• 11/16/04 – Twikis search.pm. (credit: ilja van Sprundel)
• 12/04/03 – Rsync. (credit: David Goldsmith, Matasano)
• 11/20/03 – do_brk() overflow. (credit: David Goldsmith, Matasano)
• 3/18/03 – WebDAV. (publicly available information)
• 12/9/99 – Solaris sadmind (credit: Steve Christey)
• 9/3/98 – SunOS ToolTalk. (credit: TQBF, who never got the beer…)
• 4/24/96 – rpc.statd. (double credit: TQBF – thanks again.)
• 11/2/88 – Sendmail (credit: David Goldsmith, Matasano)
• 11/2/88 – Fingerd (credit: David Goldsmith, Matasano)

Honorable Mention (which don’t quite make the list because the vulnerability information was not discovered due to an active exploit):

• RealServer ../../../ overflow
• Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
• Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
• [Credits: Dave Aitel and Anton Chuvakin for the information]

Definitions:

Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by “above ground” security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.

Undercover Exploit: The event and/or code used to compromise a resource running the vulnerable software in the wild.

*Note: the “credit” given is not to the person who discovered the exploit/vuln, but to the person who pointed me in the right direction. Thanks, all.