That would be "in-the-wild exploits against undercover vulnerabilities," which I formerly called 0day attacks, though I have since corrected myself. (The distinction being that 0days today include exploits against known/disclosed vulnerabilities simply if there isn't a patch. It is probably also worth noting that in my mind 0day should refer to an attack/exploit and not simply a vulnerability.)
The WMF vulnerability is the latest entrant on the list. Now some questions:
- How did we catch it without a standard discovery/disclosure/patch lifecycle?
- How much damage is it doing?
- What are we doing about the "next" WMF, which currently lies sleeping on our systems?
Here’s my list so far:
- 12/29/05 – WMF.
- 3/18/03 – WebDAV. (publicly available information)
- 9/3/98 – SunOS ToolTalk. (credit: TQBF, who never got the beer…)
- 4/24/96 – rpc.statd. (double credit: TQBF – thanks again.)
Honorable mentions (which don't quite make the list because the vulnerability was not discovered through an active exploit):
- RealServer ../../../ overflow
- Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
- Samba bug that HDM got hacked with… [this may get elevated, I am not sure]
- [Credits: Dave Aitel and Anton Chuvakin for the information]
Any and all help to further this list is appreciated.