Was there ever a genuine zero day attack?
Joeythedude
April 20th, 2009, 07:15 AM
I've been doing a bit of reading around zero day attacks.
Just wondering if anyone has heard of a genuine zero day attack, that is, the actual "in the wild" usage of an exploit that the vendor did not know about at that time.
Cheers
J
Rmus
April 20th, 2009, 02:34 PM
1) Internet Explorer 0-day exploit
http://isc.sans.org/diary.html?storyid=874
Reports on IE exploit
http://isc.sans.org/diary.html?storyid=914
I did not find a site to test.
2) Windows WMF 0-day exploit in the wild
http://isc.sans.org/diary.html?storyid=972
Test:
http://www.urs2.net/rsj/computing/tests/wmf/
3) Adobe Reader/Acrobat Unspecified Buffer Overflow Vulnerability
http://www.wilderssecurity.com/showthread.php?t=233881
Test:
http://www.wilderssecurity.com/attachment.php?attachmentid=208020
----
rich
cruelsister
April 20th, 2009, 02:45 PM
Absolutely. For me they normally come in email attachments (which are run in a test machine VM for verification of the file being malicious). It's interesting seeing which of the AV's I have installed will pick it up the soonest.
Joeythedude
April 21st, 2009, 12:50 AM
Thanks, those are very interesting, esp. 2).
That's anti-executable that's blocking 2) in the screenshots?
Rmus
April 21st, 2009, 07:15 PM
Yes. If my memory serves me, this was also blocked by those using ProcessGuard and Software Restriction Policies.
This was more than 4 years ago and was the beginning of the realization for some of us that all of these so-called drive-by exploits have the same objective: to install a malware executable, which can be easily blocked by White List protection, negating the need to detect by a signature. Hence 0-day, 50-day - it is irrelevant.
----
rich
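The point Rmus makes above, that the dropped executable can be stopped by a default-deny allowlist regardless of whether a signature exists for it, is easy to show as policy logic. The block below is an added example for this thread, not code from any poster or from Anti-Executable, ProcessGuard or Windows Software Restriction Policies; it models the rule precedence SRP uses (hash rule beats path rule, more specific path rule beats a broader one, everything else denied) and all paths, rule sets and file contents in it are constructed. It also carries the caveat a practitioner needs: a blanket "allow C:\Windows" rule must be narrowed because C:\Windows\Temp is user-writable, and paths containing ".." must be rejected before any path rule is consulted.

```python
"""Default-deny execution allowlist in the spirit of the SRP / anti-executable
approach described in the thread.  Added example, not any poster's or product's
code; every rule, path and file body below is constructed for illustration."""
import hashlib
from pathlib import PureWindowsPath

# Constructed: one binary an administrator has vetted.  Only its SHA-256 is
# kept in the policy, so the rule follows the file wherever it is copied.
APPROVED_BINARY = b"MZ\x90\x00constructed-approved-tool"
APPROVED_HASHES = {hashlib.sha256(APPROVED_BINARY).hexdigest()}

# Path rules; the most specific matching rule wins, as SRP resolves overlaps.
# C:\Windows\Temp is writable by ordinary users, so an allow on C:\Windows
# alone would let a dropper written there run: it needs an explicit deny.
PATH_RULES = [
    (PureWindowsPath(r"C:\Windows"), "allow"),
    (PureWindowsPath(r"C:\Program Files"), "allow"),
    (PureWindowsPath(r"C:\Windows\Temp"), "deny"),
]


def is_under(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """True if `path` lies inside `directory` (lexical check, no filesystem)."""
    try:
        path.relative_to(directory)
        return True
    except ValueError:
        return False


def decide(path: str, content: bytes) -> tuple[str, str]:
    """Return ("allow"|"deny", reason) for an attempt to execute `content`
    located at `path`.  Nothing here looks at what the file *is*; only at
    whether the policy has approved it, which is why the age of the exploit
    that dropped it is irrelevant to the outcome."""
    p = PureWindowsPath(path)
    # Refuse traversal components before any path rule is considered, or
    # C:\Windows\..\Users\... would match the C:\Windows allow rule.
    if ".." in p.parts:
        return ("deny", "parent traversal in path")
    digest = hashlib.sha256(content).hexdigest()
    if digest in APPROVED_HASHES:
        return ("allow", "hash rule " + digest[:16])
    matches = [(d, v) for d, v in PATH_RULES if is_under(p, d)]
    if matches:
        directory, verdict = max(matches, key=lambda m: len(m[0].parts))
        return (verdict, f"path rule {directory}")
    return ("deny", "no matching rule (default deny)")


# Constructed scenario: a drive-by exploit has just written a never-before-seen
# binary into the user's temp directory and tries to launch it.
SCENARIOS = [
    (r"C:\Users\joe\AppData\Local\Temp\update.exe", b"MZ\x90\x00never-seen-payload"),
    (r"C:\Windows\Temp\payload.exe", b"MZ\x90\x00never-seen-payload"),
    (r"C:\Windows\..\Users\joe\x.exe", b"MZ\x90\x00never-seen-payload"),
    (r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00shipped-with-windows"),
    (r"C:\Users\joe\Desktop\tool.exe", APPROVED_BINARY),
]

if __name__ == "__main__":
    for path, body in SCENARIOS:
        verdict, reason = decide(path, body)
        print(f"{verdict:5}  {path}  ({reason})")
```

The first three scenarios are denied without the policy knowing anything about the payload, which is the whole argument: no signature was needed. The last two show the flip side, that the policy is only as good as its rules. An unknown file under C:\Windows\System32 is allowed purely by location, so path rules are only safe where users cannot write, and the approved tool runs from the Desktop because its hash was vetted, not because of where it sits.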
Copyright ©2002 - 2012, Wilders Security Forums