Zero-day attacks can strike anywhere, anytime. Here are five examples of recent zero-day exploits:
- Windows: In May, Google security engineer Tavis Ormandy announced a zero-day flaw in all currently supported releases of the Windows OS. He claims the troubled code is more than 20 years old, which means it is “pre-NT”.
- Java: In March, Oracle released emergency patches for Java to address two critical vulnerabilities, one of which was actively used by hackers in targeted attacks. The vulnerabilities received the highest possible impact score from Oracle and can be exploited remotely without authentication, such as a username and password. The risk applies to both Windows and Mac devices.
- Acrobat Reader: In February, a zero-day exploit was found that bypasses the sandbox anti-exploitation protection in Adobe Reader 10 and 11. According to Costin Raiu, director of Kaspersky Lab's malware research and analysis team, the exploit is highly sophisticated; it is likely either a cyber-espionage tool created by a nation state or one of the so-called lawful interception tools sold by private contractors to law enforcement and intelligence agencies for large sums of money.
- The Elderwood Project: Symantec reported that in 2012 the Elderwood Project used a seemingly “unlimited number of zero-day exploits, attacks on supply chain manufacturers who service the target organization, and shift to ‘watering hole’ attacks” on websites likely visited by the target organization. The report went on to say that the resources needed could only be provided by a large criminal organization supported by a nation state.
- Various Game Engines: In May, Computerworld blogger Darlene Storm reported that thousands of potential attack vectors in game engines put millions of gamers at risk. The article talked about zero-day vulnerabilities in CryEngine 3, Unreal Engine 3, id Tech 4 and Hydrogen Engine.