Recent Zero-Day Exploits

Standard defenses are powerless against zero-day threats

Zero-day attacks are cyber attacks against software flaws that are unknown and have no patch or fix.

It’s extremely difficult to detect zero-day attacks, especially with traditional cyber defenses. Traditional security measures focus on malware signatures and URL reputation. However, with zero-day attacks, this information is, by definition, unknown. Cyber attackers are extraordinarily skilled, and their malware can go undetected on systems for months, and even years, giving them plenty of time to cause irreparable harm.

Based on recently discovered types of zero-day attacks, it has become apparent that operating system level protection is becoming less effective, watering hole attacks are becoming more common, and cyber attacks are becoming more sophisticated and better at bypassing organizational defenses.

Recent zero-day exploits and vulnerabilities

2017 zero-day exploits

  • CVE-2017-0261 – EPS “restore” Use-After-Free: FireEye detected a “restore” use-after-free vulnerability in Encapsulated PostScript (EPS) of Microsoft Office – CVE-2017-0261 – being used to deliver SHRIME malware from a group known as Turla, and NETWIRE malware from an unknown financially motivated actor.
  • CVE-2017-0262 – Type Confusion in EPS: FireEye observed APT28 using a type confusion vulnerability in Encapsulated PostScript (EPS) of Microsoft Office – CVE-2017-0262 – to deliver a GAMEFISH payload.
  • CVE-2017-0263 – win32k!xxxDestroyWindow Use-After-Free: FireEye observed APT28 using CVE-2017-0263 – a win32k!xxxDestroyWindow use-after-free vulnerability – to escalate privileges during the delivery of a GAMEFISH payload. This vulnerability was used in tandem with CVE-2017-0262.
  • CVE-2017-0199 – In the Wild Attacks Leveraging HTA Handler: FireEye detected malicious Microsoft Office RTF documents leveraging CVE-2017-0199. The vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit.

2016 zero-day exploits

2015 zero-day exploits

In 2015, FireEye discovered 8 of the 13 zero-day exploits.

2014 zero-day exploits

In 2014, FireEye discovered 6 of the 12 zero-day exploits.

  • CVE-2014-0322 – A watering hole exploit that targeted IE 10 users visiting a malicious website.
  • Internet Explorer 9 through 11 Exploit: CVE-2014-1776 – A vulnerability that affected IE 6 through IE 11 users, but specifically affected IE 9 through IE 11 users, bypassing standard cyber defenses and allowing arbitrary memory access.
  • CVE-2014-4148 – A Windows kernel vulnerability in the Microsoft Windows TrueType Font (TTF) processing subsystem, exploited by embedding a malicious TTF in a Microsoft Office document delivered to an international organization.
  • CVE-2014-4113 – Another Windows kernel vulnerability that renders Microsoft Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, and Windows Server 2008/R2 vulnerable to a local Elevation of Privilege (EoP) attack.
  • CVE-2014-0502 – A zero-day Adobe Flash exploit that affects the latest version of the Flash Player ( and 11.7.700.261).
  • CVE-2014-4114 – A Sandworm Team zero-day vulnerability impacting all versions of Microsoft Windows, used in a Russian cyber-espionage campaign targeting NATO, the European Union, and the telecommunications and energy sectors.

2013 zero-day exploits

In 2013, FireEye found 11 of the 15 zero-day exploits discovered.

  • CVE-2012-4792 – Hidden on the website of the Council on Foreign Relations, this malicious JavaScript code targeted IE users.
  • CVE-2013-0422 – A Java 7-based vulnerability designed to lock Windows-based users out of their computers.
  • CVE-2013-0634 – Malicious ActionScript code designed to attack Adobe Flash users on Windows, Mac, Linux, and Android systems.
  • CVE-2013-0640 / CVE-2013-0641 – A pair of JavaScript-based PDF vulnerabilities designed to install a remote administration tool and bypass ASLR and DEP security.
  • CVE-2013-1493 – A Java Runtime Environment vulnerability that allowed attackers to compromise the HotSpot virtual machine and take control of the targeted systems.
  • CVE-2013-1347 – This vulnerability in IE versions 6 through 8 targeted Windows XP users who visited the U.S. Department of Labor website.
  • CVE-2013-3918 / CVE-2014-0266 – A pair of far-reaching and cleverly manipulated ActiveX vulnerabilities that affected Windows users as far back as Service Pack 2.
  • CVE-2013-5065 – Combined with other vulnerabilities, this Windows XP and Windows Server 2003 vulnerability allowed a standard user account to remotely execute code in the kernel.
  • CVE-2012-4681 – A vulnerability in the Java Runtime Environment (JRE 1.7.x).