Michael Sutton on the 0day buzz. An interesting read about how old vulnerabilities can be a serious problem for lazy administrators, or for those who get distracted by the rush of so-called advisories and other line noise. It's nothing new, but it doesn't matter how many times you tell the monkey to stop throwing the banana peel on the floor: monkeys only care about the banana itself.
The point is that new vulnerabilities draw attention. The ones that scare me are the old ones, the ones that have been forgotten about. Targeted attacks require specific vulnerabilities, but many, if not most, attacks choose not to discriminate. The attacker simply wants control of as many machines as possible to send spam, phish for credit card numbers, etc. In this case, any old vulnerability will do, so long as a multitude of machines remain unpatched.
HD already wrote about something similar on the Metasploit Project blog: how old and relatively new web browser flaws are being used to spread malware (well, adware would be more accurate).
This combination of automated fingerprinting followed by a targeted attack should serve as a wake-up call to anyone who believes that a patched flaw is no longer a significant threat. The Java ByteVerifier bug used in this script was fixed in April of 2003, over three years ago, yet still works well enough to be a key component of this malware installer. The fact is that an advanced malware installer is capable of attacking almost any browser or operating system and still succeeding against enough people to make money for the attacker.
The mandatory links to the news and references:
- Why all the hype about 0day? Michael Sutton's Blog
- Internet Drive-By Shootings from The Metasploit Project
- Internet Drive-By Shootings in the Metasploit Project blog
- Why all the hype about 0day? at Slashdot.org
- WebAttacker Unseats WMF as Most Popular Exploit