Point-in-time research, 2004 to 2008

Security Advisories

This is not a CVE leaderboard. It is a curated record of research published when the attack class, the target, or the technique was still considered niche, theoretical, or uninteresting by the broader industry. Each item is included for what it documented at the time, not for the size of its identifier.

Research doctrine

There is no rule of thumb for individual research and the goal was never a checklist. Looking back across these advisories, a few recurring instincts are worth calling out.

Target the doubt, not the score

Pick issues where the industry disputes the impact. XSS in 2004, PDF JavaScript in 2008, Office as a malware carrier in 2006. Prove the impact concretely before the industry consensus catches up to the finding.

Surface forgotten primitives

Old operating system mechanisms keep returning as attack vectors. DDE, COM interop, OLE embedding. Document them properly the first time so they are not rediscovered a decade later under a different name.

Challenge category-defining claims

When a product class markets a guarantee, personal firewalls, virtual keyboards, anti-piracy attestation, test the guarantee rather than the product. The shape of the bypass usually outlives the vendor that shipped it.

Publish for the learner, not the leaderboard

Every advisory is written so a researcher reading it years later still extracts a transferable pattern. The CVE identifier is only the receipt, the writeup itself is the artifact worth keeping.

Landmark research

Selected entries with outsized point-in-time impact
CriticalExploit Author
Nov 2008

Microsoft Windows Netapi32 Insecure Path Canonicalization Exploit

MS08-067
Why it mattered then

Released within days of MS08-067 going public, when no reliable independent exploit existed outside of vendor and a handful of closed circles. The same primitive later powered Conficker. At that moment the choice was: wait for someone else, or write it.

Research insight

Reliability beats novelty when the window of relevance is days. Studying the canonicalization primitive taught more about Windows path parsing than any of the dozens of follow-up writeups that came months later.

HighExploit Author
Nov 2008

Adobe Reader 'util.printf()' Function Buffer Overflow Exploit

CVE-2008-2992
Why it mattered then

Published when public Adobe Reader exploit code was almost non-existent. PDF was still considered a 'safe document format' by most enterprises. JavaScript-in-PDF was a niche even within client-side research.

Research insight

The interesting surface is rarely the parser, it is the embedded interpreter. JavaScript engines bolted onto document readers became the dominant client-side attack class for the next decade.

HighExploit Author
Oct 2008

Adobe Acrobat 'Collab.collectEmailInfo' Function Buffer Overflow

CVE-2007-5659
Why it mattered then

Another NDA-bound exploit. Released as a recorded PoC. One of the first widely circulated demonstrations of a malicious-PDF chain triggering code execution end to end.

Research insight

Method-name fingerprinting inside embedded JS APIs is a productive hunting ground. The same pattern (a long-deprecated method still reachable) recurred across multiple PDF and Office bugs for years.

▶ Watch exploit demo
HighDiscovery & Exploit
Jun 2006

Microsoft Excel Embedded Shockwave Flash Object Code Execution

CVE-2006-3014
Why it mattered then

Reported in mid-2006, during the very first wave of Excel zero-days to draw mainstream attention, and the third Excel issue surfaced in that early sequence. Awareness that an Office document could be a delivery vehicle for backdoors and malicious code was almost non-existent at the time: enterprises still treated .xls and .doc as inert content, antivirus engines barely parsed embedded OLE streams, and Office attacks were assumed to mean VBA macros. This advisory documented something different: cross-application code execution via an OLE-hosted Shockwave Flash object living inside the spreadsheet, so the foreign runtime, not Excel itself, carried the payload.

Research insight

Composite document formats are an attack surface union, not an intersection. Each embedded runtime drags its own bugs in, and the host application inherits them. The work was published as a need-of-the-hour awareness piece: Office-as-malware-carrier became one of the defining client-side attack patterns of the following decade, from targeted .xls droppers to the macro and DDE waves that followed years later.

MediumDiscovery & PoC
Nov 2005

Zone Labs Products Advance Program Control Bypass

CVE-2005-3560
Why it mattered then

Personal firewalls were the dominant endpoint control of the era. Showing that 'Advanced Program Control' could be sidestepped from inside a trusted process challenged a category-defining marketing claim.

Research insight

A security product that runs in the same trust domain as the threat cannot reliably enforce a policy against it. The argument predated and applies to today's userland EDR debates.

MediumDiscovery & Exploit
Sep 2005

Bypassing Zone Alarm Firewall Using DDE-IPC

ZoneAlarm DDE
Why it mattered then

Used Dynamic Data Exchange (DDE), an IPC mechanism nearly forgotten by 2005, to make an allowed process speak on a blocked process's behalf. Most personal firewalls of the era assumed a 1-to-1 process-to-network mapping.

Research insight

Old, dusty OS primitives are a permanent gift to attackers. DDE itself resurfaced as an Office attack vector more than a decade later. Nothing legacy in operating systems is ever fully retired.

Full archive in context

Every advisory, grouped by year, with the climate it landed in
20084 advisories
CriticalExploit Author
Nov 2008

Microsoft Windows Netapi32 Insecure Path Canonicalization Exploit

MS08-067
Context at release

Released within days of MS08-067 going public, when no reliable independent exploit existed outside of vendor and a handful of closed circles. The same primitive later powered Conficker. At that moment the choice was: wait for someone else, or write it.

Insight

Reliability beats novelty when the window of relevance is days. Studying the canonicalization primitive taught more about Windows path parsing than any of the dozens of follow-up writeups that came months later.

HighExploit Author
Nov 2008

Adobe Reader 'util.printf()' Function Buffer Overflow Exploit

CVE-2008-2992
Context at release

Published when public Adobe Reader exploit code was almost non-existent. PDF was still considered a 'safe document format' by most enterprises. JavaScript-in-PDF was a niche even within client-side research.

Insight

The interesting surface is rarely the parser, it is the embedded interpreter. JavaScript engines bolted onto document readers became the dominant client-side attack class for the next decade.

HighExploit Author
Nov 2008

RealPlayer ierpplug.dll ActiveX Control Buffer Overflow

CVE-2007-5601▶ Watch exploit demo
Context at release

Exploit developed under contract with a vendor NDA. Code could not be released, so a PoC video was published instead to document the work and the technique.

Insight

Not every piece of useful research can ship as code. A captured demonstration is still primary evidence of capability, and worth more than a silent CVE bullet.

HighExploit Author
Oct 2008

Adobe Acrobat 'Collab.collectEmailInfo' Function Buffer Overflow

CVE-2007-5659▶ Watch exploit demo
Context at release

Another NDA-bound exploit. Released as a recorded PoC. One of the first widely circulated demonstrations of a malicious-PDF chain triggering code execution end to end.

Insight

Method-name fingerprinting inside embedded JS APIs is a productive hunting ground. The same pattern (a long-deprecated method still reachable) recurred across multiple PDF and Office bugs for years.

20071 advisory
MediumDiscovery & PoC
Jan 2007

Defeating Microsoft Office Genuine Advantage (OGA) Check

OGA Bypass
Context at release

Anti-piracy and licensing checks were treated as out-of-scope by mainstream security research at the time. Defeating OGA documented that client-side validation of trust state is structurally broken, not just OGA-broken.

Insight

Wherever a vendor pushes a 'trust this client to attest to itself' check, the same class of bypass keeps reappearing: DRM, license servers, mobile attestation, supply-chain signing. The shape of the bug outlives the product.

20067 advisories
MediumDiscovery & PoC
Dec 2006

Google AdWords Multiple HTTP Response Splitting

CRLF-AdWords
Context at release

HTTP Response Splitting (Klein, 2004) was still treated by most application security teams as a theoretical curiosity. Demonstrating it inside Google's flagship ads product made it operationally undeniable.

Insight

When industry calls a vulnerability class 'theoretical', it usually means nobody has weaponised it inside a recognisable brand yet. Picking the right target is half the research.

MediumDiscovery & Exploit
Oct 2006

Multiple HTTP Response Splitting Vulnerabilities in SHOP-SCRIPT

CVE-2006-5566
Context at release

Companion work to the AdWords advisory, showing the same primitive in a mid-market e-commerce platform two months earlier. Documented the class across the size spectrum, not just in a marquee target.

Insight

Patterns generalise. If a category of bug exists at scale in Google, look for it next in the open-source stacks that share the same HTTP handling assumptions.

HighDiscovery & Exploit
Jun 2006

Microsoft Excel Embedded Shockwave Flash Object Code Execution

CVE-2006-3014
Context at release

Reported in mid-2006, during the very first wave of Excel zero-days to draw mainstream attention, and the third Excel issue surfaced in that early sequence. Awareness that an Office document could be a delivery vehicle for backdoors and malicious code was almost non-existent at the time: enterprises still treated .xls and .doc as inert content, antivirus engines barely parsed embedded OLE streams, and Office attacks were assumed to mean VBA macros. This advisory documented something different: cross-application code execution via an OLE-hosted Shockwave Flash object living inside the spreadsheet, so the foreign runtime, not Excel itself, carried the payload.

Insight

Composite document formats are an attack surface union, not an intersection. Each embedded runtime drags its own bugs in, and the host application inherits them. The work was published as a need-of-the-hour awareness piece: Office-as-malware-carrier became one of the defining client-side attack patterns of the following decade, from targeted .xls droppers to the macro and DDE waves that followed years later.

MediumDiscovery & PoC
May 2006

IETab Plugin for Firefox Browser Null Pointer Dereference

CVE-2006-2538
Context at release

Plugin and add-on security was a blind spot. The browser core was getting attention, the third-party extensions wrapping foreign engines inside it were not.

Insight

Trust boundaries dissolve at integration points. Any plugin that embeds a second rendering engine inside the first inherits both threat models and protects against neither.

HighDiscovery & Exploit
Mar 2006

Microsoft ASP.NET w3wp.exe COM Component DoS

CVE-2006-1364
Context at release

Server-side .NET was being marketed as a managed, safer replacement for classic ASP. Triggering a worker process crash through COM interop showed managed runtimes do not erase the unmanaged surface underneath.

Insight

Managed runtimes are a thin film. Wherever they call into native code (COM, P/Invoke, FFI, JNI, ctypes), the old class of bugs comes back unchanged.

MediumDiscovery & Exploit
Feb 2006

Google Reader 'preview' and 'lens' Script Improper Feed Validation

Google Reader
Context at release

RSS aggregators were a brand-new class of product. Almost no one was modelling 'untrusted feed content rendered inside a logged-in session' as a threat. This advisory put it on the map.

Insight

Any pipeline that ingests third-party content and renders it inside an authenticated context is an XSS factory by default. The pattern repeats today in AI tool calls and MCP servers.

MediumDiscovery
Feb 2006

phpMyChat Authentication Bypass

phpMyChat
Context at release

Auth logic in mid-2000s PHP applications was routinely written by hand. Demonstrating a structural bypass in a widely deployed package was about pointing at the pattern, not the project.

Insight

Authentication is almost never broken by cryptography. It is broken by control-flow assumptions about what a request 'must' have done before reaching a code path.

20053 advisories
MediumDiscovery & PoC
Nov 2005

Zone Labs Products Advance Program Control Bypass

CVE-2005-3560
Context at release

Personal firewalls were the dominant endpoint control of the era. Showing that 'Advanced Program Control' could be sidestepped from inside a trusted process challenged a category-defining marketing claim.

Insight

A security product that runs in the same trust domain as the threat cannot reliably enforce a policy against it. The argument predated and applies to today's userland EDR debates.

MediumDiscovery & Exploit
Sep 2005

Bypassing Zone Alarm Firewall Using DDE-IPC

ZoneAlarm DDE
Context at release

Used Dynamic Data Exchange (DDE), an IPC mechanism nearly forgotten by 2005, to make an allowed process speak on a blocked process's behalf. Most personal firewalls of the era assumed a 1-to-1 process-to-network mapping.

Insight

Old, dusty OS primitives are a permanent gift to attackers. DDE itself resurfaced as an Office attack vector more than a decade later. Nothing legacy in operating systems is ever fully retired.

MediumDiscovery & PoC
Aug 2005

Defeating Citi-Bank Virtual Keyboard Protection

Citibank VK
Context at release

Virtual keyboards were being adopted across global retail banking as anti-keylogger controls. The advisory demonstrated that the threat model (keystroke loggers only) ignored every other input observation channel a hostile process has.

Insight

Anti-keylogger UI controls solve the easiest attack and leave the rest. The same flawed shape now appears in 'security questions', SMS OTP, push-only MFA. Threat models that only block yesterday do not age well.

20041 advisory
LowDiscovery & PoC
Aug 2004

CuteNews 'archive' Parameter XSS Vulnerability

CuteNews XSS
Context at release

Reported in 2004, two years before the Samy worm. At the time, XSS was widely dismissed as 'just a JavaScript issue' with no real impact. Explaining session theft, CSRF amplification and worm potential was an uphill argument with vendors and editors alike.

Insight

Whole classes of vulnerabilities get dismissed for years before a public incident forces the industry to take them seriously. The window to do quiet, foundational research on a class is before the worm, not after.

A note on counts. The list above is intentionally short. Where a single, well-argued advisory documented a class, the class itself is the contribution. Stacking duplicates of the same bug in a hundred different targets is a scoreboard exercise, not research.

← Back to the homepage summary