| For another example, [this story](https://www.bleepingcomputer.com/news/security/north-korean-... ) describes another zero-day that was allegedly found to have been exploited for weeks before discovery. Apparently the timeline was: ????-??-??: The bug was discovered and exploited. 2022-01-04: Earliest identified exploitation (according to the linked article). 2022-02-10: Google TAG discovered the vulnerability. 2022-02-14: Google Chrome was patched. ????-??-??: Hopefully most folks have updated by now, such that that particular attack isn't getting anyone anymore. According to the article: > Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean government. Generally, "use-after-free" vulnerabilities could be prevented by using more secure memory-management systems. To be clear: this is easy to do, programming-wise; presumably the vulnerability was able to occur because the software-design favored performance over security. |