After analyzing public vulnerabilities and exploit trends in the first half of 2014, Bromium Labs concluded that Internet Explorer is the \u201csweet spot for attackers.\u201d\u201cInternet Explorer was the most patched and also one of the most exploited products,\u201d the report (pdf) states. Microsoft\u2019s browser \u201cset a record high for reported vulnerabilities in the first half of 2014\u201d and also \u201cleads in publicly reported exploits.\u201dAdobe Flash player has been another prime target. \u201cFlash exploits require DEP and ASLR bypass for successful execution.\u201dThere\u2019s no slowdown of zero-day exploitation, with attacks targeting end-user apps like web browsers and productivity apps like Microsoft Office.Typically these attacks are launched leveraging users as bait using classic spear-phishing tactics. The notable aspect for this year thus far in 2014 is that Internet Explorer was the most patched and also one of the most exploited products, surpassing Oracle Java, Adobe Flash and others in the fray. Bromium Labs believes that the browser will likely continue to be the sweet spot for attackers.Action Script Virtual Machine attacks and ROP bypass using Action Script Spray are emerging zero-day exploitation techniques, according to Bromium.So far in 2014, the following three \u201csevere\u201d vulnerabilities were exploited for Action Script Virtual Machine (ASVM) attacks: CVE-2014-0497, CVE-2014-0502, CVE- 2014-0515. \u201cUnlike the first two exploits, CVE-2014-0515 used a relatively new technique to bypass ASLR allowing dynamic crafting of ROP chain called Action Script Spray.\u201dBromium reports, \u201cAlmost all Internet Explorer memory corruption exploits now use de facto ROP (Return Oriented Programming) techniques for bypassing the default Operating System security mechanisms (ASLR, DEP). Both the IE zero days exploits leveraged \u2018Action Script Spray\u2019 technique to bypass ASLR.\u201dRegarding ROP bypass using Action Script Spray, Bromium noted, \u201cBoth IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode. This technique leverages the way dense arrays are allocated in memory.\u201d Attacks leveraging Action Script Sprays are \u201cmore complex than a traditional heap spray, which indicates that cybercriminals are ready to invest more time and resource s into development of new techniques in response to ever increasing protection measures.\u201dJava, surprisingly, had no reported zero-days in the first half of 2014, \u201cdespite its past notorious reputation.\u201d Disabling Java is likely the reason attackers were forced to switch targets.While Internet Explorer and Adobe Flash have been \u201cthe targets of choice in the first half of 2014,\u201d web browser plugins are the \u201cweak link that is just waiting for exploitation in the future.\u201d Bromium added that \u201cthe prevalence of IE+Flash is much higher than IE+Java JRE, so this provides the attackers with a bigger opportunity.\u201dBromium concluded:Web browser release cycles are compressing and the interval between the general availability of a new release and the appearance of the first security patches has been decreasing recently. This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received. Notably \u2018Use - After - Free\u2019 type vulnerabilities were the favorite of zero day attackers.