More zero-day vulnerabilities were discovered in 2013 than any other year Symantec has tracked. The 23 zero-day vulnerabilities discovered represent a 61 percent increase over 2012 and are more than the two previous years combined. Zero-day vulnerabilities are coveted because they give attackers the means to silently infect their victim without depending on social engineering. And by applying these exploits in a watering-hole attack they avoid the possibility of anti-phishing technology stopping them. Unfortunately legitimate web sites with poor patch management practices have facilitated the adoption of watering hole attacks. 77 percent of legitimate websites had exploitable vulnerabilities and 1-in-8 of all websites had a critical vulnerability. This gives attackers plenty of choices in websites to place their malware and entrap their victims. Typically cutting-edge attackers stop using a vulnerability once it is made public. But this does not bring an end to their use. Common cyber criminals rapidly incorporate zero-day vulnerabilities to threaten all of us. Even though the top five zero-day vulnerabilities were patched on average within four days, Symantec detected a total of 174,651 attacks within 30 days of these top five becoming known.