BloombergBusinessweek article 7/17/2014
a. Discusses how Russian hackers infiltrated the NASDAQ network,
b. Placed malware on one of the NASDAQ webservers.
c. Thus creating a classic "watering hole" attack - where customers of NASDAQ were attacked by malware as they navigated NASDAQ websites.
d. The malware used 0-day vulnerabilities to hack the servers and network. In fact the article mentioned (2) 0-day vulnerabilities being used.
A 0-day vulnerability is called that, because it has not been patched yet. I.e. a vulnerability was found and the manufacturer has not had time to patch it. So even if the IT department did it's job and patched the new Microsoft patches on patch Tuesday (2nd Tuesday of the month)
So now there is a vulnerability that has no patch and the hackers can attack and own(hacker parlance for control) your computers at will.
Remember the heartbleed vulnerability?
This story makes one wonder if there is a third party doing any penetration testing for private company computers and networks.