A Look at CVE-2014-1776 via Windows Crash Reports
Posted by AlexWatson on 29 April 2014 03:12 AM
As we mentioned in our last blog entry, a new vulnerability has been discovered by researchers at FireEye in Microsoft Internet Explorer affecting Internet Explorer versions 6 through 11. Current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website. The vulnerability has been assigned reference CVE-2014-1776. The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering, when Internet Explorer accesses a related object in memory that has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.
Microsoft has released an advisory with recommendations about how users can take steps to mitigate their vulnerability while a patch is prepared. There has been quite a bit of discussion about the impact of the vulnerability, including recommendations from both the US Department of Homeland Security and UK governments that government users avoid the use of Internet Explorer until a bug patch is released by Microsoft.
In spite of the ongoing discussions and mitigation options, not many details exist about how the exploit targets Microsoft Internet Explorer, and where it is being seen in the wild. In this blog post, we will examine application crash reports from Microsoft Windows computers that are sent via the WER (Windows Error Reporting) framework, to see if we can learn anything about possible vulnerabilities that are being exploited and/or where attacks are occurring.
Comparison to known exploits
Microsoft's threat advisory for CVE-2014-1776 recommends disabling the VGX.DLL library as a mitigation option against the exploit. This library is a core library for Internet Explorer's "Vector Markup Language" (VML) capability -- a deprecated vector graphics format that was primarily used in Microsoft Office Applications. It is interesting to see that VGX.DLL has been linked to other vulnerabilities from 2013, including CVE-2013-2551 and CVE-2013-0030, which both use memory corruption techniques that could theoretically be used to compromise IE. We have previously discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, is an opt-out program that exists in Windows XP, Vista, 7, and 8 that sends detailed telemetry to Microsofteach time an application crashes or fails to update, or a hardware change occurs on the network. This data is incredibly valuable to Microsoft and application vendors, to help debug their applications and prioritize fixes on a massive scale. More information on how you can harness intelligence from Windows crash reports, which are sent from over 80% of PCs globally, can be found in our whitepaper.
Today, we will search crash reports for evidence of exploit-type activity happening in the VGX.DLL library within Internet Explorer. This can be used to help identify possible vulnerabilities that are being exploited by CVE-2014-1776, and can hint at possible geographic locations that are being targeted during attacks. These application crashes are generated for one of three reasons:
1. Normal application failure, such as running out of memory
2. Crash triggered during normal application use, which may be a vulnerability
3. Failed exploit activity
Searching for needles in the haystack
Let's start by looking at Windows Error Reporting application crashes that we have seen occur in the past 6 months. Out of a total of 19.8 million error reports, the following crashes occurred in Internet Explorer versions 6 - 11 inside the VGX.DLL library
We see a significant uptick in crashes starting around February 10th, 2014. Let's take a closer look to see if we can learn anything from the crash reports. Of 39 crashes observed, there are 15 distinct crash reports, grouped by the crash offset location. Two distinct crash reports emerge as being interesting.
Labs Research: Using Anomalies in Crash Reports to Detect Unknown Threats
Posted by AlexWatson on 19 February 2014 10:30 AM
Websense Research Report Details New Targeted Campaigns and Unreported POS Systems Attack
Today, we released a research white paper detailing the use of Windows Error Reporting (WER) to detect advanced targeted campaigns in the wild, including: a campaign against a government agency; a major cellular network provider; and a previously unreported campaign targeting point-of-sale (POS) systems at retailers with a new variety of malware. The white paper, entitled “Using Anomalies in Crash Reports to Detect Unknown Threats,” can be downloaded here: www.websense.com/crashAPTreport
Alexander Watson, Director of Security Research, Websense, will present advanced findings related to this research at the 2014 RSA Conference in San Francisco. Join us for our session, "Use Anomalies to Detect Advanced Attacks Before Bad Guys Use It Against You" on Tuesday, February 25, 2014, at 4 p.m. PT.
In a previous blog post, we discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, sends detailed telemetry to Microsoft each time an application crashes or fails to update, or a hardware change occurs on the network. By correlating the data, we demonstrated how an attacker who was capable of intercepting this data could create a precise blueprint of the target’s hardware and software network. Attackers can use this intelligence to create tailored attacks with a high probability of success.
But those reports also got us thinking about ways we could use that wealth of data to enable security. Our first step in that direction involved releasing source code on GitHub that allows organizations to use Dr. Watson telemetry reports to identify incidents that could lead to data loss.
One of the biggest challenges in security today is the persistence of targeted attacks. How many highly publicized attacks were detected quickly? The fact is that most stay on a system for a long time before detection. We wanted to take our research a step further to see if we could create a new method of identifying previously unknown threats – attacks that have made it past organizations’ defenses – in a manner never before accomplished.
We hope this research encourages the industry to continue looking beyond analytic and signature-based defenses that are based on expert knowledge of known attacks, and begin integrating advanced anomaly and threat intelligence capabilities. This integration brings the ability to reveal new and targeted threats that pose an incredibly high risk to organizations.
Read more »