News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
A Look at CVE-2014-1776 via Windows Crash Reports
Posted by AlexWatson on 29 April 2014 03:12 AM



  • Through analyzing Windows Error Reports (a.k.a. Dr. Watson logs), we have identified two possible vulnerabilities (anomalous crashes) in VGX.DLL that may be linked to MSIE 0-day CVE-2014-1776.
  • We have seen a significant spike in crashes of Internet Explorer versions 8 and 9 that fail in VGX.DLL, starting in February 2014. These crashes are indicators of application vulnerabilities that may be exploited.
  • Anomalous application crashes from VGX.DLL have been observed originating from the USA, UK, and Brazil. Specific industries with anomalous application crashes include telecommunications, tier-1 financial and municipal government.


As we mentioned in our last blog entry, a new vulnerability has been discovered by researchers at FireEye in Microsoft Internet Explorer affecting Internet Explorer versions 6 through 11. Current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website. The vulnerability has been assigned reference CVE-2014-1776.  The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering, when Internet Explorer accesses a related object in memory that has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.


Microsoft has released an advisory with recommendations about how users can take steps to mitigate their vulnerability while a patch is prepared. There has been quite a bit of discussion about the impact of the vulnerability, including recommendations from both the US Department of Homeland Security and UK governments that government users avoid the use of Internet Explorer until a bug patch is released by Microsoft.


In spite of the ongoing discussions and mitigation options, not many details exist about how the exploit targets Microsoft Internet Explorer, and where it is being seen in the wild. In this blog post, we will examine application crash reports from Microsoft Windows computers that are sent via the WER (Windows Error Reporting) framework, to see if we can learn anything about possible vulnerabilities that are being exploited and/or where attacks are occurring.


Comparison to known exploits


Microsoft's threat advisory for CVE-2014-1776 recommends disabling the VGX.DLL library as a mitigation option against the exploit. This library is a core library for Internet Explorer's "Vector Markup Language" (VML) capability -- a deprecated vector graphics format that was primarily used in Microsoft Office Applications. It is interesting to see that VGX.DLL has been linked to other vulnerabilities from 2013, including CVE-2013-2551 and CVE-2013-0030, which both use memory corruption techniques that could theoretically be used to compromise IE. We have previously discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, is an opt-out program that exists in Windows XP, Vista, 7, and 8 that sends detailed telemetry to Microsofteach time an application crashes or fails to update, or a hardware change occurs on the network. This data is incredibly valuable to Microsoft and application vendors, to help debug their applications and prioritize fixes on a massive scale. More information on how you can harness intelligence from Windows crash reports, which are sent from over 80% of PCs globally, can be found in our whitepaper.


Today, we will search crash reports for evidence of exploit-type activity happening in the VGX.DLL library within Internet Explorer. This can be used to help identify possible vulnerabilities that are being exploited by CVE-2014-1776, and can hint at possible geographic locations that are being targeted during attacks. These application crashes are generated for one of three reasons:

1. Normal application failure, such as running out of memory

2. Crash triggered during normal application use, which may be a vulnerability

3. Failed exploit activity



Searching for needles in the haystack


Let's start by looking at Windows Error Reporting application crashes that we have seen occur in the past 6 months. Out of a total of 19.8 million error reports, the following crashes occurred in Internet Explorer versions 6 - 11 inside the VGX.DLL library


  • November 2013: 2 crashes
  • December 2013: 1 crash
  • January 2014: 3 crashes
  • February 2014: 13 crashes
  • March 2014: 9 crashes
  • April 2014: 12 crashes



We see a significant uptick in crashes starting around February 10th, 2014. Let's take a closer look to see if we can learn anything from the crash reports. Of 39 crashes observed, there are 15 distinct crash reports, grouped by the crash offset location. Two distinct crash reports emerge as being interesting.

Possible vulnerability affecting VGX.DLL in IE 9


We have seen the first cluster of application crashes affecting IE version 9 on Windows 7 -- consistent with the vulnerability observed in the wild. We have observed matching crash reports indicating possible failed exploit activity in the United States between March 22nd, 2014, and mid-April 2014.


  • 4 matches:


Buffer Overflow vulnerability affecting VGX.DLL in IE 8

A second interesting cluster of crash reports appears to be affecting IE 8 (via our telemetry).  We can see two distinct versions of IE 8 on Windows 7 affected below (8.0.7601.17514 and 8.0.7600.16385). The BEX error type indicates a buffer overflow happening in VGX.DLL, and it is somewhat unusual to see such a large percentage of application crashes being triggered via buffer overflow. While it has not been reported that IE 8 has been targeted via CVE-2014-1776 in the wild, errors like this are consistent with exploits that corrupt and overwrite memory. We have observed these crash reports occurring as early as February 17, 2014 in the United States, United Kingdom, and Brazil. 


  • 000000_0:
  • 000001_0:
  • 000001_0:
  • 000002_0:
  • 000003_0:
  • 000004_0:
  • 000009_0:


To conclude - this analysis is not intended to be conclusive, but to provide indicators of possible vulnerabilities in Internet Explorer's VGX.DLL that may be exploited by CVE-2014-1776. More info coming soon.


Contributors: Alex Watson

Read more »

Labs Research: Using Anomalies in Crash Reports to Detect Unknown Threats
Posted by AlexWatson on 19 February 2014 10:30 AM

Websense Research Report Details New Targeted Campaigns and Unreported POS Systems Attack


Today, we released a research white paper detailing the use of Windows Error Reporting (WER) to detect advanced targeted campaigns in the wild, including: a campaign against a government agency; a major cellular network provider; and a previously unreported campaign targeting point-of-sale (POS) systems at retailers with a new variety of malware. The white paper, entitled “Using Anomalies in Crash Reports to Detect Unknown Threats,” can be downloaded here:

Alexander Watson, Director of Security Research, Websense, will present advanced findings related to this research at the 2014 RSA Conference in San Francisco. Join us for our session, "Use Anomalies to Detect Advanced Attacks Before Bad Guys Use It Against You" on Tuesday, February 25, 2014, at 4 p.m. PT.

In a previous blog post, we discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, sends detailed telemetry to Microsoft each time an application crashes or fails to update, or a hardware change occurs on the network. By correlating the data, we demonstrated how an attacker who was capable of intercepting this data could create a precise blueprint of the target’s hardware and software network. Attackers can use this intelligence to create tailored attacks with a high probability of success.


But those reports also got us thinking about ways we could use that wealth of data to enable security. Our first step in that direction involved releasing source code on GitHub that allows organizations to use Dr. Watson telemetry reports to identify incidents that could lead to data loss.


One of the biggest challenges in security today is the persistence of targeted attacks. How many highly publicized attacks were detected quickly? The fact is that most stay on a system for a long time before detection. We wanted to take our research a step further to see if we could create a new method of identifying previously unknown threats – attacks that have made it past organizations’ defenses – in a manner never before accomplished.


We hope this research encourages the industry to continue looking beyond analytic and signature-based defenses that are based on expert knowledge of known attacks, and begin integrating advanced anomaly and threat intelligence capabilities. This integration brings the ability to reveal new and targeted threats that pose an incredibly high risk to organizations.

Read more »