News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
A Look at CVE-2014-1776 via Windows Crash Reports
Posted by AlexWatson on 29 April 2014 03:12 AM



  • Through analyzing Windows Error Reports (a.k.a. Dr. Watson logs), we have identified two possible vulnerabilities (anomalous crashes) in VGX.DLL that may be linked to MSIE 0-day CVE-2014-1776.
  • We have seen a significant spike in crashes of Internet Explorer versions 8 and 9 that fail in VGX.DLL, starting in February 2014. These crashes are indicators of application vulnerabilities that may be exploited.
  • Anomalous application crashes from VGX.DLL have been observed originating from the USA, UK, and Brazil. Specific industries with anomalous application crashes include telecommunications, tier-1 financial and municipal government.


As we mentioned in our last blog entry, a new vulnerability has been discovered by researchers at FireEye in Microsoft Internet Explorer affecting Internet Explorer versions 6 through 11. Current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website. The vulnerability has been assigned reference CVE-2014-1776.  The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering, when Internet Explorer accesses a related object in memory that has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.


Microsoft has released an advisory with recommendations about how users can take steps to mitigate their vulnerability while a patch is prepared. There has been quite a bit of discussion about the impact of the vulnerability, including recommendations from both the US Department of Homeland Security and UK governments that government users avoid the use of Internet Explorer until a bug patch is released by Microsoft.


In spite of the ongoing discussions and mitigation options, not many details exist about how the exploit targets Microsoft Internet Explorer, and where it is being seen in the wild. In this blog post, we will examine application crash reports from Microsoft Windows computers that are sent via the WER (Windows Error Reporting) framework, to see if we can learn anything about possible vulnerabilities that are being exploited and/or where attacks are occurring.


Comparison to known exploits


Microsoft's threat advisory for CVE-2014-1776 recommends disabling the VGX.DLL library as a mitigation option against the exploit. This library is a core library for Internet Explorer's "Vector Markup Language" (VML) capability -- a deprecated vector graphics format that was primarily used in Microsoft Office Applications. It is interesting to see that VGX.DLL has been linked to other vulnerabilities from 2013, including CVE-2013-2551 and CVE-2013-0030, which both use memory corruption techniques that could theoretically be used to compromise IE. We have previously discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, is an opt-out program that exists in Windows XP, Vista, 7, and 8 that sends detailed telemetry to Microsofteach time an application crashes or fails to update, or a hardware change occurs on the network. This data is incredibly valuable to Microsoft and application vendors, to help debug their applications and prioritize fixes on a massive scale. More information on how you can harness intelligence from Windows crash reports, which are sent from over 80% of PCs globally, can be found in our whitepaper.


Today, we will search crash reports for evidence of exploit-type activity happening in the VGX.DLL library within Internet Explorer. This can be used to help identify possible vulnerabilities that are being exploited by CVE-2014-1776, and can hint at possible geographic locations that are being targeted during attacks. These application crashes are generated for one of three reasons:

1. Normal application failure, such as running out of memory

2. Crash triggered during normal application use, which may be a vulnerability

3. Failed exploit activity



Searching for needles in the haystack


Let's start by looking at Windows Error Reporting application crashes that we have seen occur in the past 6 months. Out of a total of 19.8 million error reports, the following crashes occurred in Internet Explorer versions 6 - 11 inside the VGX.DLL library


  • November 2013: 2 crashes
  • December 2013: 1 crash
  • January 2014: 3 crashes
  • February 2014: 13 crashes
  • March 2014: 9 crashes
  • April 2014: 12 crashes



We see a significant uptick in crashes starting around February 10th, 2014. Let's take a closer look to see if we can learn anything from the crash reports. Of 39 crashes observed, there are 15 distinct crash reports, grouped by the crash offset location. Two distinct crash reports emerge as being interesting.

Possible vulnerability affecting VGX.DLL in IE 9


We have seen the first cluster of application crashes affecting IE version 9 on Windows 7 -- consistent with the vulnerability observed in the wild. We have observed matching crash reports indicating possible failed exploit activity in the United States between March 22nd, 2014, and mid-April 2014.


  • 4 matches:


Buffer Overflow vulnerability affecting VGX.DLL in IE 8

A second interesting cluster of crash reports appears to be affecting IE 8 (via our telemetry).  We can see two distinct versions of IE 8 on Windows 7 affected below (8.0.7601.17514 and 8.0.7600.16385). The BEX error type indicates a buffer overflow happening in VGX.DLL, and it is somewhat unusual to see such a large percentage of application crashes being triggered via buffer overflow. While it has not been reported that IE 8 has been targeted via CVE-2014-1776 in the wild, errors like this are consistent with exploits that corrupt and overwrite memory. We have observed these crash reports occurring as early as February 17, 2014 in the United States, United Kingdom, and Brazil. 


  • 000000_0:
  • 000001_0:
  • 000001_0:
  • 000002_0:
  • 000003_0:
  • 000004_0:
  • 000009_0:


To conclude - this analysis is not intended to be conclusive, but to provide indicators of possible vulnerabilities in Internet Explorer's VGX.DLL that may be exploited by CVE-2014-1776. More info coming soon.


Contributors: Alex Watson

Read more »

Microsoft Internet Explorer Zero-day - CVE-2014-1776
Posted by AToro on 28 April 2014 01:30 PM

A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website.


This vulnerability has been assigned reference CVE-2014-1776.  The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering when Internet Explorer accesses a related object in memory which has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.


The Websense Approach


As with any vulnerability it is always best to apply vendor patches to ensure complete protection from exploit attempts.  In this instance no patch or Fix It is available from Microsoft.


So, what now? The next best thing to do is to protect from the apparatus and delivery mechanisms used by the attackers.  When reports of low volume targeted attacks surface it is often not long before the attacks become more widespread after code targeting the vulnerability is incorporated into exploit kits. 


At the time of writing attack samples are sparse so we are exploring the telemetry within our ThreatSeeker® Intelligence Cloud looking for exemplars and Indicators of Compromise. We shall update this blog with additional insights as more become available, but for now it does not look like use of this vulnerability is widespread.


Websense offers protection throughout the attack life cycle using the 7 Stages of Advanced Attacks model.  Typically we see the following scenario in such instances: a user will visit a website (most likely a compromised legitimate website, rather than one specifically registered by an attacker), thus initiating a Flash file download which sets the scene for a further call to a JavaScript payload.  This in turn triggers the vulnerability in Internet Explorer.  Attackers may use the opportunity of remote code execution to launch additional components within a reconnaissance or data theft attack. 



In the absence of a patch or Fix It from Microsoft various mitigation techniques are available, including:

  • Most importantly do not use Administrative account for general tasks such as web-browsing. As the attacker inherits the rights of the current user, using a non-privileged account is highly advisable.
  • Consider deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET v4.1) which is designed to make exploitation more difficult for attackers.
  • Turn on Enhanced Protected Mode (EPM) in Internet Explorer. It is available for IE 10 and 11.
  • Disabling Internet Explorer's Flash plugin will render the exploit non-functional.
  • Disabling VML (unregistering vgx.dll) will turn off the vulnerable library.  You should certainly consider this if you are using Windows XP (see note below).
  • For organisation's that are flexible on browser choice you should consider adopting an alternative browser to Internet Explorer, at least prior to applying a patch from Microsoft.


More information about the vulnerability, and how to implement the aforementioned mitigation factors, can be found at Microsoft Security Advisory 2963983.


Further, now Windows XP is no longer supported by Microsoft this discovery leads prompts a timely reminder to consider alternatives to this still popular operating system, to better protect from vulnerabilities affecting Windows XP users.


Websense Security Labs will continue monitoring the situation and update this blog accordingly.

Read more »