A Look at CVE-2014-1776 via Windows Crash Reports
Posted by AlexWatson on 29 April 2014 03:12 AM
As we mentioned in our last blog entry, a new vulnerability has been discovered by researchers at FireEye in Microsoft Internet Explorer affecting Internet Explorer versions 6 through 11. Current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website. The vulnerability has been assigned reference CVE-2014-1776. The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering, when Internet Explorer accesses a related object in memory that has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.
Microsoft has released an advisory with recommendations about how users can take steps to mitigate their vulnerability while a patch is prepared. There has been quite a bit of discussion about the impact of the vulnerability, including recommendations from both the US Department of Homeland Security and UK governments that government users avoid the use of Internet Explorer until a bug patch is released by Microsoft.
In spite of the ongoing discussions and mitigation options, not many details exist about how the exploit targets Microsoft Internet Explorer, and where it is being seen in the wild. In this blog post, we will examine application crash reports from Microsoft Windows computers that are sent via the WER (Windows Error Reporting) framework, to see if we can learn anything about possible vulnerabilities that are being exploited and/or where attacks are occurring.
Comparison to known exploits
Microsoft's threat advisory for CVE-2014-1776 recommends disabling the VGX.DLL library as a mitigation option against the exploit. This library is a core library for Internet Explorer's "Vector Markup Language" (VML) capability -- a deprecated vector graphics format that was primarily used in Microsoft Office applications. It is interesting to see that VGX.DLL has been linked to other vulnerabilities from 2013, including CVE-2013-2551 and CVE-2013-0030, which both use memory corruption techniques that could theoretically be used to compromise IE.
We have previously discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, is an opt-out program that exists in Windows XP, Vista, 7, and 8 that sends detailed telemetry to Microsoft each time an application crashes or fails to update, or a hardware change occurs on the network. This data is incredibly valuable to Microsoft and application vendors, to help debug their applications and prioritize fixes on a massive scale. More information on how you can harness intelligence from Windows crash reports, which are sent from over 80% of PCs globally, can be found in our whitepaper.
Today, we will search crash reports for evidence of exploit-type activity happening in the VGX.DLL library within Internet Explorer. This can be used to help identify possible vulnerabilities that are being exploited by CVE-2014-1776, and can hint at possible geographic locations that are being targeted during attacks. These application crashes are generated for one of three reasons:
1. Normal application failure, such as running out of memory
2. Crash triggered during normal application use, which may be a vulnerability
3. Failed exploit activity
Searching for needles in the haystack
Let's start by looking at Windows Error Reporting application crashes that we have seen occur in the past 6 months. Out of a total of 19.8 million error reports, the following crashes occurred in Internet Explorer versions 6 - 11 inside the VGX.DLL library.
We see a significant uptick in crashes starting around February 10th, 2014. Let's take a closer look to see if we can learn anything from the crash reports. Of 39 crashes observed, there are 15 distinct crash reports, grouped by the crash offset location. Two distinct crash reports emerge as being interesting.
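The triage described above (filter crash reports to Internet Explorer 6 - 11 faulting inside VGX.DLL, group them by crash offset, and count them per day to spot an uptick) can be sketched as follows. This is an added example, not code from the original post; the five-column record layout and every sample record are constructed for illustration and are not real WER telemetry.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry). Assumed columns:
# date, faulting application, application version, faulting module, crash offset
SAMPLE = """\
2014-01-14,iexplore.exe,9.0.8112.16421,vgx.dll,0x0001a2b0
2014-02-11,iexplore.exe,10.0.9200.16798,vgx.dll,0x00032c41
2014-02-11,iexplore.exe,11.0.9600.16518,vgx.dll,0x00032c41
2014-02-12,iexplore.exe,11.0.9600.16518,mshtml.dll,0x000f1d22
2014-02-13,winword.exe,14.0.7113.5001,vgx.dll,0x0001a2b0
2014-02-13,IEXPLORE.EXE,9.0.8112.16421,VGX.DLL,0x00032c41
2014-02-14,iexplore.exe,5.5.0.0,vgx.dll,0x00032c41
2014-03-02,iexplore.exe,11.0.9600.16518,vgx.dll,0x0004ff10
"""

def vgx_crashes(text, app="iexplore.exe", module="vgx.dll", versions=range(6, 12)):
    """Yield (date, major_version, offset) for crashes of `app` inside `module`."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip malformed records
        date, name, ver, mod, off = (field.strip() for field in row)
        # Names are compared case-insensitively: reports vary in casing.
        if name.lower() != app or mod.lower() != module:
            continue
        major = ver.split(".")[0]
        if not major.isdigit() or int(major) not in versions:
            continue  # outside the affected IE 6 - 11 range
        yield date, int(major), int(off, 16)

def summarize(text):
    """Group matching crashes by offset and count them per day."""
    by_offset = defaultdict(list)
    per_day = Counter()
    for date, major, off in vgx_crashes(text):
        by_offset[off].append((date, major))
        per_day[date] += 1
    return by_offset, per_day

if __name__ == "__main__":
    by_offset, per_day = summarize(SAMPLE)
    # Most frequent offsets first: repeated crashes at one offset across
    # several IE versions are the clusters worth a closer look.
    for off, hits in sorted(by_offset.items(), key=lambda kv: -len(kv[1])):
        versions = sorted({v for _, v in hits})
        first = min(d for d, _ in hits)
        print(f"offset {off:#010x}: {len(hits)} crashes, IE {versions}, first seen {first}")
    print("per day:", sorted(per_day.items()))
```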
Microsoft Internet Explorer Zero-day - CVE-2014-1776
Posted by AToro on 28 April 2014 01:30 PM
A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website.
This vulnerability has been assigned reference CVE-2014-1776. The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering when Internet Explorer accesses a related object in memory which has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.
The Websense Approach
As with any vulnerability, it is always best to apply vendor patches to ensure complete protection from exploit attempts. In this instance, no patch or Fix It is available from Microsoft.
So, what now? The next best thing to do is to protect from the apparatus and delivery mechanisms used by the attackers. When reports of low volume targeted attacks surface it is often not long before the attacks become more widespread after code targeting the vulnerability is incorporated into exploit kits.
At the time of writing, attack samples are sparse, so we are exploring the telemetry within our ThreatSeeker® Intelligence Cloud looking for exemplars and Indicators of Compromise. We shall update this blog with additional insights as more become available, but for now it does not look like use of this vulnerability is widespread.
In the absence of a patch or Fix It from Microsoft various mitigation techniques are available, including:
More information about the vulnerability, and how to implement the aforementioned mitigation factors, can be found at Microsoft Security Advisory 2963983.
Further, now that Windows XP is no longer supported by Microsoft, this discovery prompts a timely reminder to consider alternatives to this still popular operating system, to better protect from vulnerabilities affecting Windows XP users.
Websense Security Labs will continue monitoring the situation and update this blog accordingly.