Read the newspapers, or How public information helps with 0day bug-busting

Microsoft has just patched a zeroday vulnerability in its Silverlight web multimedia technology, which was investigated by Kaspersky Lab.

Microsoft has just patched a zeroday vulnerability in its Silverlight web multimedia technology, which was investigated by Kaspersky Lab. The story of this investigation shows how important it is to be watchful of public information.

Read the newspapers

It all started with a great and curious article on Ars Technica, which, in turn, was published on the trail of a grand scandal with Hacking Team. The Italian “legal spyware vendor” got hacked itself, and roughly 400 GB of data, including some very sensitive information, made its way to BitTorrent.

Ars Technica took a special interest in an exchange with a certain distinguished gentleman going by the name Vitaly Toropov, from Russia, who offered a “bulk sale” of exploits he had engineered for the vulnerabilities he discovered. All of those exploits were zerodays (thus vendors did not know about them), and targeted Flash Player, Silverlight, Java and Safari on Windows, OS X and iOS.

Hacking Team selected an Adobe Flash exploit and purchased it. According to the internal comments, the selected exploit was “perfectly engineered, easy to customize, fast and stable.” Such praises for a malicious software…

While Ars Technica focused mostly on the exchange and payment history, there was some detail that drew attention from Kaspersky Lab’s researchers. Toropov mentioned his own “old Silverlight exploit which was written 2.5 years ago and has a chance to survive for years.”

That’s where our experts interest was immediately sparked.

Silverlight

Silverlight is Microsoft’s own technology for displaying Web multimedia content, created several years ago in order to compete with the then (and still) ubiquitous Adobe Flash.

It wasn’t a major success for Microsoft: its adoption level was always much lower than that of Flash, and while some AAA-level web services (Netflix, for instance) used it back in the day, currently they are moving to HTML5.

The platform itself was launched in 2007, its end-of-life was announced in 2012, and next year all development, save for patches and bug fixes, will be wrapped up. Silverlight is no longer supported in Chrome on OS X, support for Silverlight in Chrome on all other operating systems was disabled by default in the Spring of 2015 and was removed completely by the Fall.

Regardless, it’s still in use – which means exploits for its vulnerabilities can be used against the users. Besides, it’s still supported (until 2021, according to Microsoft). Hence a vendor should be informed, but first it should have been discovered and analyzed.

Mr. Toropov traded with multiple entities. In his exchange with Hacking Team, he said the initial price he offered was an exclusive sale, otherwise it would be three times higher.

It meant that he could have already shared – in a mutually beneficial way, of course, – his exploit with someone other than Hacking Team – someone who put this exploit to us.

This assumption appeared to be correct.

Discovery

Mr. Toropov, aside from being a highly skilled code-writer and a good salesman, proved to be a very active contributor to Open Source Vulnerability Database (OSVDB), a place where anyone can post information about vulnerabilities.

By analyzing his public profile on OSVBD.org, Kaspersky Lab researchers discovered that in 2013, Toropov had published a proof-of-concept (POC) which described yet another bug in the Silverlight technology. The vulnerability in question was long patched. What was important here was the manner of Toporov’s code writing. During the analysis performed by Kaspersky Lab experts, some unique strings in the code really stood out.

Detection really rules

Using this information, researchers created several detection rules for Kaspersky Lab protection technologies: once a user, who agreed to share threat data with the Kaspersky Security Network (KSN), encountered malicious software that demonstrated the behavior covered by those special detection rules, the system would flag the file as highly suspicious and a notification would be sent to the company for analysis.

Several months after implementation of the special detection rules, a Kaspersky Lab customer was targeted in an attack that used a suspicious file with those characteristics.

Several hours after that, someone (possibly a victim of the attacks) from Laos uploaded a file with the same characteristics to a multiscanner service.

Kaspersky Lab experts analyzed the attack to discover that it was actually exploiting an unknown bug in the Silverlight technology. The information about the bug was promptly reported to Microsoft for validation.

Kaspersky Lab researchers can’t be 100% positive that it is exactly the same bug Toropov mentioned, but there are strong reasons to believe it is indeed.

“Comparing the analysis of this file with the previous work of Vitaliy Toropov makes us think that the author of the recently discovered exploit, and the author of POCs published on OSVDB in the name of Toropov, is the same person. At the same time we do not completely exclude the possibility that we found yet another zero-day exploit in Silverlight. Overall, this research helped to make cyberspace a little safer by discovering a new zero-day and responsibly disclosing it. We encourage all users of Microsoft products to update their systems as soon as possible to patch this vulnerability,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

Kaspersky Lab products detect the CVE-2016-0034 exploit with the following detection name: HEUR:Exploit.MSIL.Agent.gen.

Yesterday, on Patch Tuesday, Microsoft released the appropriate update with a handful of other fixes. The update for Silverlight is considered “critical” as it allows remote code execution “if a user visits a compromised website that contains a specially crafted Silverlight application”. Windows users may see the warning that updates are due to be installed automatically by the end of the day.

More technical details are available on Securelist.

Tips