Kaspersky Lab has discovered a zero-day vulnerability in Silverlight, a web technology used to display multimedia content. The vulnerability would allow an attacker to gain full access to a compromised computer and execute malicious code to steal secret information and perform other illegal actions. The vulnerability (CVE-2016-0034) was fixed in the latest Patch Tuesday update issued by Microsoft on January 12, 2016. The discovery was the result of an investigation that started over five months ago from an article published by Ars Technica.
In the summer of 2015 a story about the hacker attack against the Hacking Team company (a known “legal spyware” developer) hit the news. One of the articles about the topic, published in Ars Technica, mentioned leaked correspondence allegedly between Hacking Team representatives and Vitaliy Toropov, an independent exploit-writer. Among other things, the article mentioned the correspondence in which Toropov tried to sell a particularly interesting zero-day to Hacking Team: a four-year-old and still unpatched exploit in the Microsoft Silverlight technology. This piece of information piqued the interest of Kaspersky Lab researchers.
There was no additional information about the exploit in the article, so researchers started their investigation using the name of the seller. They quickly found that a user who named himself Vitaliy Toropov was a very active contributor to the Open Source Vulnerability Database (OSVDB), a place where anyone can post information about vulnerabilities. By analyzing his public profile on OSVDB.org, Kaspersky Lab researchers discovered that in 2013, Toropov had published a proof-of-concept (POC) which described a bug in the Silverlight technology. The POC covered an old vulnerability that was known and currently patched. However, it also contained additional details which gave Kaspersky Lab researchers a hint about how the author of the exploit tends to write code.
During the analysis performed by Kaspersky Lab experts some unique strings in the code really stood out. Using this information they created several detection rules for Kaspersky Lab protection technologies: once a user, who agreed to share threat data with the Kaspersky Security Network (KSN), encountered malicious software that demonstrated the behavior covered by those special detection rules, the system would flag the file as highly suspicious and a notification would be sent to the company for analysis. The assumption behind this tactic was simple: if Toropov tried to sell a zero-day exploit to Hacking Team, it was highly probable that he did the same with other spyware vendors. As a result of this activity, other cyber espionage campaigns could be actively using it in the wild to target and infect unsuspecting victims.
The assumption was correct. Several months after implementation of the special detection rules, a Kaspersky Lab customer was targeted in an attack that used a suspicious file with the characteristics we were looking for. Several hours after that, someone (possibly a victim of the attacks) from Laos uploaded a file with the same characteristics to a multiscanner service. Kaspersky Lab experts analyzed the attack to discover that it was actually exploiting an unknown bug in the Silverlight technology. The information about the bug was promptly reported to Microsoft for validation.
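The hunting approach described above, building detection rules from strings unique to an author's earlier code and flagging any new file that carries them, can be sketched as follows. This is an added illustration, not Kaspersky Lab's rules or code: every string, file name and sample byte sequence is constructed, and the function names and the two-string threshold are assumptions.

```python
import re

# Constructed stand-ins: an author's known, published POC and a small benign corpus.
KNOWN_POC = (b"\x00\x01ExampleAuthorHelper\x00padding\x00TypeConfusionDemo_v1"
             b"\x00System.Windows\x00dbg: stage two ok\x00")
BENIGN_CORPUS = [
    b"MZ\x90\x00System.Windows\x00mscorlib\x00padding\x00",
    b"\x00System.Windows\x00Application_Startup\x00",
]
# Constructed "incoming" files, as a telemetry feed or multiscanner might deliver them.
NEW_FILES = {
    "upload_a.bin": b"\x7fXAP\x00ExampleAuthorHelper\x00new_payload\x00dbg: stage two ok\x00",
    "upload_b.bin": b"\x00System.Windows\x00padding\x00MediaElement\x00",
    "upload_c.bin": b"\x00ExampleAuthorHelper\x00unrelated_content\x00",
}

def extract_strings(data, min_len=6):
    """Return the set of printable-ASCII runs of at least min_len bytes."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))

def build_rule(known_sample, benign_corpus, min_len=6):
    """Keep only strings from the known sample that never appear in benign files."""
    common = set()
    for blob in benign_corpus:
        common |= extract_strings(blob, min_len)
    return extract_strings(known_sample, min_len) - common

def scan(data, rule, threshold=2):
    """Flag a file when at least `threshold` rule strings occur in it.

    Requiring several strings keeps one coincidental match from raising an alert.
    """
    hits = sorted(s for s in rule if s in data)
    return len(hits) >= threshold, hits

def triage(files, rule, threshold=2):
    """Return the names of files that should be queued for analyst review."""
    return sorted(name for name, data in files.items()
                  if scan(data, rule, threshold)[0])

if __name__ == "__main__":
    rule = build_rule(KNOWN_POC, BENIGN_CORPUS)
    for name in sorted(NEW_FILES):
        flagged, hits = scan(NEW_FILES[name], rule)
        print(name, "HIGHLY SUSPICIOUS" if flagged else "ok", hits)
```

The rule is only as good as the benign corpus used to filter it: a string that looks unique against a small corpus may be common in the wild, so production rules are validated against a much larger clean set before deployment.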
“Although we don’t know if the exploit we discovered is in fact the one that was mentioned in the Ars Technica article, we have strong reasons to believe it is indeed the same. Comparing the analysis of this file with the previous work of Vitaliy Toropov makes us think that the author of the recently discovered exploit, and the author of POCs published on OSVDB in the name of Toropov, is the same person. At the same time we do not completely exclude the possibility that we found yet another zero-day exploit in Silverlight. Overall, this research helped to make cyberspace a little safer by discovering a new zero-day and responsibly disclosing it. We encourage all users of Microsoft products to update their systems as soon as possible to patch this vulnerability,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
Kaspersky Lab products detect the CVE-2016-0034 exploit with the following detection name: HEUR:Exploit.MSIL.Agent.gen.