Hacking Team breach helps Kaspersky Lab find Silverlight zero-day

A silver lining to the Hacking Team breach: The leaked documents offered clues to Kaspersky Lab researchers in their hunt for a Silverlight vulnerability

Security researchers usually get their first glimpse of a zero-day vulnerability after someone uses it in an attack. But a team of researchers successfully looked for similarities with an exploit writer's coding style to find a critical remote code execution vulnerability in Silverlight.

Microsoft patched a critical vulnerability in Silverlight that could let attackers remotely execute code after tricking users into visiting a compromised website hosting a specially crafted Silverlight application. While Silverlight may not be as common as Adobe Flash, the flaw is still serious and requires immediate patching.

"A remote code execution vulnerability exists when Microsoft Silverlight decodes strings using a malicious decoder that can return negative offsets that cause Silverlight to replace unsafe object headers with contents provided by an attacker," Microsoft said in its security bulletin.

The update corrected how Microsoft Silverlight validates decoder results in Microsoft Silverlight 5, Microsoft Silverlight 5 Developer Runtime for Mac, and all supported releases of Windows.

Silverlight flaws are bad news

Attackers like Silverlight vulnerabilities because like Flash, the attacks can be cross-platform and largely browser independent. Silverlight registers itself in both Internet Explorer and Mozilla Firefox, for example. Google removed support for the plug-in from Chrome in 2014 to protect users.

A successful exploit of this bug would result in the attacker obtaining the same permissions as the currently logged-on user, Microsoft said. If the user is logged in as an administrator user -- a distressing situation still common in enterprises -- the attacker would have complete control over the user's system. The attacker would be able to install and remove programs, view and modify data, and create new user accounts with full administrator privileges.

The attack could come in the form of a specially crafted Web advertisement displayed on a page or a spam link sent via email or social media. And while Silverlight may not be as popular as Adobe Flash, it's still widely used. Netflix and other providers use Silverlight to deliver streaming content to their viewers.

Microsoft said it was unaware of any attack attempting to exploit this vulnerability. That statement is at odds with Kaspersky Lab's claim that it may have been used in limited targeted attacks, which is how the researchers discovered the bug in the first place.

The hunt for the zero-day

Kaspersky Lab researchers initially became aware of a potential zero-day vulnerability in Silverlight after someone dumped documents stolen from Hacking Team over the summer. Most of the attention at the time centered on multiple Adobe Flash zero-days the Italian surveillance software company had acquired, which were later added to multiple crimeware kits. One of the email exchanges exposed in that breach offered the company a two-and-a-half-year-old Silverlight exploit, at a discount.

Independent exploit writer Vitaliy Toropov offered Hacking Team "my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well."

Hacking Team doesn't appear to have taken up the offer from Toropov, but Kaspersky researchers found the reference very interesting.

"Microsoft Silverlight exploit written more than two years ago and may survive in the future? If that was true, it would be a heavyweight bug, with huge potential to successfully attack a lot of major targets," they wrote in the blog post.

Researchers found examples of other exploits written by Toropov on the Packet Storm security site and the Open Source Vulnerability Database. One was a 2013 exploit taking advantage of invalid typecast and memory disclosure vulnerabilities in Silverlight to achieve code execution. Toropov had provided a proof-of-concept and its source code along with a well-written readme file describing the bug.

The code gave Kaspersky a starting point. Most software developers reuse portions of their code, such as custom error strings and functions, and have a personal style in how they name variables, create modules, or debug their code.

Exploit writers are no different.

The researchers were betting on the fact that they could find Toropov's exploits in the wild by looking for patterns similar to the proof-of-concept they already had.

YARA, a tool designed by VirusTotal founder Victor Manuel Alvarez, can search for malicious files and look for the same patterns of code across networks and systems. Kaspersky Lab created several YARA rules to detect files similar to the 2013 Silverlight exploit and found a match on a customer system in Laos on Nov. 25. There were enough clues -- such as custom error strings -- to indicate the malware sample was one of Toropov's exploits, although it may not be the exact one he offered Hacking Team.

"There is no way to be sure and there might be several Silverlight exploits out there," the researchers said.

Of course, there is always the possibility another exploit writer could have repurposed Toropov's previously published code. YARA simply helps find patterns in code, and considering the ubiquity of code-sharing, it is difficult to definitively identify a developer as the actual author.
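The hunting approach described above, as an added Python example (not Kaspersky Lab's rules and not code from the article): derive the strings that are distinctive to a known sample by subtracting what a benign baseline also contains, then flag files that hold several of them in either ASCII or UTF-16LE, the two encodings YARA's `ascii` and `wide` modifiers cover. All strings, file names and byte buffers here are constructed placeholders.

```python
import re

def extract_strings(data: bytes, min_len: int = 8) -> set:
    """Printable runs in the two encodings YARA calls 'ascii' and 'wide' (UTF-16LE)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(data)}
    return found

def distinctive_strings(reference: bytes, baseline: list) -> set:
    """Strings from the known sample that no benign baseline file shares."""
    common = set()
    for blob in baseline:
        common |= extract_strings(blob)
    return extract_strings(reference) - common

def hunt(candidates: dict, markers: set, threshold: int = 2) -> dict:
    """Map file name -> matched markers, for files holding >= threshold markers."""
    hits = {}
    for name, data in candidates.items():
        present = extract_strings(data)
        matched = sorted(m for m in markers if any(m in s for s in present))
        if len(matched) >= threshold:
            hits[name] = matched
    return hits

def wide(s: str) -> bytes:
    return s.encode("utf-16-le")

# Constructed sample data (not real exploit strings): a known proof-of-concept,
# a benign application, and two files under triage.
FRAMEWORK = "System.Windows.Controls"
ERR = "example-err: decoder step failed"
DBG = "example_dbg_leak_v2"
POC = b"\x01" + wide(FRAMEWORK) + b"\x00\x00" + wide(ERR) + b"\x00\x00\x02" + DBG.encode() + b"\x00"
BENIGN = b"\x01" + wide(FRAMEWORK) + b"\x00\x00\x03Example Corp player\x00"
CANDIDATES = {
    "triage_a.bin": b"\x07" + ERR.encode() + b"\x00\x05" + wide(DBG) + b"\x00\x00",  # both, re-encoded
    "triage_b.bin": b"\x01" + wide(FRAMEWORK) + b"\x00\x00\x04" + DBG.encode() + b"\x00",  # one marker
}
MARKERS = distinctive_strings(POC, [BENIGN])

if __name__ == "__main__":
    for name, matched in hunt(CANDIDATES, MARKERS).items():
        # A hit means shared strings, which suggests shared code, not proven authorship.
        print(name, "->", matched)
```

Requiring more than one marker keeps a single reused string from triggering a hit, but as the paragraph above notes, even a strong match shows code overlap rather than who wrote the file.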

Apply that update as soon as possible

The origins and author of the exploit aside, organizations need to move fast to apply the update. Exploit writers reverse-engineer security updates to create new attacks that they incorporate into existing crimeware kits. Since many organizations fall behind on their patching schedules, these kits can successfully compromise systems even when the security fix is available. Silverlight may not be as ubiquitous as Flash, but deprioritizing this patch can have severe consequences.

Copyright © 2016 IDG Communications, Inc.