Microsoft IE zero day and recent exploitation trends (CVE-2014-1776)

 

Microsoft released an advisory last weekend on a new IE (Internet Explorer) zero-day in the wild, CVE-2014-1776. The attack is believed to have been delivered in the form of spear-phishing. VGX.DLL, which IE uses for VML (Vector Markup Language) rendering, was used for exploitation. IE 6 to IE 11 are vulnerable, and according to a report from FireEye, the exploit found in the wild was targeting IE 9 to IE 11. While there is no further technical detail publicly available on the vulnerability at this time (except that the vulnerability type is use-after-free), I thought that looking back at recent exploitation trends for the related component (VGX.DLL) would be interesting, even if it is not the direct source of the vulnerability. And indeed, VGX.DLL has a history of exploitation going back to 2006.

Table 1 shows a summary of recent vulnerabilities related to VGX.DLL. You can see that it has been exploited a number of times since 2006.

| Bulletin | CVE-ID | Vulnerability type | Patched methods |
|----------|--------|--------------------|-----------------|
| MS06-055 | CVE-2006-4868 | Heap overflow | _IE5_SHADETYPE_TEXT::TOKENS::Ptok |
| MS07-004 | CVE-2007-0024 | Integer overflow | CVMLRecolorinfo::InternalLoad, FGetBuiltInOPT |
| MS07-050 | CVE-2007-1749 | Integer underflow | CDownloadSink::OnDataAvailable |
| MS11-052 | CVE-2011-1266 | Concurrency issue | GDIBlip::GDIBlip, GDIBlip::~GDIBlip, GEBlip::GEBlip, CSafeBrush::~CSafeBrush, CSafePen::~CSafePen, FMakePathLineEffectForPen |
| MS13-010 | CVE-2013-0030 | Buffer overrun | CVMLShape::FSavePathV, SavePathSeg |
| MS13-028 | Unknown | Use-after-free | CVMLShapeView::FreeView, CVMLShapeView::InvalidateView |
| MS13-037 | CVE-2013-2551 | Use-after-free | COALineDashStyleArray::put_length, ORG::FAppendRange |
| N/A | CVE-2014-1776 | Use-after-free | Unknown |

Table 1 VGX.DLL related vulnerability history

(Just for your information, in order to capture this detail we used a tool called DarunGrim to perform analysis on each security update.)

 

MS06-055 (CVE-2006-4868)

When Microsoft released MS06-055, they fixed a lot of undocumented issues (see Figure 1). The full details of CVE-2006-4868 had already been disclosed at the time of the patch. The vulnerable method is _IE5_SHADETYPE_TEXT::TOKENS::Ptok. This vulnerability is somewhat well known for the unusual release of a private patch by a third-party organization called ZERT (Zeroday Emergency Response Team). Details on this private patch are available in this paper.

 

[Image: fig01.png]

Figure 1 Patch analysis of MS06-055

 

I’m not going to reiterate all the details here, but Figure 2 illustrates the nature of this vulnerability very well. The block added with the security update (in red) shows that an additional bounds check was added. This implies that the vulnerability was an out-of-bounds issue.

 

[Image: fig02.png]

Figure 2 Patch for CVE-2006-4868. A bounds-check block was added (in red).

 

MS07-004 (CVE-2007-0024)

MS07-004 addressed CVE-2007-0024, which was an integer overflow issue. For MS07-004, the exploit was developed using patch analysis, and the issue was fixed by adding a simple range check (see Figure 3).

 

[Image: fig03.png]

Figure 3 CVMLRecolorinfo::InternalLoad patch for CVE-2007-0024 (in red)

 

MS07-050 (CVE-2007-1749)

MS07-050 addressed CVE-2007-1749, an integer underflow. The full details of this vulnerability were released on a security mailing list. In summary, though, the code handling compressed data miscalculated when subtracting the processed data length. When the decompressed data was smaller than the compressed data, this could lead to an integer underflow causing heap corruption. The entire code of the CDownloadSink::OnDataAvailable method was rewritten (see Figure 4).
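The underflow pattern described here, modelled in C as an added example (not the VGX.DLL code or any code from the original post). The function names, the staging-buffer size and the chunk lengths are constructed for the demonstration; the point is that an unsigned counter driven below zero wraps to a huge value, and that a pre-subtraction check is what stops it from ever being used as a copy length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the accounting flaw described above, not the
 * VGX.DLL code. A download sink tracks how many bytes of the stream are
 * still outstanding and subtracts the length of each chunk it processes.
 * If the subtracted length is derived from the decompressed output while
 * the counter was sized from the compressed input (or vice versa), the
 * two disagree and the counter can be driven below zero, which in
 * unsigned arithmetic wraps to a value near 4 GB. */

#define STAGING_CAPACITY 64u  /* hypothetical size of the sink's staging buffer */

/* Pre-patch shape: the subtraction is never checked, so it wraps. */
uint32_t remaining_after_unchecked(uint32_t outstanding, uint32_t processed)
{
    return outstanding - processed;   /* 100 - 150 wraps to 4294967246 */
}

/* Hardened shape: refuse an update that would go below zero. Returns
 * false so the caller can abort the transfer; *out is untouched then. */
bool remaining_after_checked(uint32_t outstanding, uint32_t processed,
                             uint32_t *out)
{
    if (processed > outstanding)
        return false;
    *out = outstanding - processed;
    return true;
}

/* Whether a copy of `remaining` bytes fits the staging buffer. A wrapped
 * counter fails this check; code that skipped the check and used the
 * counter as a copy length would write far past the buffer. */
bool next_copy_fits(uint32_t remaining)
{
    return remaining <= STAGING_CAPACITY;
}

/* Runs a whole sequence of chunk lengths through the checked accounting.
 * Returns false at the first chunk that would underflow the counter. */
bool process_stream_checked(const uint32_t *chunks, size_t n,
                            uint32_t outstanding, uint32_t *final_out)
{
    for (size_t i = 0; i < n; i++) {
        if (!remaining_after_checked(outstanding, chunks[i], &outstanding))
            return false;
    }
    *final_out = outstanding;
    return true;
}

/* Same sequence through the unchecked accounting, for comparison. */
uint32_t process_stream_unchecked(const uint32_t *chunks, size_t n,
                                  uint32_t outstanding)
{
    for (size_t i = 0; i < n; i++)
        outstanding = remaining_after_unchecked(outstanding, chunks[i]);
    return outstanding;
}

/* Constructed scenario: 100 bytes outstanding, then chunks of 50 and 60. */
static const uint32_t k_chunks[] = { 50u, 60u };

bool scenario_checked_rejects(void)
{
    uint32_t final_len = 0;
    return !process_stream_checked(k_chunks, 2, 100u, &final_len);
}

uint32_t scenario_unchecked_wraps(void)
{
    return process_stream_unchecked(k_chunks, 2, 100u);   /* 4294967286 */
}

int main(void)
{
    uint32_t wrapped = scenario_unchecked_wraps();
    printf("unchecked counter after chunks: %u (fits staging buffer: %s)\n",
           (unsigned)wrapped, next_copy_fits(wrapped) ? "yes" : "no");
    printf("checked accounting rejected the stream: %s\n",
           scenario_checked_rejects() ? "yes" : "no");
    return 0;
}
```

The check belongs before the subtraction, not after it: once the counter has wrapped there is no reliable way to tell a legitimately large remaining length from a corrupted one, which is why the fixed accounting rejects the chunk instead of trying to repair the value.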

 

[Image: fig04.png]

Figure 4 Vulnerable code from CDownloadSink::OnDataAvailable.
Red blocks were replaced with new code when the patch was applied.

 

MS11-052 (CVE-2011-1266)

This one was more of an object-handling issue. Multiple classes were patched with this update: the constructors and destructors of the GDIBlip, CSafeBrush and CSafePen classes. Mostly, concurrency-related functions were added (Figure 5).

 

[Image: fig05.png]

Figure 5 GDIBlip::~GDIBlip patch

 

MS13-010 (CVE-2013-0030)

CVE-2013-0030 was a memory corruption issue. The main patched functions were CVMLShape::FSavePathV and SavePathSeg. The SavePathSeg function is called from CVMLShape::FSavePathV. SavePathSeg’s prototype was changed to add a parameter carrying the length of the target memory buffer so that its writes can be checked against it. Figure 6 shows one of the areas where additional length checks were added inside the SavePathSeg function.
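The fix pattern seen in both MS06-055 (a bounds check added to the writer) and MS13-010 (a remaining-length parameter threaded into SavePathSeg), modelled in C as an added example that is not the VGX.DLL code or any code from the original post. The segment layout, the buffer sizes and the function names are constructed; the point is that a callee which receives the remaining capacity can refuse a write the caller miscounted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the fix described above, not the VGX.DLL code.
 * A path is serialised segment by segment into a caller-supplied buffer.
 * Before the fix the per-segment writer had no idea how much room was
 * left; the fix threads the remaining capacity through as an extra
 * parameter and the writer refuses to emit a segment that does not fit. */

typedef struct { int16_t x, y; } seg_t;   /* hypothetical 4-byte segment */
#define SEG_BYTES 4u

/* Bytes the pre-patch writer would emit for n segments regardless of the
 * destination size: the caller alone had to get the sizing right. */
size_t bytes_required(size_t nsegs)
{
    return nsegs * SEG_BYTES;
}

/* Patched shape of the per-segment writer: *remaining is the room left in
 * out. Writes nothing and returns false when the segment does not fit. */
bool save_path_seg(const seg_t *s, uint8_t *out, size_t *remaining)
{
    if (*remaining < SEG_BYTES)
        return false;
    out[0] = (uint8_t)(s->x & 0xff);              /* little-endian x */
    out[1] = (uint8_t)((uint16_t)s->x >> 8);
    out[2] = (uint8_t)(s->y & 0xff);              /* little-endian y */
    out[3] = (uint8_t)((uint16_t)s->y >> 8);
    *remaining -= SEG_BYTES;
    return true;
}

/* Caller corresponding to the FSavePathV role: writes as many segments as
 * fit, reports the bytes emitted, and returns false if it had to stop. */
bool save_path(const seg_t *segs, size_t nsegs, uint8_t *out, size_t cap,
               size_t *written)
{
    size_t remaining = cap;
    for (size_t i = 0; i < nsegs; i++) {
        if (!save_path_seg(&segs[i], out + (cap - remaining), &remaining)) {
            *written = cap - remaining;
            return false;
        }
    }
    *written = cap - remaining;
    return true;
}

/* Constructed input: three segments, 12 bytes in total. */
static const seg_t k_segs[] = { { 1, 2 }, { -1, 3 }, { 4, 5 } };

/* An 8-byte buffer holds only two segments; the third is refused
 * instead of overrunning the buffer. Returns the bytes written (8). */
size_t scenario_small_buffer_written(void)
{
    uint8_t buf[8];
    size_t written = 0;
    memset(buf, 0, sizeof buf);
    save_path(k_segs, 3, buf, sizeof buf, &written);
    return written;
}

/* A 16-byte buffer takes all three segments; also checks the encoding of
 * the second segment (x = -1 -> ff ff, y = 3 -> 03 00). */
bool scenario_large_buffer_ok(void)
{
    uint8_t buf[16];
    size_t written = 0;
    memset(buf, 0, sizeof buf);
    bool ok = save_path(k_segs, 3, buf, sizeof buf, &written);
    return ok && written == 12 &&
           buf[4] == 0xff && buf[5] == 0xff && buf[6] == 3 && buf[7] == 0;
}
```

The important design choice is that the capacity travels with the output pointer into the function that performs the write, so the check sits next to the write and cannot drift out of sync with it, which is exactly what an extra length parameter on SavePathSeg achieves.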

 

[Image: fig06.png]

Figure 6 An additional length check was added to the SavePathSeg function

 

MS13-028

The patched methods were CVMLShapeView::FreeView and CVMLShapeView::InvalidateView. SafeRef and SafeRefTo class code was added to each method. The SafeRef and SafeRefTo classes maintain reference counts over an object’s lifecycle, preventing the accidental deletion of an object while it is still in use. This fix prevented use-after-free issues.
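How a scoped reference holder prevents the use-after-free, modelled in C as an added example that is not the VGX.DLL code or any code from the original post. The view object, the `safe_ref_t` holder, the re-entrant owner callback and the global counters are all constructed for the demonstration; the SafeRef name on the page is a C++ class, and this is only an illustration of the same idea.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the SafeRef-style fix described above, not the
 * VGX.DLL code. A view object is reference counted; FreeView notifies an
 * owner, and the owner may drop its own reference during that callback.
 * Without a guard the object can be destroyed while FreeView still uses
 * it; with a guard reference held for the duration, destruction is
 * deferred until FreeView is finished with it. */

typedef struct view { int refs; int id; } view_t;

int g_live_views = 0;        /* how many view objects currently exist */
int g_last_destroyed = -1;   /* id of the most recently destroyed view */

view_t *view_new(int id)
{
    view_t *v = malloc(sizeof *v);
    if (!v) abort();
    v->refs = 1;
    v->id = id;
    g_live_views++;
    return v;
}

void view_addref(view_t *v) { v->refs++; }

/* Drops one reference; destroys the object when the count reaches zero. */
void view_release(view_t *v)
{
    if (--v->refs == 0) {
        g_last_destroyed = v->id;
        g_live_views--;
        free(v);
    }
}

/* Scoped holder standing in for SafeRef (hypothetical C spelling). */
typedef struct { view_t *p; } safe_ref_t;

safe_ref_t safe_ref_acquire(view_t *v)
{
    view_addref(v);
    safe_ref_t r = { v };
    return r;
}

void safe_ref_drop(safe_ref_t *r)
{
    if (r->p) {
        view_release(r->p);
        r->p = NULL;
    }
}

typedef void (*notify_fn)(view_t **owner_slot);

/* Constructed re-entrant callback: the owner releases its reference and
 * clears its slot in the middle of FreeView. */
void owner_drops_reference(view_t **owner_slot)
{
    view_t *v = *owner_slot;
    *owner_slot = NULL;
    view_release(v);
}

/* Pre-patch shape. The object is only borrowed, so after the callback it
 * may already be gone. Rather than touch freed memory, this version
 * reports whether the object was destroyed before the post-callback
 * access would have happened (true means the real code would read
 * freed memory at this point). */
bool free_view_unpatched_uses_freed_object(view_t **owner_slot, notify_fn notify)
{
    int id = (*owner_slot)->id;
    notify(owner_slot);
    return g_last_destroyed == id;
}

/* Patched shape: a guard reference keeps the object alive across the
 * callback, so the post-callback access is safe. Returns the id read
 * after the callback. */
int free_view_patched(view_t **owner_slot, notify_fn notify)
{
    safe_ref_t guard = safe_ref_acquire(*owner_slot);
    notify(owner_slot);           /* owner may release its reference here */
    int id = guard.p->id;         /* still valid: guard holds a reference */
    safe_ref_drop(&guard);        /* object destroyed now, not earlier */
    return id;
}

/* Scenario helpers: each creates one view whose only owner drops it
 * during the callback. */
bool scenario_unpatched(void)
{
    view_t *slot = view_new(7);
    bool destroyed_early = free_view_unpatched_uses_freed_object(&slot, owner_drops_reference);
    return destroyed_early && slot == NULL && g_live_views == 0;
}

int scenario_patched(void)
{
    view_t *slot = view_new(9);
    int id = free_view_patched(&slot, owner_drops_reference);
    return (slot == NULL && g_live_views == 0) ? id : -1;
}

int main(void)
{
    printf("unpatched FreeView would touch a freed object: %s\n",
           scenario_unpatched() ? "yes" : "no");
    printf("patched FreeView read id %d safely\n", scenario_patched());
    return 0;
}
```

The guard does not stop the owner from releasing its reference; it only guarantees that the count cannot reach zero until FreeView itself is done, which is the whole property a SafeRef-style holder provides.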

 

[Image: fig07.png]

Figure 7 CVMLShapeView::FreeView patch

 

MS13-037 (CVE-2013-2551)

This vulnerability was used in the 2013 PWN2OWN contest and there is a detailed write-up available. The vulnerability affects the COALineDashStyleArray object: when a negative length is provided to the COALineDashStyleArray::put_length method, it shrinks the array and sets the total array length to a huge positive value, because the signed integer is later converted to an unsigned short integer. The patch checks whether the array length provided is negative (see Figure 8).
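The sign-conversion problem described above, modelled in C as an added example that is not the VGX.DLL code or any code from the original post. The array structure, its accessor and the scenario functions are constructed; the real put_length would resize the allocation, which this model deliberately leaves out so that the corrupted length can be observed without touching memory outside the allocation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the flaw described above, not the VGX.DLL code.
 * The array stores its element count in an unsigned short. A negative
 * count passed through put_length is narrowed without a check, so -1
 * becomes 65535 and every later bounds check trusts that value. */

typedef struct {
    unsigned short length;     /* logical element count, as described above */
    size_t         capacity;   /* real allocation size; the checks never consult it */
    int           *items;
} dash_array_t;

bool dash_array_init(dash_array_t *a, size_t n)
{
    a->items = calloc(n, sizeof *a->items);
    if (!a->items)
        return false;
    a->length = (unsigned short)n;
    a->capacity = n;
    return true;
}

void dash_array_free(dash_array_t *a)
{
    free(a->items);
    a->items = NULL;
    a->length = 0;
    a->capacity = 0;
}

/* Pre-patch shape: the signed value is narrowed without any check. */
unsigned short put_length_unchecked(dash_array_t *a, int new_len)
{
    a->length = (unsigned short)new_len;   /* -1 -> 65535 */
    return a->length;
}

/* Patched shape: negative lengths are rejected before the narrowing.
 * This model does not resize, so anything beyond the allocation (or
 * beyond what an unsigned short can hold) is refused as well. */
bool put_length_checked(dash_array_t *a, int new_len)
{
    if (new_len < 0 || new_len > USHRT_MAX || (size_t)new_len > a->capacity)
        return false;
    a->length = (unsigned short)new_len;
    return true;
}

/* The bounds check the rest of the code would perform before an element
 * access: it compares against length, so a corrupted length makes
 * out-of-range indexes look valid. Returns the verdict only and never
 * dereferences items. */
bool index_allowed(const dash_array_t *a, unsigned idx)
{
    return idx < a->length;
}

/* Scenario: a 4-element array receives a length of -1. */
unsigned short scenario_unchecked_length(void)
{
    dash_array_t a;
    if (!dash_array_init(&a, 4)) abort();
    unsigned short l = put_length_unchecked(&a, -1);
    dash_array_free(&a);
    return l;   /* 65535 */
}

bool scenario_unchecked_allows_oob(void)
{
    dash_array_t a;
    if (!dash_array_init(&a, 4)) abort();
    put_length_unchecked(&a, -1);
    bool allowed = index_allowed(&a, 1000);   /* true: 1000 < 65535 */
    dash_array_free(&a);
    return allowed;
}

/* With the fix, -1 is rejected, the length stays 4, and index 1000 is
 * refused while index 3 is still accepted. */
bool scenario_checked_rejects(void)
{
    dash_array_t a;
    if (!dash_array_init(&a, 4)) abort();
    bool rejected = !put_length_checked(&a, -1);
    bool still_sane = a.length == 4 && !index_allowed(&a, 1000) && index_allowed(&a, 3);
    dash_array_free(&a);
    return rejected && still_sane;
}
```

Narrowing a signed value into a smaller unsigned field is only safe after the sign has been checked; the patch's negativity test is the minimal fix, and a cast that sits before any such test is the thing to look for when reviewing similar length setters.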

 

[Image: fig08.png]

Figure 8 Patch to filter out negative array length

 

The ZDI Factor

As the premier bug bounty program, HP’s Zero Day Initiative (ZDI) is no stranger to the various types of vulnerabilities found in Microsoft’s flagship browser. Specific to this comparison, both CVE-2011-1266 and CVE-2013-2551 were disclosed to Microsoft through the program. Just four months into 2014, the ZDI has published 116 advisories. More than 20% of these are against Microsoft IE, with all but three being Use-After-Free (UAF). Continuing the theme of protecting customers before attackers can leverage a flaw, there are 41 IE vulnerabilities reported to Microsoft and awaiting patches: 33 are UAFs and six are internal discoveries.

 

Conclusion

VGX.DLL is a VML component for Internet Explorer and has a history of being exploited. Some of the vulnerabilities discussed were 0-day at the time of disclosure and some of them were even being used by malware in the wild. While arithmetic overflow and underflow were common in the past, use-after-free is now more of an issue. From this analysis, we can see that trends for vulnerability types can change over time – even for the same component.

At the time of publishing, Microsoft had not provided a security update to address this issue. Consider choosing an alternative web browser until the patch becomes available, or use the workaround provided by the vendor in their advisory.

 

Comments
Anonymous123 | 04-30-2014 10:20 AM

This vulnerability isn't in VGX.DLL, though. You may wish to reconsider this entry.

Matt_Oh | 04-30-2014 03:38 PM - edited 05-02-2014 03:04 PM

@Anonymous123: Yes, we got to know that after we worked on our post. Just for the record, more details can be found here: http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-29...

anonymous321 | 05-01-2014 01:55 PM

What about the discussion of the flash component? Is this blog post even remotely related to CVE-2014-1776?

Matt_Oh | 05-01-2014 07:32 PM - edited 05-02-2014 03:05 PM

@anonymous321: At the time of writing, it was assumed that the vulnerability was related to VGX.DLL. You can now view this blog as more of a VGX.DLL patch history. The Flash component was not under consideration when we worked on this material.

 

Also, ZDI data and even VGX.DLL vulnerability type data show that use-after-free is dominant these days. The original intention of the material was emphasising the trend of the dominant vulnerability type changing. In that sense the blog serves its purpose.

 

Thanks.

About the Author
Twitter: @ohjeongwook .