UPDATE – Researchers at Websense said today they may have isolated two components within the VGX library that are being exploited by attackers targeting the latest Internet Explorer zero-day vulnerability.
By combing through millions of Windows crash reports sent via the Windows Error Reporting feature, researchers have discovered a spike in VGX.DLL crashes in two particular spots. Application crashes are indicators of exploit activity in some cases, and researchers believe that either one could be what is being exploited in the wild.
Researcher Alex Watson said more details on the vulnerable components could be available soon, and would fill in some gaps left open by advisories from Microsoft and FireEye that were scant in details about the exploits.
“We are searching those [two] and taking a deep look at our feeds to find other indicators of compromise,” Watson said.
Watson said researchers combed through six months of crash reports, close to 20 million in total, and found fewer than 40 crashes in IE 6 through IE 11 inside VGX; 13 of those happened in February, 9 in March and 12 this month.
Two stood out. The first affected IE 9 running on a Windows 7 machine, which is the same setup exploited in the attacks currently in the wild. Other matching crash reports indicate possible failed exploit activity in the U.S. between March 22 and mid-April, Websense said.
The second possible vulnerability affects IE 8, the researchers said. Crash reports from two different versions of IE 8 running on Windows 7 indicate that a buffer overflow vulnerability was present in VGX as early as Feb. 17, Websense said.
“It is somewhat unusual to see such a large percentage of application crashes being triggered via buffer overflow,” Watson said, calling it suspicious. “While it has not been reported that IE 8 has been targeted via CVE-2014-1776 in the wild, errors like this are consistent with exploits that corrupt and overwrite memory.”
The IE zero-day set off alarm bells because it can be exploited all the way back to the versions of IE that run on Windows XP, which Microsoft no longer supports as of April 8. Microsoft issued an advisory and warned users that hackers were actively exploiting the use-after-free vulnerability in limited targeted attacks, although only in IE 9 through IE 11.
Researchers at FireEye also shared details on the exploit and said that it is used in conjunction with an Adobe Flash exploit to cause memory corruption and allow an attacker to run code remotely on the compromised computer. The vulnerability in IE is specific to the browser’s handling of the Vector Markup Language and vector graphics rendering. Microsoft advised as a temporary mitigation that admins disable the VGX.DLL; the library is crucial for proper graphics rendering and is used by IE as well as Office applications.
“When we looked at this DLL, we found it is not used often and likely shouldn’t be used at all,” Watson said. “It’s a deprecated vector processing library.”
Watson said researchers were prompted by news of the active exploits and started searching crash reports for evidence of exploit activity in the VGX library. Starting in February, crashes in IE 8 and IE 9 began to spike, in particular among targets in the U.S., U.K., and Brazil, including telecoms, financial services organizations and municipal governments, Websense said.
Websense researchers use application crash reports from computers running Windows XP, Vista, 7 and 8, sent through the Windows Error Reporting framework, to investigate the possibility of advanced attacks against organizations. Exploits often cause applications to crash, and these reports, also known as Dr. Watson reports, are sent in the clear to Microsoft so that bugs and user experience issues can be prioritized and addressed. The reports are triggered not only by crashes, but also when applications fail to update or when hardware changes are detected on a network.
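As an added illustration of the crash-report triage the article describes (filtering millions of reports down to one faulting module, grouping by crash site, and watching for spikes and for exception codes consistent with memory corruption), the Python below runs that logic over a handful of constructed WER-style records. It is example code written for this page, not Websense's tooling; the record fields are a simplified model of a WER problem signature, and every version string, offset, exception code pairing and date in the sample is made up.

```python
from collections import Counter
from datetime import date
from typing import NamedTuple


class Crash(NamedTuple):
    """Simplified model of one WER crash record (a subset of the fields a
    Windows Error Reporting problem signature carries). Assumed layout."""
    app: str              # faulting application
    app_version: str      # application version; first component is the IE major version
    os: str               # operating system the report came from
    module: str           # faulting module name
    module_version: str   # faulting module version (offsets only compare within one build)
    exception_code: int   # NTSTATUS exception code
    offset: int           # fault offset inside the faulting module
    day: date             # day the report was received


# Real NTSTATUS codes characteristic of memory-corruption failures.
MEMORY_CORRUPTION_CODES = {
    0xC0000005: "access violation",
    0xC0000409: "stack buffer overrun",
}

# Constructed sample records for this example; versions, offsets and dates
# are invented and are not real crash data from the investigation.
SAMPLE_CRASHES = [
    Crash("iexplore.exe", "9.0.8112.16421", "Windows 7", "vgx.dll", "9.0.8112.16421", 0xC0000005, 0x2A1B4, date(2014, 3, 22)),
    Crash("iexplore.exe", "9.0.8112.16421", "Windows 7", "vgx.dll", "9.0.8112.16421", 0xC0000005, 0x2A1B4, date(2014, 3, 30)),
    Crash("iexplore.exe", "9.0.8112.16421", "Windows 7", "vgx.dll", "9.0.8112.16421", 0xC0000005, 0x2A1B4, date(2014, 4, 3)),
    Crash("iexplore.exe", "9.0.8112.16421", "Windows 7", "vgx.dll", "9.0.8112.16421", 0xC0000005, 0x2A1B4, date(2014, 4, 14)),
    Crash("iexplore.exe", "8.0.7601.17514", "Windows 7", "vgx.dll", "8.0.7601.17514", 0xC0000409, 0x1F0C8, date(2014, 2, 17)),
    Crash("iexplore.exe", "8.0.7601.18349", "Windows 7", "vgx.dll", "8.0.7601.17514", 0xC0000409, 0x1F0C8, date(2014, 2, 25)),
    Crash("iexplore.exe", "8.0.7601.17514", "Windows 7", "vgx.dll", "8.0.7601.17514", 0xC0000409, 0x1F0C8, date(2014, 3, 5)),
    Crash("iexplore.exe", "11.0.9600.16428", "Windows 8", "vgx.dll", "11.0.9600.16428", 0xC0000005, 0x3B002, date(2014, 1, 9)),
    Crash("iexplore.exe", "10.0.9200.16384", "Windows 7", "vgx.dll", "10.0.9200.16384", 0x80000003, 0x11A20, date(2014, 2, 11)),
    Crash("iexplore.exe", "9.0.8112.16421", "Windows 7", "mshtml.dll", "9.0.8112.16421", 0xC0000005, 0x5D3E0, date(2014, 3, 22)),
    Crash("winword.exe", "14.0.7116.5000", "Windows 7", "mshtml.dll", "9.0.8112.16421", 0xC0000005, 0x5D3E0, date(2014, 4, 1)),
]


def crashes_in_module(records, module):
    """Keep only crashes whose faulting module matches (case-insensitive)."""
    return [r for r in records if r.module.lower() == module.lower()]


def site_key(r):
    """Identity of a crash site: IE major version, OS, module build and offset.
    Different IE builds are collapsed onto the major version so the same
    faulting spot seen from several patch levels groups together."""
    major = r.app_version.split(".")[0]
    return (major, r.os, r.module.lower(), r.module_version, r.offset)


def crash_sites(records):
    """How many times each distinct crash site appears."""
    return Counter(site_key(r) for r in records)


def hotspots(records, min_count=3):
    """Crash sites hit at least min_count times, most frequent first."""
    return [(site, n) for site, n in crash_sites(records).most_common() if n >= min_count]


def monthly_counts(records):
    """Crash volume per calendar month, for spotting a spike."""
    return Counter(r.day.strftime("%Y-%m") for r in records)


def memory_corruption_share(records):
    """Fraction of crashes whose exception code points at memory corruption;
    an unusually high share is the signal the article's researchers called out."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r.exception_code in MEMORY_CORRUPTION_CODES)
    return hits / len(records)


def summarize(records, module="vgx.dll", min_count=3):
    """Full triage for one module: volume, recurring sites, trend and corruption share."""
    picked = crashes_in_module(records, module)
    return {
        "module_crashes": len(picked),
        "hotspots": hotspots(picked, min_count),
        "by_month": dict(sorted(monthly_counts(picked).items())),
        "memory_corruption_share": memory_corruption_share(picked),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CRASHES)
    print(f"{report['module_crashes']} crashes in vgx.dll")
    for site, n in report["hotspots"]:
        major, os_name, module, module_version, offset = site
        print(f"  {n}x IE {major} on {os_name}: {module} {module_version} +0x{offset:X}")
    print("by month:", report["by_month"])
    print(f"memory-corruption share: {report['memory_corruption_share']:.0%}")
```

On the constructed sample this surfaces two recurring sites, one in IE 9 and one shared by two IE 8 builds, with the non-VGX crashes filtered out before grouping. Grouping on the module build plus offset matters because a fault offset is only comparable between reports that hit the same build of the DLL; grouping on the raw application version instead would split a single crash site across patch levels.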
This article was updated at 4 p.m. with clarifications throughout.