Curious Tale of a Microsoft Silverlight Zero Day

A Silverlight vulnerability patched yesterday by Microsoft could be tied to a Russian hacker who tried to sell a similar zero day to the Hacking Team.

Microsoft Silverlight vulnerabilities certainly don’t have the same hacker cred as bugs in Adobe Flash, for example, but nonetheless, that does not diminish their value, nor does that mean they should be ignored.

Microsoft patched a critical flaw in the application framework on Tuesday, and researchers at Kaspersky Lab’s Global Research and Analysis Team caution that while exploits have been used in limited targeted attacks—contrary to information in Microsoft’s bulletin—it may be a matter of time before attacks go mainstream.

“It’s a big deal; Silverlight vulnerabilities don’t come around that often,” said Kaspersky Lab researcher Brian Bartholomew. “Exploitation of the zero day itself is fairly technical, but once a proof-of-concept falls into the hands of someone who knows what they’re doing and reverse engineers the patch, it’s not that difficult to produce a weaponized version of it.”

That means that in short order, an exploit used in targeted attacks by sophisticated actors would likely be folded into the leading exploit kits and be available to criminal operations.

Kaspersky Lab’s Costin Raiu and Anton Ivanov disclosed the bug to Microsoft after doing some detective work on data exposed in the Hacking Team breach. Prompted by an email from a Russian hacker named Vitaliy Toropov to Hacking Team that was published in July by Ars Technica, Kaspersky researchers decided to pursue Toropov’s claims that he had a Silverlight zero day for sale that was at least two years old in 2013 and which he said could survive for a few more years without detection.

Silverlight bugs, like security flaws in Flash, allow attackers to hit victims regardless of the platform or browser they’re running. For now, Kaspersky’s Bartholomew said the attacks observed have targeted only Windows machines, but with tweaks, the possibility exists to extend attacks to the Mac OS X platform and others. Generally, victims are attacked via links in a spear-phishing email or in drive-by downloads, where the attacker has dropped a malicious Silverlight application on a vulnerable webserver.

Bartholomew told Threatpost that Kaspersky researchers were able to find an older Silverlight vulnerability and proof-of-concept exploit submitted to Packet Storm that was credited to Toropov. The archive was available for download and included enough resources for Kaspersky researchers this summer to write a YARA rule for the DLL that implemented the exploit.

The rule was deployed to Kaspersky customer machines and until late November there was nary a hit on the rule. That changed Nov. 25 when one of the generic detections for the 2013 exploit triggered an alert from a user’s machine. The file was compiled July 21, fewer than two weeks after the Hacking Team breach was disclosed and data stolen in the attack was dumped online. The zero day was analyzed and disclosed to Microsoft, which patched it yesterday; Kaspersky published a technical analysis of the flaw today.

The vulnerability serves to give an attacker an initial foothold on a compromised machine. From there, additional payloads are served to the infected computer and can lead to the loss of sensitive data or further network infiltration.

According to Microsoft, the vulnerability opens the door to remote code execution and affects Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime; later builds after 5.1.41212.0 are not affected.

From the Microsoft bulletin MS16-006:

“A remote code execution vulnerability exists when Microsoft Silverlight decodes strings using a malicious decoder that can return negative offsets that cause Silverlight to replace unsafe object headers with contents provided by an attacker. In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user.”

The question remains as to whether this zero day is the same one uncovered in the Hacking Team data dump that Toropov tried to sell, or a new one written after the leak. For example, Bartholomew said there are commonalities in both samples that are unique to Toropov.

“Not many people write Silverlight zero days, so the field is narrowed significantly,” Bartholomew said. “On top of that, there are some error strings used in his old exploit from 2013 that we latched on to and thought were unique. These were the basis of our rule.

“This exploit contains the same error strings and a .NET application ID that is the same as the old one. Every time you build a new app in .NET, you get a new ID. This has the old one. All of this adds to the pile of indicators that point to him.”
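The matching Bartholomew describes, known error strings combined with a reused .NET application ID, sketched as an added Python example; it is not Kaspersky's YARA rule and not code from the article. The error strings, GUID and sample buffers are constructed placeholders, and the sketch assumes the ID is present in the binary as GUID-formatted text.

```python
import re

# Constructed placeholders: the article does not publish the real strings or ID.
KNOWN_ERROR_STRINGS = ["placeholder exploit error A", "placeholder exploit error B"]
KNOWN_APP_GUID = "00000000-1111-2222-3333-444444444444"

def _guid_pattern(suffix):
    """GUID regex over bytes; suffix=r'\\x00' matches the UTF-16LE form."""
    h = "(?:[0-9a-fA-F]" + suffix + ")"
    d = "-" + suffix
    return re.compile((h + "{8}(?:" + d + h + "{4}){3}" + d + h + "{12}").encode())

GUID_ASCII = _guid_pattern("")       # attribute values are stored as UTF-8
GUID_WIDE = _guid_pattern(r"\x00")   # .NET string literals are stored as UTF-16LE

def extract_guids(data: bytes) -> set:
    """Return every GUID-formatted string in the buffer, lower-cased."""
    guids = {m.group().decode("ascii").lower() for m in GUID_ASCII.finditer(data)}
    guids |= {m.group().decode("utf-16-le").lower() for m in GUID_WIDE.finditer(data)}
    return guids

def triage(data: bytes) -> dict:
    """Grade a sample by shared error strings and a reused application GUID."""
    hits = [s for s in KNOWN_ERROR_STRINGS
            if s.encode("ascii") in data or s.encode("utf-16-le") in data]
    guids = extract_guids(data)
    guid_match = KNOWN_APP_GUID in guids
    if guid_match and hits:
        verdict = "strong"   # same build ID and same strings: likely same code base
    elif guid_match or len(hits) >= 2:
        verdict = "review"   # partial overlap: needs an analyst
    else:
        verdict = "none"
    return {"verdict": verdict, "error_strings": hits, "guids": sorted(guids)}

def _wide(s):
    return s.encode("utf-16-le")

# Constructed sample buffers (not real binaries).
SAMPLE_REUSED = (b"MZ\x90\x00" + _wide(KNOWN_ERROR_STRINGS[0]) + b"\x00\x01$"
                 + KNOWN_APP_GUID.encode() + b"\x00\x00")
SAMPLE_REBUILT = (b"MZ\x90\x00" + _wide(KNOWN_ERROR_STRINGS[0]) + b"\x00\x00"
                  + _wide(KNOWN_ERROR_STRINGS[1]) + b"$aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_CLEAN = b"MZ\x90\x00" + _wide("ordinary application text")

if __name__ == "__main__":
    for name in ("SAMPLE_REUSED", "SAMPLE_REBUILT", "SAMPLE_CLEAN"):
        print(name, triage(globals()[name]))
```

Requiring both signals for the top grade keeps a single generic string from driving the verdict, while a sample that keeps the strings but was rebuilt under a new ID still surfaces for review.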

Hacking Team indicated in its email to Toropov that it was willing to pay him a $20,000 advance for the zero day. Zero day acquisition firm Zerodium posted a price list on its website, and while it does not list Silverlight specifically, remote code execution vulnerabilities for Flash pay in the $80,000 range—and likely more underground.

“Silverlight zero days are a big deal,” Bartholomew said, “because of the potential impact and widespread usage that could happen from this.”
