April 28, 2014

A Look at CVE-2014-1776 via Windows Crash Reports

Alexander Watson


  • Through analyzing Windows Error Reports (a.k.a. Dr. Watson logs), we have identified two possible vulnerabilities (anomalous crashes) in VGX.DLL that may be linked to MSIE 0-day CVE-2014-1776.
  • We have seen a significant spike in crashes of Internet Explorer versions 8 and 9 that fail in VGX.DLL, starting in February 2014. These crashes are indicators of application vulnerabilities that may be exploited.
  • Anomalous application crashes from VGX.DLL have been observed originating from the USA, UK, and Brazil. Specific industries with anomalous application crashes include telecommunications, tier-1 financial and municipal government. 

As we mentioned in our last blog entry, a new vulnerability has been discovered by researchers at FireEye in Microsoft Internet Explorer affecting Internet Explorer versions 6 through 11. Current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website. The vulnerability has been assigned reference CVE-2014-1776.  The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering, when Internet Explorer accesses a related object in memory that has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.

Microsoft has released an advisory with recommendations about how users can take steps to mitigate their vulnerability while a patch is prepared. There has been quite a bit of discussion about the impact of the vulnerability, including recommendations from both the US Department of Homeland Security and UK governments that government users avoid the use of Internet Explorer until a bug patch is released by Microsoft.

In spite of the ongoing discussions and mitigation options, not many details exist about how the exploit targets Microsoft Internet Explorer, and where it is being seen in the wild. In this blog post, we will examine application crash reports from Microsoft Windows computers that are sent via the WER (Windows Error Reporting) framework, to see if we can learn anything about possible vulnerabilities that are being exploited and/or where attacks are occurring.

Comparison to known exploits

Microsoft's threat advisory for CVE-2014-1776 recommends disabling the VGX.DLL library as a mitigation option against the exploit. This library is a core library for Internet Explorer's "Vector Markup Language" (VML) capability -- a deprecated vector graphics format that was primarily used in Microsoft Office Applications. It is interesting to see that VGX.DLL has been linked to other vulnerabilities from 2013, including CVE-2013-2551 and CVE-2013-0030, which both use memory corruption techniques that could theoretically be used to compromise IE. We have previously discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, is an opt-out program that exists in Windows XP, Vista, 7, and 8 that sends detailed telemetry to Microsoft each time an application crashes or fails to update, or a hardware change occurs on the network. This data is incredibly valuable to Microsoft and application vendors, to help debug their applications and prioritize fixes on a massive scale. More information on how you can harness intelligence from Windows crash reports, which are sent from over 80% of PCs globally, can be found in our whitepaper.

Today, we will search crash reports for evidence of exploit-type activity happening in the VGX.DLL library within Internet Explorer. This can be used to help identify possible vulnerabilities that are being exploited by CVE-2014-1776, and can hint at possible geographic locations that are being targeted during attacks. These application crashes are generated for one of three reasons:

1. Normal application failure, such as running out of memory

2. Crash triggered during normal application use, which may be a vulnerability

3. Failed exploit activity

Searching for needles in the haystack

Let's start by looking at Windows Error Reporting application crashes that we have seen occur in the past 6 months. Out of a total of 19.8 million error reports, the following crashes occurred in Internet Explorer versions 6 - 11 inside the VGX.DLL library

  • November 2013: 2 crashes
  • December 2013: 1 crash
  • January 2014: 3 crashes
  • February 2014: 13 crashes
  • March 2014: 9 crashes
  • April 2014: 12 crashes

We see a significant uptick in crashes starting around February 10th, 2014. Let's take a closer look to see if we can learn anything from the crash reports. Of 39 crashes observed, there are 15 distinct crash reports, grouped by the crash offset location. Two distinct crash reports emerge as being interesting.

Possible vulnerability affecting VGX.DLL in IE 9

We have seen the first cluster of application crashes affecting IE version 9 on Windows 7 -- consistent with the vulnerability observed in the wild. We have observed matching crash reports indicating possible failed exploit activity in the United States between March 22nd, 2014, and mid-April 2014.

  • 4 matches: http://watson.microsoft.com/StageOne/iexplore_exe/9_0_8112_16483/515df825/vgx_dll/9_0_8112_16483/515df802/c0000005/00026fed.htm?

Buffer Overflow vulnerability affecting VGX.DLL in IE 8

A second interesting cluster of crash reports appears to be affecting IE 8 (via our telemetry).  We can see two distinct versions of IE 8 on Windows 7 affected below (8.0.7601.17514 and 8.0.7600.16385). The BEX error type indicates a buffer overflow happening in VGX.DLL, and it is somewhat unusual to see such a large percentage of application crashes being triggered via buffer overflow. While it has not been reported that IE 8 has been targeted via CVE-2014-1776 in the wild, errors like this are consistent with exploits that corrupt and overwrite memory. We have observed these crash reports occurring as early as February 17, 2014 in the United States, United Kingdom, and Brazil. 

  • 000000_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/644481aa/c0000005/00000008.htm?
  • 000001_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/66bda6fa/c0000005/00000008.htm?
  • 000001_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/4dba4373/6987f4b4/c0000005/00000008.htm?
  • 000002_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/6aa5b562/c0000005/00000008.htm?
  • 000003_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/5e3e8901/c0000005/00000008.htm?
  • 000004_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/4dba4373/6987f4b4/c0000005/00000008.htm?
  • 000009_0:http://watson.microsoft.com/StageOne/Generic/BEX/IEXPLORE_EXE/8_0_7600_16385/4a5bc69e/vgx_dll_unloaded/0_0_0_0/4a5bdb2c/60dee4f3/c0000005/00000008.htm?

To conclude - this analysis is not intended to be conclusive, but to provide indicators of possible vulnerabilities in Internet Explorer's VGX.DLL that may be exploited by CVE-2014-1776. More info coming soon.


Contributors: Alex Watson

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.