Debug code cracked case in hunt for mystery Silverlight zero day
Kaspersky reveals story behind nasty Patch Tuesday fix
Kaspersky has revealed how it tracked an exploit developer's debug signature over months to find and report to Microsoft a dangerous, then zero-day vulnerability in Silverlight that could have placed millions of users at risk of compromise.
The Russian security outfit reported the bug (CVE-2016-0034) late last year; it was crushed in this week's Patch Tuesday update.
Kaspersky threat-throttlers Costin Raiu and Anton Ivanov write that the vulnerability was found after analysing leaked Hacking Team emails that reveal Russian hacker Vitaliy Toropov attempted to sell multiple zero days to the flayed Italian firm.
Toropov successfully sold a since-patched Flash exploit for US$45,000 and attempted to flog an iOS and Silverlight exploit. The latter had gone unpatched in the 36 months to June 2013 and was likely to "survive" for the next few years, Toropov pitched to the hacking company.
This exchange piqued the interest of the Kaspersky researchers, who examined Toropov's proof-of-concept exploit code for a separate Silverlight vulnerability patched in late 2013.
"[This] story immediately spiked our attention," the pair write.
"If that was true, it would be a heavyweight bug, with huge potential to successfully attack a lot of major targets.
"For instance, when you install Silverlight, it not only registers itself in Internet Explorer, but also in Mozilla Firefox, so the attack vector could be quite large."
They hoped to find hallmarks in that public code that they could use to find the mysterious Silverlight exploit Toropov had attempted to sell.
It paid off. Debugging code left over in that exploit was discovered, written into a YARA rule, and plugged into the Kaspersky global threat network where it sat silent for months.
The YARA detection for the Silverlight bug
On 25 November it scored a hit with a customer infection and hours later an IP address in Laos uploaded a sample containing the code to VirusTotal.
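The technique described above, leftover debug artifacts in a public proof of concept turned into a string-matching rule and run against incoming samples, as an added illustration that is not Kaspersky's rule or code. The artifact strings (a PDB path and a progress message) and the sample buffers are constructed for the example; the real indicators are not on this page. The block renders the artifacts as YARA rule text and emulates the match with plain byte searches so it runs without the yara library.

```python
"""Toy YARA-style artifact matcher: constructed example, not Kaspersky's rule."""
from typing import Dict, List

# Constructed debug artifacts of the kind a developer leaves behind in a proof
# of concept: a build-machine PDB path and a progress message. Not the real
# indicators from the Silverlight case.
DEBUG_ARTIFACTS: Dict[str, bytes] = {
    "pdb_path": rb"C:\dev\example_poc\obj\Release\example_poc.pdb",
    "debug_print": rb"[*] heap spray complete, triggering bug",
}


def build_rule(name: str, artifacts: Dict[str, bytes]) -> str:
    """Render the artifacts as a YARA rule (text only; nothing here runs yara)."""
    lines = [f"rule {name}", "{", "    strings:"]
    for ident, pattern in artifacts.items():
        # YARA text strings need backslashes and quotes escaped.
        escaped = pattern.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        ${ident} = "{escaped}"')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def scan(buf: bytes, artifacts: Dict[str, bytes] = DEBUG_ARTIFACTS) -> List[str]:
    """Return the identifiers of every artifact present in buf, sorted.

    This emulates YARA's 'any of them' condition with exact substring search.
    """
    return sorted(ident for ident, pattern in artifacts.items() if pattern in buf)


def triage(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the matcher over a batch of named samples, as a scanner feed would."""
    return {name: scan(buf) for name, buf in samples.items()}


# Constructed sample buffers standing in for files seen by a scanner: a benign
# binary, the original public PoC, a new binary that reused part of the PoC
# (keeping one debug string), and a rebuild with the debug strings stripped.
SAMPLES: Dict[str, bytes] = {
    "benign_app": b"MZ\x90\x00" + b"\x00" * 64 + b"Hello from a normal program",
    "public_poc": b"MZ\x90\x00" + DEBUG_ARTIFACTS["pdb_path"] + b"..."
                  + DEBUG_ARTIFACTS["debug_print"],
    "reused_in_new_exploit": b"MZ\x90\x00" + b"\x41" * 32
                             + DEBUG_ARTIFACTS["debug_print"] + b"\x00" * 8,
    "stripped_rebuild": b"MZ\x90\x00" + b"\x41" * 32,
}

if __name__ == "__main__":
    print(build_rule("constructed_poc_debug_artifacts", DEBUG_ARTIFACTS))
    for sample_name, hits in triage(SAMPLES).items():
        print(f"{sample_name:24s} -> {hits or 'no match'}")
```

The "stripped_rebuild" sample is the caveat: a rule keyed on debug strings only fires while the author keeps reusing code that still carries them, which is why such a rule is a quiet, long-running tripwire rather than a general detection for the vulnerability itself.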
Toropov told Wired he did not sell the Silverlight exploit and says the one Kaspersky found is not his.
This leaves open the possibility that another hacker reused his published code.
Kaspersky has written a technical analysis of the Silverlight bug.®