Inside the Eye of a Microsoft 0-Day
FireEye discovered two of the most notorious zero-day vulnerabilities in recent months. How did the security company do it?
In the world of information security, a zero-day flaw is one of the most prized discoveries for any security researcher.
When one group is able to find not one, but two such flaws in Microsoft's Internet Explorer browser within a short period of time, it raises the question: How does a zero-day vulnerability get discovered in the first place?
In late December of 2012, security firm FireEye discovered a zero-day attack that affected Microsoft IE. Microsoft fixed the issue in an out-of-band MS13-008 emergency patch that was issued in January. In May of 2013, FireEye found yet another zero-day attack going after IE8. Microsoft provided a patch for the second zero-day discovery as part of the May Patch Tuesday update.
Zheng Bu, senior director of Security Research at FireEye, explained to eSecurity Planet that the recent discoveries of the two zero-day flaws demonstrate the power of FireEye's technology. Bu noted that the FireEye platform uses multi-flow and multi-vector analysis to detect next-generation threats that otherwise would go undiscovered.
"We are not like other security vendors who heavily rely on string matches," Bu said. "What we have here is a sandbox technology, with our own hypervisor to basically execute unknown objects in a controlled environment."
Bu added that if the unknown object is designed to do some kind of evil, the FireEye system is able to detect that inside of the secured sandbox. FireEye is also able to identify what the malware intends to do and the possible payload.
With the MS13-008 discovery, Bu said FireEye was able to detect what is known as a watering hole attack. In a watering hole attack, a legitimate site that its intended victims already visit is compromised with some form of malware that redirects those users to download or execute malicious code from a third-party site.
"In that attack, the site was compromised and was hosting an IE zero-day," Bu said.
FireEye's technology leverages automated scanning as well as human intelligence to verify the existence and root cause of zero-day exploits. Bu said that when FireEye submitted its zero-day flaws to Microsoft, Microsoft requested information beyond what automated scanning and analysis is able to provide, which is where the human intervention comes into play.
"Most of the static analysis pieces have been automated in our zero-day discovery system," Bu said. "But there are still some things that cannot be done with a machine, and you have to do those things with humans."
Dealing with zero-day discoveries from a security research perspective is one thing; fixing them from a vendor perspective is quite another. Bu noted that he has been working with Microsoft for some time, and that the company has improved its security response in recent years.
"When we reported the recent zero-days to Microsoft, they responded very quickly and accurately," Bu said.
Bu believes Microsoft is particularly responsive to FireEye's reports because they aren't based on common fuzzing, a simple and unsophisticated technique used by many security researchers to help identify sources of potential exploitation.
"There are many people writing fuzzers to discover vulnerabilities, but those aren't always vulnerabilities that are being exploited in the wild," Bu said. "The zero-day exploits we discover are different; we detect the in-the-wild exploits, and then we verify that they are zero-days."
In addition to zero-days in Microsoft IE, Bu said his firm has reported recent zero-days in Adobe PDF, Adobe Flash and Oracle's Java. While Bu has had a positive experience working with Microsoft, he said he believes Oracle could benefit from establishing closer ties with security researchers.
"We have made many suggestions to Oracle to improve their responsiveness. I think that Oracle can make use of a good vulnerability disclosure program and work with vendors to report and in return to get early notifications of security patches, similar to what Microsoft and Adobe have been doing."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.