Security Firm Finds Zero-Day Flaw by Turning Users Into Honeypots
Kaspersky turned details of a Silverlight flaw into detection rules. When an attacker exploited the vulnerability, it had enough information to pinpoint the flaw.When emails leaked from surveillance tools vendor Hacking Team hinted at a critical vulnerability in Microsoft's Silverlight multimedia player, researchers at security firm Kaspersky Lab wondered if they would be able to find a way to catch an attacker exploiting the flaw. Turns out they could. On Jan. 12, Microsoft patched a critical vulnerability in its Silverlight player that Kaspersky was able to pinpoint after it caught an attacker using an exploit. The attack code is thought to be the same exploit that a 30-something Russian bug finder, Vitaliy Toropov, attempted to sell to Hacking Team, as revealed by leaked emails. "He had sold multiple vulnerabilities to Hacking Team in the past," Brian Bartholomew, a senior security researcher at Kaspersky Lab, told eWEEK. "We thought it likely that if Hacking Team didn't buy it, he may have sold it to someone else."
The fact that Kaspersky could detect the attack is impressive, since the company knew very little about the exploit. By taking two pieces of information—the name of the exploit developer and his focus on a Silverlight vulnerability—Kaspersky researchers found an older Silverlight exploit created by the same developer, reverse-engineered the older attack and used unique strings in the code to developed rules that would likely match a future attack.