Security Research
Microsoft IE zero day and recent exploitation trends (CVE-2014-1776)

Matt_Oh 04-30-2014 08:37 AM - edited 04-30-2014 12:18 PM


Microsoft released an advisory last weekend on a new IE (Internet Explorer) zero-day in the wild, CVE-2014-1776. The attack is believed to have been delivered in the form of spear-phishing. VGX.DLL, which IE uses for VML (Vector Markup Language) rendering, was used for exploitation. IE 6 to IE 11 are vulnerable, and according to a report from FireEye, the exploit found in the wild was targeting IE 9 to IE 11. While there is no further technical detail publicly available on the vulnerability at this time (except that the vulnerability type is use-after-free), I thought that looking back at recent exploitation trends for the related component (VGX.DLL) would be interesting, even though it is not the direct source of the vulnerability. And indeed, VGX.DLL has a history of exploitation going back to 2006.

Table 1 shows a summary of recent vulnerabilities related to VGX.DLL. You can see that it has been exploited a number of times since 2006.

Bulletin (CVE)             Vulnerability type   Patched methods
MS06-055 (CVE-2006-4868)   Heap overflow        _IE5_SHADETYPE_TEXT::TOKENS::Ptok
MS07-004 (CVE-2007-0024)   Integer overflow     CVMLRecolorinfo::InternalLoad
MS07-050 (CVE-2007-1749)   Integer underflow    CDownloadSink::OnDataAvailable
MS11-052 (CVE-2011-1266)   Concurrency issue    GDIBlip, CSafeBrush, CSafePen constructors and destructors
MS13-010 (CVE-2013-0030)   Buffer overrun       CVMLShape::FSavePathV, SavePathSeg

Table 1 VGX.DLL related vulnerability history

(Just for your information, in order to capture this detail we used a tool called DarunGrim to perform analysis on each security update.)


MS06-055 (CVE-2006-4868)

When Microsoft released MS06-055, they fixed a lot of undocumented issues (see Figure 1). The full details for CVE-2006-4868 were already disclosed at the time of the patch. The vulnerable method name is _IE5_SHADETYPE_TEXT::TOKENS::Ptok. This vulnerability is somewhat well-known for the unusual release of a private patch from a third party organization called ZERT (Zeroday Emergency Response Team). Details on this private patch are available in this paper.



Figure 1 Patch analysis of MS06-055


I’m not going to reiterate all the details here, but Figure 2 illustrates the nature of this vulnerability very well. The block added with the security update (in red) shows that an additional bounds check was added. This implies that the vulnerability was an out of bounds issue.



Figure 2 Patch for CVE-2006-4868. A bounds-check block was added (in red).


MS07-004 (CVE-2007-0024)

MS07-004 addressed CVE-2007-0024, which was an integer overflow issue. For MS07-004, the exploit was developed using a patch analysis method and the issue was fixed by adding a simple range check (see Figure 3).



Figure 3 CVMLRecolorinfo::InternalLoad patch for CVE-2007-0024 (in red)


MS07-050 (CVE-2007-1749)

MS07-050 addressed CVE-2007-1749, an integer underflow. The full details of this vulnerability were released on a security mailing list. In summary though, the code handling compressed data performed a miscalculation when subtracting a processed data length. When the decompressed data was smaller than the compressed data, it could lead to an integer underflow causing heap corruption. The entire code from the CDownloadSink::OnDataAvailable method was re-written (see Figure 4).


Figure 4 Vulnerable code from CDownloadSink::OnDataAvailable. Red blocks were replaced with new code when the patch was applied.
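The underflow described above, as an added example that is not the VGX.DLL code: a hypothetical sink computes "bytes left to handle" as decompressed minus compressed length, which wraps when a chunk shrinks, beside the check that rejects that case before any copy.

```c
/* Added example modelling the length miscalculation described for
 * CVE-2007-1749; not the VGX.DLL code, all names hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OUT_BUF_SIZE 32u   /* constructed output buffer size */

/* Vulnerable pattern: bytes still to handle = produced (decompressed) minus
 * consumed (compressed), with no check. A chunk that decompresses to fewer
 * bytes than it consumed makes the unsigned subtraction wrap near SIZE_MAX. */
static size_t leftover_unchecked(size_t produced, size_t consumed)
{
    return produced - consumed;          /* wraps when produced < consumed */
}

/* Hardened pattern: validate the relationship before deriving a length. */
static bool leftover_checked(size_t produced, size_t consumed, size_t *out)
{
    if (produced < consumed)
        return false;                    /* malformed stream: stop, do not copy */
    *out = produced - consumed;
    return true;
}

/* Models the copy that follows the vulnerable arithmetic. The copy is skipped
 * when the length exceeds the buffer so the example can run; true means
 * memcpy(out, src, len) would have written past the buffer. */
static bool copy_would_overrun(size_t produced, size_t consumed)
{
    uint8_t out[OUT_BUF_SIZE], src[OUT_BUF_SIZE] = {0};   /* constructed data */
    size_t len = leftover_unchecked(produced, consumed);
    if (len > sizeof out)
        return true;
    memcpy(out, src, len);
    return false;
}

/* Hardened copy: rejects the underflow case and bounds the length against the
 * destination. Returns bytes copied, or -1 when the chunk is rejected. */
static int copy_checked(size_t produced, size_t consumed)
{
    uint8_t out[OUT_BUF_SIZE], src[OUT_BUF_SIZE] = {0};
    size_t len;
    if (!leftover_checked(produced, consumed, &len) || len > sizeof out)
        return -1;
    memcpy(out, src, len);
    return (int)len;
}
```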


MS11-052 (CVE-2011-1266)

This one was more related to an issue with objects. Multiple classes were patched with this update. The constructors and destructors for GDIBlip, CSafeBrush, CSafePen classes were patched. Mostly, concurrency-related functions were added. (Figure 5)


Figure 5 GDIBlip::~GDIBlip patch


MS13-010 (CVE-2013-0030)

CVE-2013-0030 was a memory corruption issue. The main patched functions were CVMLShape::FSavePathV and SavePathSeg. The SavePathSeg function is called from CVMLShape::FSavePathV. SavePathSeg’s prototype was changed to add an additional parameter for a length check on the targeted memory buffer. Figure 6 shows one of the areas where additional length checks were added inside the SavePathSeg function.



Figure 6 An additional length check was added to the SavePathSeg function



The patched methods were CVMLShapeView::FreeView and CVMLShapeView::InvalidateView. Code using the SafeRef and SafeRefTo classes was added to each method. The SafeRef and SafeRefTo classes maintain reference counts over an object's lifecycle, preventing the accidental deletion of an object. This fix prevented use-after-free issues.


Figure 7 CVMLShapeView::FreeView patch


MS13-037 (CVE-2013-2551)

This vulnerability was used in the 2013 PWN2OWN contest and there is a detailed write-up available. The vulnerability affects the COALineDashStyleArray object: when a negative length is provided to the COALineDashStyleArray::put_length method, it shrinks the array but sets the total array length to a huge positive value, because the signed integer is later converted to an unsigned short integer. The patch checks whether the array length provided is negative (see Figure 8).


Figure 8 Patch to filter out negative array length
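The sign-conversion problem described above, as an added example with hypothetical names rather than the COALineDashStyleArray code: a setter that shrinks storage on a negative request but stores the same value as an unsigned short, beside the negative-length check the patch adds (the upper bound is this example's own assumption).

```c
/* Added example (hypothetical names, not the COALineDashStyleArray code) for
 * the sign-conversion bug described for CVE-2013-2551; storage is a count. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
struct dash_array {
    unsigned short length;   /* element count as exposed to callers */
    size_t capacity;         /* elements actually backed by storage */
};

/* Vulnerable put_length: a negative request takes the shrink path (signed
 * compare), yet length is set from the same value cast to unsigned short. */
static void put_length_unchecked(struct dash_array *a, int n)
{
    if (n < (int)a->length) a->capacity = n > 0 ? (size_t)n : 0;   /* shrink */
    else                    a->capacity = (size_t)n;               /* grow */
    a->length = (unsigned short)n;             /* sign is lost: -1 -> 65535 */
}

/* Hardened put_length: the negative check the text describes, plus an upper
 * bound (this example's assumption) so the unsigned short cannot wrap. */
static bool put_length_checked(struct dash_array *a, int n)
{
    if (n < 0 || n > USHRT_MAX)
        return false;
    a->capacity = (size_t)n;
    a->length = (unsigned short)n;
    return true;
}

/* Element access trusts length: 1 = in bounds, 0 = rejected, -1 = allowed by
 * length but not backed by storage (the memory-corruption case). */
static int get_item_status(const struct dash_array *a, unsigned int i)
{
    if (i >= a->length)   return 0;
    if (i >= a->capacity) return -1;
    return 1;
}

/* Driver: 8-element array, apply n with either setter, probe index i.
 * Returns -2 when the hardened setter rejects the request. */
static int probe(int n, unsigned int i, bool hardened)
{
    struct dash_array a = { 8, 8 };
    if (hardened) { if (!put_length_checked(&a, n)) return -2; }
    else          { put_length_unchecked(&a, n); }
    return get_item_status(&a, i);
}
```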


The ZDI Factor

As the premier bug bounty program, HP's Zero Day Initiative (ZDI) is no stranger to the various types of vulnerabilities found in Microsoft's flagship browser. Specific to this comparison, both CVE-2011-1266 and CVE-2013-2551 were disclosed to Microsoft through the program. Just four months into 2014, the ZDI has published 116 advisories. More than 20% of these are against Microsoft IE, with all but three being Use-After-Free (UAF). Continuing the theme of protecting customers before attackers can leverage these flaws, there are 41 IE vulnerabilities reported to Microsoft and awaiting patches: 33 are UAFs and six are internal discoveries.



VGX.DLL is a VML component for Internet Explorer and has a history of being exploited. Some of the vulnerabilities discussed were 0-day at the time of disclosure and some of them were even being used by malware in the wild. While arithmetic overflow and underflow were common in the past, use-after-free is now more of an issue. From this analysis, we can see that trends for vulnerability types can change over time – even for the same component.

At the time of publishing, Microsoft had not provided a security update to address this issue. Consider choosing an alternative web browser until the patch becomes available, or use the workaround provided by the vendor in their advisory.


About the Author


Twitter: @ohjeongwook

on 04-30-2014 10:20 AM

This vulnerability isn't in VGX.DLL, though. You may wish to reconsider this entry.

04-30-2014 03:38 PM - edited 05-02-2014 03:04 PM

@Anonymous123: Yes, we got to know that after we worked on our post. Just for the record, more details can be found here:

on ‎05-01-2014 01:55 PM

What about the discussion of the flash component? Is this blog post even remotely related to CVE-2014-1776?

05-01-2014 07:32 PM - edited 05-02-2014 03:05 PM

@anonymous321: At the time of writing, it was assumed that the vulnerability was related to VGX.DLL. You can now view this blog as more of a VGX.DLL patch history. The Flash component was not under consideration when we worked on this material.


Also, ZDI data and even VGX.DLL vulnerability type data show that use-after-free is dominant these days. The original intention of the material was emphasising the trend of the dominant vulnerability type changing. In that sense the blog serves its purpose.
