Zero-day exploits usually make their way into light after an attacker uses it to breach a company. However, a team of researchers used small clues to trace similarities in an exploit writer’s style, allowing them to uncover a rather critical remote code execution vulnerability in Silverlight.

On Tuesday, Microsoft patched a critical vulnerability in Silverlight that could allow attackers to remotely execute code after tricking users into visiting a site that loads up a maliciously crafted Silverlight application. While Silverlight isn’t quite as popular as Adobe Flash, this is still a serious vulnerability that needed to be patched.

“A remote code execution vulnerability exists when Microsoft Silverlight decodes strings using a malicious decoder that can return negative offsets that cause Silverlight to replace unsafe object headers with contents provided by an attacker,” Microsoft said in their security bulletin published Tuesday.

The update patched how Microsoft Silverlight validates decoder results in Microsoft Silverlight 5, Microsoft Silverlight 5 Developer Runtime for Mac and all supported versions for Windows.

Closer look at the Silverlight Vulnerability

If attackers successfully exploited the Silverlight vulnerability they would obtain the same permission as the currently logged-on user, making this problematic for privileged users. If a user on a privileged system were to get compromised in say an enterprise environment, the attacker would have full control over that system. From that point forward attackers would be able to coordinate attacks by installing, removing and modifying data throughout the system.

The attack could come in many different forms experts warned, even including specially crafted advertisements displayed on a website or spam links blasted via email and social media. While Silverlight may not be quite as popular as Adobe Flash it is still a widely used plugin with Netflix alongside dozens of other providers using the plugin to deliver streaming content to viewers.

Microsoft said they are unaware of any active attacks targeting this Silverlight vulnerability. While Microsoft claims they are unaware of any attacks Kaspersky Lab’s claims the contrary, stating that is may have been used in an extremely limited number of highly targeted attacks, which is what led to the discovery in the first place.

Hunting for the looming zero-day (CVE-2016-0034)

Security and antivirus firm Kaspersky Labs initially became aware of the potential zero-day vulnerability looming in Silverlight after someone breached the Hacking Team networks and dumped a massive 400GB trove of confidential files, malware samples, customer lists and more.

During the leak most news centered around multiple Adobe Flash zero-day vulnerabilities that the Italian surveillance company had acquired, and rented out to governments. However after Costin Raiu, head of Kaspersky’s Global Research and Analysis Team, combed through the data more precisely, an email exchange in 2013 between a zero-day seller who identified himself as a 33-year-old Russian man named Vitaliy Toropov intrigued him.

Throughout emails Toropov offered the Hacking Team “my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well.” While Toropov said he never sold his Silverlight exploit the Hacking Team data dumps do show that the researcher and Hacking Team negotiated a successful sale of $45,000 for a Flash Exploit.

After completing his first sale with Hacking Team, Toropov, like all good businessman, tried to sell more to the Hacking Team, offering discounts if the surveillance company bought in bulk. He offered a $5,000 discount if they purchased a second zero-day from him and another $10,000 discount if the firm purchased a third.

Of course Raiu was instantly intrigued after reading that a critical 5-year-old bug in Silverlight may exist, and the words were coming from a well-vetted expert bug hunter. However Raiu had no idea where to start since he didn’t have the exploit code or know anything about what it targeted.

Torpov is a skilled bug hunter and exploit writer, who up until 2013 was an active participant in dozens of bug bounty programs, a type of program that allows hackers to scan websites for vulnerabilities and responsibility disclose them to the company for compensation. Between 2011 and 2013, Toropov had disclosed more than 40 vulnerabilities to these programs, according to a page on the Packet Storm Security site.

Howver in October of 2013 Toropov’s disclosures started to became scarce after he had disclosed two vulnerabilities in Silverlight to Microsoft. The same month when he began to market his exploits to the Hacking Team, including one Silverlight exploit he had kept from Microsoft in order to sell to customers who desired to breach targeted systems.

Of the two vulnerabilities one was a 2013 exploit that took advantage of invalid typecast and memory disclosure flaws in Silverlight leading to code execution. Toropov had provided a proof-of-concept attack and the flaws source code along with a well documented readme file highlighting the flaw.

“With exploit developers they have [code]libraries they build and they keep reusing them from one exploit to another in order to simplify their work,” Raiu wrote. “I said, what if his other Silverlight exploits are similar to this proof-of concept one he wrote in 2013?”

Toropov’s technique reveals 5-year-old Silverlight exploit

Researchers were convinced that they could find Toropov’s exploit in the wild by looking for patterns in his exploit techniques released in his proof-of-concept code.

Raiu used YARA, a tool designed by VirusTotal founder Victor Manual Alvarez, that allows users to search for malicious files that carry the same patterns of code across networks and systems. Kaspersky then created several YARA rules to detect the Silverlight exploit and found a match on a customer system exploited on November 25. There were enough details left behind that indicated the malware sample was one of Toropov’s exploits, although it may not be the same exploit he offered Hacking Team.

“There is no way to be sure and there might be several Silverlight exploits out there,” the researchers warned.

Did Toropov really write the exploit?

Wired reached out to Toropov to see if he had written the exploit that targets a BinaryReader bug in Silverlight. After disclosed technical details to him he said he wasn’t familiar the the vulnerability.

“I didn’t [know]about this particular BinaryReader bug,” Toropov wrote to wired. He further asked if the exploit included any code from his previous exploits, which it did.

“I would like to have this 0day, but unfortunately it’s not mine,” he said upon examination. “Anyway it was interesting to find the parts of my calc poc in this shellcode, thanks for sharing.”

His term “calc poc” refers to the calculator proof-of-concept code he published in 2013 for his previous Silverlight vulnerability he had disclosed to Microsoft.

Raiu says it doesn’t make sense for someone else to include Toropov’s public proof-of-concept code in their exploit, but its not out of the question. Whether or not the exploit was written by Toropov, Raiu still deserves recognition for discovering a highly-technical and critical bug.

Now that such a technique was proven successful, it may be possible to examine more code from Toropov’s previous exploits and uncover additional zero-days that may be active.