Zero-day flaw discovered in Silverlight web app could endanger millions of users

A serious vulnerability has been discovered in multimedia web app Silverlight, putting countless devices at risk of remote attack.

Security firm Kaspersky Lab has discovered a zero-day vulnerability in Silverlight that could allow remote attacks to be conducted without user knowledge, including theft of sensitive information and surveillance activities.

Kaspersky Lab said Silverlight, a multimedia web application developed by Microsoft to support and display information-rich online content, is used across multiple browsers and operating systems, meaning “the attack vector could be quite large”.

The vulnerability, labelled CVE-2016-0034, was discovered after Ars Technica reported that a data breach suffered by Italian spyware and surveillance firm Hacking Team linked the firm to independent exploit writer Vitaliy Toropov.

Among the discoveries that surfaced when the Hacking Team breach occurred in July 2015 was the revelation that Toropov had tried to sell the firm a Microsoft Silverlight zero-day vulnerability.

Kaspersky Lab salvaged information about the vulnerability from the breach, and further research led the firm to a proof of concept posted by Toropov to the Open Source Vulnerability Database in 2013.

This provided the link between Toropov and the Hacking Team and enabled Kaspersky Lab to arrive at a series of unique string samples in the code that could be used to identify the exploits capitalising on the flaw.

After several months, one of Kaspersky Lab’s customers was targeted using code that contained some of the unique strings matching the samples.

Further analysis demonstrated that this exploit originated from a Silverlight vulnerability.

Kaspersky Lab reported its findings to Microsoft, and CVE-2016-0034 was patched in this month’s Microsoft Patch Tuesday on January 12th 2016.

Researchers at the security firm said that the exploit is likely to still be active in the wild, and Microsoft advised all Windows users to update their software as soon as possible.

“If Toropov tried to sell a zero-day exploit to Hacking Team, it was highly probable that he did the same with other spyware vendors,” the firm said.

“As a result of this activity, other cyber espionage campaigns could be actively using it in the wild to target and infect unsuspecting victims.”

Full details of Kaspersky Lab’s findings are available on the firm’s blog.
