A Microsoft Silverlight security vulnerability is something of a rarity. The application framework may be similar to Adobe Flash, but it does not contain nearly as many security vulnerabilities. In fact, it is exceptionally rare for a bug to be discovered. In this case, Kaspersky Lab identified a security flaw that could potentially allow remote code execution.
Microsoft has now addressed the security flaw (CVE-2016-0034) in its latest MS16-006 patch, which was released on Tuesday. Kaspersky Lab has now published an analysis of the security flaw.
It is essential for the patch to be installed. While the vulnerability is not believed to have already been exploited, it is possible for the patch to be reverse engineered. According to Brian Bartholomew of Kaspersky Lab, “it’s not that difficult to produce a weaponized version of it.”
Rare Microsoft Silverlight security vulnerability investigated by Kaspersky Lab researchers
Kaspersky Lab researchers may not have been the first people to have discovered the Microsoft Silverlight security vulnerability. They decided to investigate a potential Microsoft Silverlight security vulnerability that had allegedly been discovered by Russian hacker Vitaliy Toropov. He claimed to have written an exploit for the vulnerability, which he was trying to get Hacking Team to buy. At the time, Hacking Team was more interested in Adobe Flash zero-day exploits and ignored the Microsoft Silverlight security vulnerability.
Kaspersky Lab decided to investigate due to the potential damage that could be caused by a Silverlight bug. The vulnerability could potentially be used to attack both Windows and OS X devices running Microsoft Silverlight 5 or Microsoft Silverlight 5 Developer Runtime. Users could be targeted with a phishing email and convinced to visit a website where a drive-by download would occur and load a malicious Silverlight application, regardless of the browser they were using.
Kaspersky Lab did discover the security vulnerability, although it is not known whether it is the same vulnerability that Toropov had managed to develop an exploit for. However, it is one less security issue to worry about now that it has been patched by Microsoft.