Kaspersky Lab discovers Silverlight zero-day vulnerability

The dangerous flaw existed in technology used to display multimedia online and allowed the complete takeover of vulnerable systems.
Written by Charlie Osborne, Contributing Writer

Kaspersky Lab has discovered a dangerous zero-day vulnerability in Silverlight, potentially placing millions of users at risk.

In a blog post on Wednesday, the cybersecurity firm said the vulnerability would allow an attacker to gain full access to a compromised computer and execute malicious code to steal secret information, conduct surveillance and cause wholesale destruction if they so wished.

Silverlight is a web application framework developed by Microsoft for supporting and displaying information-rich content on the Web. Used by millions of PC owners worldwide across different operating systems, it is not common for security flaws in the framework to be reported -- but vulnerabilities could prove calamitous.

The vulnerability, CVE-2016-0034, was discovered after Ars Technica revealed an alleged link between exploit and surveillance tool seller Hacking Team and Vitaliy Toropov, an independent exploit-writer.

According to files released in a debilitating data breach experienced by the exploit seller last year, Toropov had attempted to sell Hacking Team a Microsoft Silverlight zero-day vulnerability.

The four-year-old flaw might not have caught Hacking Team's interest, but it did capture Kaspersky's.

According to the security firm, research revealed Toropov was an active contributor to Open Source Vulnerability Database (OSVDB), and in 2013, the researcher had published a proof-of-concept (POC) describing the Silverlight bug.

Kaspersky says that through analysis, some unique strings in the code stood out and acted as the sample for the firm's detection technology to scour the Web for traces of attacks exploiting the vulnerability.

"If Toropov tried to sell a zero-day exploit to Hacking Team, it was highly probable that he did the same with other spyware vendors," Kaspersky says. "As a result of this activity, other cyber espionage campaigns could be actively using it in the wild to target and infect unsuspecting victims."

Eventually, one of the company's customers were targeted through code which held some of the code strings the researchers were looking for. After Kaspersky analyzed the attack, the team discovered it was exploiting an unknown bug in Silverlight. The issue was then reported to Microsoft.

Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab commented:

"Although we don't know if the exploit we discovered is in fact the one that was mentioned in the Ars Technica article, we have strong reasons to believe it is indeed the same.

Comparing the analysis of this file with the previous work of Vitaliy Toropov makes us think that the author of the recently discovered exploit, and the author of POCs published on OSVDB in the name of Toropov, is the same person. At the same time we do not completely exclude the possibility that we found yet another zero-day exploit in Silverlight."

The CVE-2016-0034 exploit has been patched in the latest Microsoft Patch Tuesday update issued on January 12, 2016. Microsoft Windows users are urged to update their systems as soon as possible.

CES 2016: Meet this year's weird, wonderful and worst tech

Read on: Top picks

Editorial standards