Microsoft Silverlight exploit spotted in Angler kit

A dangerous exploit for a Silverlight vulnerability has been discovered in the popular Angler exploit kit.
Written by Charlie Osborne, Contributing Writer

Attacks based on a Microsoft Silverlight vulnerability have been discovered packaged away in the Angler exploit kit which is used worldwide to compromise computer systems.

The vulnerability, CVE-2016-0034, is a rare example of a vulnerability impacting Microsoft's Silverlight technology. Also assigned the name MS16-006, the Silverlight vulnerability affects both Windows and Mac systems and allows attackers to hijack a system if a user is logged in as an administrator.

Silverlight is an application and Web browser plugin which is a rival to Adobe Flash and used as a means to view content-rich media and animations on the Internet. Silverlight is compatible with major operating systems and browsers including Mozilla Firefox, Google Chrome and Apple Safari.

The Silverlight exploit was first spotted by Kaspersky after private exploit seller Hacking Team suffered a data breach which exposed a number of unknown vulnerabilities affecting popular software including Microsoft and Adobe products.

In January, Kaspersky Lab researcher Brian Bartholomew commented:

"It's a big deal; Silverlight vulnerabilities don's come around that often. Exploitation of the zero-day itself is fairly technical, but once a proof-of-concept falls into the hands of someone who knows what they're doing and reverse engineers the patch, it's not that difficult to produce a weaponized version of it."

In a post on Malware don't need Coffee, blogger Kafeine said they received confirmation from a number of security experts that attacks hidden within the recently updated Angler kit are based on CVE-2016-0034, which was patched by the Redmond giant in the January 2016 Patch Tuesday release, a little over a month ago.

The Angler exploit kit has increased in popularity following the death of Blackhole. The kit has been recorded on thousands of landing pages online, lying in wait until a victim clicks on a malicious link to these pages and unwittingly downloads the malware package.

Angler uses a variety of techniques to work out which attack is most likely to be successful to compromise a system, including anti-sandbox checks and poking around for browser vulnerabilities.

On 18 February this year, Kafeine realized the landing page of Angler had been tweaked to include a piece of code linked to Silverlight. If Silverlight is installed on an unpatched computer belonging to a potential victim who has visited a page containing the exploit kit, then a call is sent to drop malware which exploits the security flaw.


The malware in question that the Angler exploit kit drops is TeslaCrypt, which is a particularly nasty strain of ransomware. This family of malware enters systems through vulnerable software before locking systems and forcing victims to pay a ransom in virtual currency to retrieve access to their files.

See also: TeslaCrypt flaw opens the door to free file decryption

The researcher attempted the pass with Silverlight 5.1.41212.0 -- the latest, patched version -- and found that the pass was clean and their system remained safe from compromise.

In order to avoid becoming a victim of Angler's latest attack module, you should ensure your system is fully patched and up-to-date.

Top tips to stay safe on public Wi-Fi networks

Read on: Top picks

Editorial standards