Security researchers reported that a recently fixed vulnerability in Microsoft’s Silverlight application framework has been exploited by some compromised websites to perform drive-by malware attacks on vulnerable visitor devices.
The critical code-execution vulnerability, which Microsoft patched a month ago, was actively exploited for two years in attack code owned by Italy-based exploit broker Hacking Team.
The Silverlight exploit surfaced as a result of the attack on Hacking Team’s network, which exposed gigabytes’ worth of private e-mails and other data. Later on, security experts with the Russian antivirus provider Kaspersky Lab discovered the vulnerability being exploited in the wild and privately informed Microsoft.
Currently, the exploit code for the patched vulnerability is being distributed through Angler, which is one of several toolkits that hackers use to seed websites with code that carries out drive-by attacks.
This week, the Silverlight attack was noticed by a security researcher who goes by the moniker Kafeine. The vulnerability is indexed as CVE-2016-0034.
Although Kafeine’s post does not specify exactly which platforms are being targeted, Microsoft has been clear that exploits can remotely execute malicious code on both unpatched Windows and OS X devices.
It is also not yet clear whether the Angler exploit was developed by reverse engineering the patch Microsoft released in January or whether Angler developers obtained the code already available through Hacking Team.
Even though Silverlight vulnerabilities aren’t as numerous as security bugs in Adobe’s Flash or Oracle’s Java, the discovery made by Kafeine shows that the Microsoft framework has the potential to endanger a broad base of people using both Windows and OS X.
Users who can browse the Internet without Silverlight would do better to uninstall it. Everyone else should update Silverlight once the patches become available. Patched versions are 5.1.41212.0 or higher.