BreachExchange mailing list archives

Hackers Find Flaw in Microsoft Silverlight, Millions of Users Now at Risk [Updated]
From: Lee J <lee () riskbasedsecurity com>
Date: Sun, 17 Nov 2013 18:20:31 +1100

http://news.softpedia.com/news/Hackers-Find-Flaw-in-Microsoft-Silverlight-Millions-of-Users-Now-at-Risk-400666.shtml

Microsoft Silverlight users are again vulnerable to attacks, as hackers
have found a new way to infiltrate Windows computers through a flaw in
this particular software solution.

Malwarebytes Senior Security Researcher Jerome Segura found the flaw and
warned that cybercriminals across the world are using the Angler exploit
kit to break into computers running the vulnerable version of Silverlight.

It turns out that all builds prior to 5.1.20125.0 are vulnerable to
attacks, so it’s critical for all users to update to the latest version as
soon as possible.

“The flaw, which exists in versions prior to 5.1.20125.0, allows attackers
to execute arbitrary code on the affected systems without any user
interaction,” he was quoted as saying by V3.

“Upon landing on the exploit page, the Angler exploit kit will determine if
Silverlight is installed and what version is running. If the conditions are
right, a specially crafted library is triggered to exploit the Silverlight
vulnerability. As with all exploit kits, leveraging vulnerabilities is just
an intermediary step for the real motive: pushing malware onto the victim's
machine.”

At the same time, the security researcher warns that the Silverlight flaw
could soon be part of other exploit kits that would become more popular
among hackers looking for ways to break into Windows computers.

“We can expect this CVE to be integrated into other exploit kits soon, so
it is important to make sure you patch all your machines now. If you don't
need Silverlight – or other plugins – simply remove it altogether as that
will help to reduce your surface of attack,” he explained.

Silverlight is at this point used by millions of consumers across the
world, so it’s very important to install the latest version as soon as
possible. Until Microsoft rolls out more details on this, download
Microsoft Silverlight to stay on the safe side.

Update: Microsoft has told us that this vulnerability was actually patched
in March, so all users who applied the fixes should be on the safe side.
Redmond has confirmed however that exploit kits trying to use this
vulnerability are out there in the wild.

"We are aware of reports that an exploit kit has included a previously
patched Silverlight vulnerability. This issue was fully addressed in the
March Security Bulletin Release, via MS13-022 and customers with automatic
updates enabled are protected from this issue and do not need to take any
action," a company spokesperson said.
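As an added example (not code from the article, Malwarebytes or Microsoft), here is a small inventory check that flags machines whose Silverlight build is below the 5.1.20125.0 threshold the article gives. It compares version fields numerically rather than as strings, so a shorter version string such as "5.1.9" is not mistaken for a newer build; the hostnames and versions in the sample inventory are constructed for illustration.

```python
# Added example (not from the article): flag Silverlight installs older than the
# build the article names as fixed, 5.1.20125.0, using numeric (not string)
# comparison of dotted version strings. Inventory data below is constructed.
from typing import List, Tuple

FIXED_VERSION = "5.1.20125.0"  # first non-vulnerable build per the article


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.1.20125.0' into (5, 1, 20125, 0); missing trailing fields count as 0."""
    parts = [int(p) for p in v.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected Silverlight version string: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(installed: str) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def find_vulnerable_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """inventory: (hostname, silverlight_version) pairs; returns hosts needing the update."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory (hostnames and version values are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "5.1.20125.0"),  # the fixed build itself: not vulnerable
    ("ws-02", "5.1.10411.0"),  # an older 5.1 build: vulnerable
    ("ws-03", "5.1.9"),        # short string: sorts after "5.1.20125.0" as text, but is older
    ("ws-04", "5.1.30214.0"),  # newer than the fix: not vulnerable
    ("ws-05", "4.1.10329.0"),  # old major version: vulnerable
]

if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Silverlight below {FIXED_VERSION}; apply MS13-022 or remove the plugin")
```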
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Times Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
