Hacking Team's Leak Helped Researchers Hunt Down a Zero-Day

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-find-zero-day-exploit/

By Kim Zetter
Security
Wired.com
01/13/16

ZERO-DAY EXPLOITS ARE a hacker’s best friend. They attack vulnerabilities 
in software that are unknown to the software maker and are therefore 
unpatched. Criminal hackers and intelligence agencies use zero day 
exploits to open a stealth door into your system, and because antivirus 
companies also don’t know about them, the exploits can remain undetected 
for years before they’re discovered. Until now, they’ve usually been 
uncovered only by chance.

But researchers at Kaspersky Lab have, for the first time, discovered a 
valuable zero-day exploit after intentionally going on the hunt for it. 
And they did so by using only the faintest of clues to find it.

The malware they found is a remote-code execution exploit that attacks a 
vulnerability in Microsoft’s widely used Silverlight software—a browser 
plug-in Netflix and other providers use to deliver streaming content to 
users. It’s also used in SCADA and other industrial control systems that 
are installed in critical infrastructure and industrial facilities.

The vulnerability, which Microsoft called “critical” in a patch released 
to customers on Tuesday, would allow an attacker to infect your system 
after getting you to visit a malicious website where the exploit 
resides—usually through a phishing email that tricks you into clicking on 
a malicious link. The attack works with all of the top browsers except 
Chrome—but only because Google removed support for the Silverlight plug-in 
in its Chrome browser in 2014.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/