One question that security engineers are currently facing concerns Microsoft’s Silverlight. As you may have noticed, MS just patched a critical vulnerability in Silverlight in January 12’s Patch Tuesday:
MS16-006: Security Update for Silverlight to Address Remote Code Execution, also available as KB 3126036
This is the official description of MS16-006 given by MS in the security bulletin:
This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. An attacker would have no way to force users to visit a compromised website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or instant message that takes users to the attacker’s website.
What troubles security experts, like the researchers at Kaspersky Lab, is that even though Silverlight exploits have so far been used in only a small number of attacks, it will not take long before such attacks become widespread. As the experts point out, Microsoft has said little about the exploitation of Silverlight.
Why are Silverlight vulnerabilities a potential threat?
Silverlight vulnerabilities may be all too similar to security bugs in Flash Player. They would allow well-trained malware actors to attack victims running various browsers and platforms. Researchers at Kaspersky have observed such attacks, and for now attackers target only Windows computers. However, with only a few adjustments, attackers could begin targeting Mac OS X and other platforms. What would generally happen is that a user is tricked by a spear-phishing scheme or becomes the victim of a drive-by download. In both scenarios, the malware actor would first have dropped a malicious Silverlight app on a vulnerable web server.
Why is the Silverlight exploit such a big deal? This is what Kaspersky Lab’s researcher Brian Bartholomew says:
It’s a big deal; Silverlight vulnerabilities don’t come around that often. Exploitation of the zero day itself is fairly technical, but once a proof-of-concept falls into the hands of someone who knows what they’re doing and reverse engineers the patch, it’s not that difficult to produce a weaponized version of it.
Furthermore, an exploit applied in targeted attacks could also be ‘forwarded’ to currently active exploit kits and made available for various malicious operations.
The Silverlight bug was reported to Microsoft by Kaspersky Lab’s researchers Costin Raiu and Anton Ivanov. Their attention was caught by an email sent by a Russian hacker (Vitaliy Toropov) to Hacking Team during their infamous breach, claiming that he had a Silverlight zero-day vulnerability for sale. Moreover, the bug was at least two years old in 2013. The hacker even believed that the zero-day could go undetected for a longer period.
This is part of the communication with Vitaliy published by ArsTechnica:
I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well.
Is the patched Silverlight exploit the only one?
According to Bartholomew, Kaspersky’s researchers found an older Silverlight vulnerability and proof of concept that was also credited to Toropov and was submitted to Packet Storm (a security information portal). The archive could be downloaded and contained enough information for Kaspersky to write a YARA rule for the DLL file that triggered the exploit.
What Is YARA?
YARA is a tool used mainly by malware researchers to identify and classify malware samples. It is used to create descriptions of malware families based on textual or binary patterns. Each description (or rule) is a set of strings together with a condition that states which of them must be found for the rule to match.
Once the YARA rule was ready, it was deployed to Kaspersky’s customer computers. Everything seemed to be quiet until late November 2015, when an alert was triggered on a user’s computer by one of the generic detections for the 2013 exploit. Analysis showed that the malicious file had been created on July 21, almost two weeks after the Hacking Team breach took place and the stolen data was made public online. The exploit was reported to Microsoft and was patched in the January 12, 2016 Patch Tuesday.
What remains unclear to researchers is whether the patched zero day exploit is the same one disclosed by the Hacking Team breach (the one proposed for sale by Toropov), or a new exploit written afterwards.
Kaspersky’s Bartholomew says there are similarities in both samples that point to Toropov:
“Not many people write Silverlight zero days, so the field is narrowed significantly,” Bartholomew said. “On top of that, there are some error strings used in his old exploit from 2013 that we latched on to and thought were unique. These were the basis of our rule.”
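To illustrate the mechanics of the string-based detection described in the two passages above (a rule built from error strings that are unique to the exploit DLL), here is an added example of a minimal YARA-style matcher in pure Python. It is not Kaspersky’s rule and not part of the original article; the error strings, rule name and sample buffers are constructed placeholders, and the only assumption is that the target is a PE/.NET DLL, which is why the rule also checks for the MZ header and matches the UTF-16LE (“wide”) form of each string.

```python
# Added example (not Kaspersky's rule): a minimal YARA-style string matcher.
# The "error strings" are constructed placeholders for the unique strings the
# text describes. A .NET DLL stores string literals as UTF-16LE, so each
# pattern is also matched in that "wide" form, as YARA's wide modifier does.
import re
from dataclasses import dataclass


@dataclass
class StringPattern:
    name: str
    text: str
    wide: bool = False  # also match the UTF-16LE form

    def encodings(self) -> list:
        forms = [self.text.encode("ascii")]
        return forms + [self.text.encode("utf-16-le")] if self.wide else forms


@dataclass
class Rule:
    name: str
    strings: list
    require_all: bool = True  # "all of them" vs "any of them"

    def scan(self, data: bytes) -> dict:
        # Map each pattern name to the sorted offsets where it occurs in data
        hits = {}
        for pat in self.strings:
            offs = sorted(m.start() for enc in pat.encodings()
                          for m in re.finditer(re.escape(enc), data))
            if offs:
                hits[pat.name] = offs
        return hits

    def matches(self, data: bytes) -> bool:
        # Equivalent of: uint16(0) == 0x5A4D and all of them (or any of them)
        if data[:2] != b"MZ":  # only PE files, like the DLL in the text
            return False
        hits = self.scan(data)
        return len(hits) == len(self.strings) if self.require_all else bool(hits)


SILVERLIGHT_RULE = Rule("silverlight_exploit_dll_placeholder", [
    StringPattern("err1", "PLACEHOLDER_ERROR_1", wide=True),
    StringPattern("err2", "PLACEHOLDER_ERROR_2", wide=True)])
# Constructed samples: MZ header, filler, then the strings stored UTF-16LE.
SAMPLE_HIT = (b"MZ" + b"\x00" * 62 + "PLACEHOLDER_ERROR_1".encode("utf-16-le")
              + b"\x00" * 8 + "PLACEHOLDER_ERROR_2".encode("utf-16-le"))
SAMPLE_MISS = b"MZ" + b"\x00" * 62 + "PLACEHOLDER_ERROR_1".encode("utf-16-le")
```

The same logic shows the weakness of this kind of rule: a variant that renames the error strings no longer trips `require_all`, which is why such rules are usually paired with other generic detections.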
Finally, the dangerous thing about Silverlight zero-day exploits is that they have the potential to become widespread.