
Are Silverlight Zero-Days the New Flash Vulnerabilities?

A question security engineers are currently facing concerns Microsoft's Silverlight. As you may have noticed, Microsoft just patched a critical vulnerability in Silverlight on the January 12 Patch Tuesday:

MS16-006: Security Update for Silverlight to Address Remote Code Execution, also available as KB 3126036

This is the official description of MS16-006 given by MS in the security bulletin:

This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. An attacker would have no way to force users to visit a compromised website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or instant message that takes users to the attacker’s website.


What troubles security experts, like the researchers at Kaspersky Lab, is that even though Silverlight exploits have been used in a small number of attacks, it will not take long before such attacks become widespread. As experts have pointed out, Microsoft has said little about the exploits of Silverlight.

Why are Silverlight vulnerabilities a potential threat?

Silverlight vulnerabilities may be all too similar to security bugs in Flash Player. They would allow well-trained malware actors to attack victims running various browsers and platforms. Researchers at Kaspersky have observed such attacks, and for now attackers target only Windows computers. However, with only a few adjustments, attackers could begin targeting Mac OS X and other platforms. What would generally happen is that a user is tricked by a spear-phishing scheme or becomes a victim of a drive-by download. In both scenarios, the malware actor would have dropped a malicious Silverlight app on a vulnerable web server.

Why is the Silverlight exploit such a big deal? This is what Kaspersky Lab’s researcher Brian Bartholomew says:

It’s a big deal; Silverlight vulnerabilities don’t come around that often. Exploitation of the zero day itself is fairly technical, but once a proof-of-concept falls into the hands of someone who knows what they’re doing and reverse engineers the patch, it’s not that difficult to produce a weaponized version of it.

Moreover, an exploit applied in targeted attacks could also be ‘forwarded’ to currently active exploit kits and made available for various malicious operations.

The Silverlight bug was reported to Microsoft by Kaspersky Lab’s researchers Costin Raiu and Anton Ivanov. Their attention was caught by an email sent by a Russian hacker (Vitaliy Toropov) to Hacking Team during their infamous breach, claiming that he had a Silverlight zero-day vulnerability for sale. Moreover, the bug was at least two years old in 2013. The hacker even believed that the zero-day could go undetected for a longer period.

This is part of the communication with Vitaliy published by ArsTechnica:

I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well.

Is the patched Silverlight exploit the only one?

According to Bartholomew, Kaspersky’s researchers found an older Silverlight vulnerability and proof of concept that was also credited to Toropov and was submitted to Packet Storm (a security information portal). The archive could be downloaded and contained enough information for Kaspersky to write a YARA rule for the DLL file that triggered the exploit.

What Is YARA?
YARA is a tool mainly used by malware researchers to identify and classify malware samples. YARA is applied to create descriptions of malware families based on textual or binary patterns. Every description (or rule) is a set of strings.

Once the YARA rule was ready, it was deployed to Kaspersky’s customer computers. Everything seemed to be okay until late November 2015. That is when an alert was triggered on a user’s computer by one of the generic detections for the 2013 exploit. Analysis showed that the malicious file was created on July 21, almost two weeks after the Hacking Team breach took place and the stolen data was made public online. The exploit was reported to Microsoft and was patched in the January 12, 2016 Patch Tuesday.

What remains unclear to researchers is whether the patched zero day exploit is the same one disclosed by the Hacking Team breach (the one proposed for sale by Toropov), or a new exploit written afterwards.

Kaspersky’s Bartholomew says there are similarities in both samples that point to Toropov:

“Not many people write Silverlight zero days, so the field is narrowed significantly,” Bartholomew said. “On top of that, there are some error strings used in his old exploit from 2013 that we latched on to and thought were unique. These were the basis of our rule.”
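To make the idea of a string-based rule concrete, here is an added sketch of a YARA rule keyed to a set of distinctive error strings in a DLL. It is not Kaspersky's rule and not part of the original article: the rule name, the size bound and all three strings are constructed placeholders standing in for the real, unpublished indicators.

```yara
rule Example_Reused_Error_Strings_In_DLL
{
    meta:
        description = "Added illustration: PE file reusing a set of distinctive error strings"
        note = "Strings are constructed placeholders, not real indicators"

    strings:
        // Placeholder error messages standing in for the author-specific strings.
        // 'wide' matches UTF-16LE, the encoding of string literals in a .NET
        // assembly such as a Silverlight DLL; 'ascii' also matches the same
        // text if it appears as plain single-byte characters.
        $err1 = "PLACEHOLDER_ERROR_STRING_1" ascii wide
        $err2 = "PLACEHOLDER_ERROR_STRING_2" ascii wide
        $err3 = "PLACEHOLDER_ERROR_STRING_3" ascii wide

    condition:
        // File starts with the "MZ" header of a PE executable or DLL.
        uint16(0) == 0x5A4D and
        // Assumed upper size bound, to skip large unrelated files cheaply.
        filesize < 2MB and
        // Any two of the three strings: a later variant that drops or edits
        // one message still triggers this generic detection.
        2 of ($err*)
}
```

Because the condition depends on leftover text rather than on the exploited bug, a rule of this shape can fire on a new exploit that reuses the same error handling, which matches the kind of generic detection the article describes.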

Finally, the dangerous thing about Silverlight zero-day exploits is that they have the potential to become widespread.



Milena Dimitrova
