An exploit for a vulnerability in Microsoft Silverlight 5 is live in the wild and is being used to infect PCs that visit compromised or malicious websites.
Developed by Microsoft, Silverlight is a framework for rich Internet applications and in many ways can be compared to Flash, although the latter has become more dominant.
The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction. Microsoft patched the flaw (CVE-2013-0074) on March 12, 2013.
The Silverlight exploit was first spotted in the Angler exploit kit by @EKWatcher and later documented by Kafeine. The screenshot below summarizes the attack:
Screenshot courtesy of Kafeine http://malware.dontneedcoffee.com/2013/11/cve-2013-0074-silverlight-integrates.html
Upon landing on the exploit page, the Angler exploit kit will determine if Silverlight is installed and what version is running.
If the conditions are right, a specially crafted library is triggered to exploit the Silverlight vulnerability.
As with all exploit kits, leveraging vulnerabilities is just an intermediary step for the real motive: pushing malware to the victims' machine.
The Silverlight web plugin is not installed by default but is required to view content on certain websites.
As pointed out by Timo Hirvonen, Netflix, which has 40 million subscribers, requires Silverlight for its paid streaming video service.
Netflix requires Silverlight: https://t.co/2fjx3yNxFO. That's about 40 million potential victims for the Silverlight exploit in Angler EK.
— Timo Hirvonen (@TimoHirvonen) November 14, 2013

If you want to watch Netflix on your PC, you will need to use Silverlight. “If you do not already have Microsoft Silverlight plug-in installed, you will be prompted to download and install the free plug-in for your web browser. Just follow the instructions to get started,” reads Netflix's help text.
Fortunately, those who do not have the plugin yet will be redirected to download the latest (and safe) version.
However, those who already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk.
Please ensure that you are running the latest version available (5.1.20913.0) and that it is set to install updates automatically.
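For administrators who need to verify this across many machines, the following PowerShell check is an added example (not from the original post) that reads the installed Silverlight version and compares it against the fixed version (5.1.20125.0) and the latest version (5.1.20913.0) named above. It assumes Silverlight records its version in the "Version" value under HKLM\SOFTWARE\Microsoft\Silverlight (and the Wow6432Node path on 64-bit Windows).

```powershell
# Added example: flag Silverlight installs still exposed to CVE-2013-0074.
# Assumption: the installed version is stored in the "Version" value of
# HKLM\SOFTWARE\Microsoft\Silverlight (Wow6432Node for 32-bit on 64-bit Windows).
$FixedIn = [version]'5.1.20125.0'   # first version containing the fix
$Latest  = [version]'5.1.20913.0'   # latest version at the time of writing

$keys = 'HKLM:\SOFTWARE\Microsoft\Silverlight',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight'

$found = $false
foreach ($key in $keys) {
    $v = (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
    if (-not $v) { continue }
    $found = $true
    # Cast to [version] so 5.1.20913.0 compares numerically, not as a string
    $installed = [version]$v
    if ($installed -lt $FixedIn) {
        Write-Output "VULNERABLE: Silverlight $installed at $key is older than $FixedIn (CVE-2013-0074 unpatched)"
    } elseif ($installed -lt $Latest) {
        Write-Output "PATCHED but outdated: Silverlight $installed at $key; latest is $Latest"
    } else {
        Write-Output "OK: Silverlight $installed at $key"
    }
}
if (-not $found) { Write-Output "Silverlight not installed (no version key found)" }
```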
We can expect this CVE to be integrated into other exploit kits soon, so it is important to make sure you patch all your machines now.
Even if you don’t watch Netflix, you may have installed Silverlight in the past and forgotten about it. If you don’t need Silverlight (or other plugins), simply remove it altogether, as that will help reduce your attack surface.
Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.