Hacking Team Leak Leads to Discovery of Silverlight Zero-Day

One of the vulnerabilities patched by Microsoft on Tuesday with the first round of security bulletins for 2016 was a Silverlight zero-day which Kaspersky Lab identified in November as a result of an investigation into Hacking Team’s exploits.

The Silverlight flaw, identified as CVE-2016-0034, was patched with the MS16-006 critical bulletin. According to Microsoft, the remote code execution vulnerability can be exploited by an attacker via a website set up to host a specially crafted Silverlight application.

If an attacker can get a user to visit the malicious website and the exploit is successful, the attacker can obtain the same permissions as the victim. If the victim has administrative privileges, the attacker can take complete control of the vulnerable system, Microsoft said.

The story of how Kaspersky Lab discovered the Silverlight zero-day starts in July 2015, shortly after a hacker leaked hundreds of gigabytes of data, including exploits for zero-day vulnerabilities, from the systems of controversial Italy-based spyware maker Hacking Team.

Among the more than one million emails published by WikiLeaks after the breach, Ars Technica discovered communications between a then 33-year-old Russian exploit developer named Vitaliy Toropov and Hacking Team.

In 2013, Toropov sold an Adobe Flash Player exploit to Hacking Team for $45,000 and also offered to sell a Silverlight exploit that he claimed was written two and a half years prior and had still not been discovered. It’s unclear if Hacking Team acquired this Silverlight exploit from the hacker.

This mysterious Silverlight exploit caught the attention of Kaspersky Lab researchers who started analyzing Toropov’s exploits. The Russian hacker had published details and exploits for many of the vulnerabilities he identified, including a Silverlight memory disclosure issue found in 2013.

Since the description of this Silverlight bug was also accompanied by a proof-of-concept written by Toropov, Kaspersky researchers created a YARA rule designed to detect specific strings taken from a DLL file that implemented the exploit.

YARA is a tool that allows researchers to identify and classify malware based on textual or binary patterns that are described in what are known as YARA rules. Security firms often use YARA to identify and track threats, including APT actors.
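An added illustration, not Kaspersky's rule: a YARA rule of the kind the article describes, flagging a PE DLL that carries a set of distinctive error strings. The string values are placeholders (the real exploit's strings are not on this page), and the rule assumes the file is a .NET Silverlight assembly whose string literals are stored as UTF-16.

```yara
import "pe"

rule Example_Silverlight_Exploit_DLL_Strings
{
    meta:
        description = "Illustrative rule: PE DLL containing several distinctive custom error strings (placeholders)"
        reference   = "CVE-2016-0034 / MS16-006"
    strings:
        // PLACEHOLDERS: in a real rule these would be the exact error strings
        // lifted from the exploit DLL. .NET assemblies store literals as UTF-16,
        // so 'wide' is needed; 'ascii' also catches them if embedded as 8-bit.
        $err1 = "PLACEHOLDER_custom_error_string_1" ascii wide
        $err2 = "PLACEHOLDER_custom_error_string_2" ascii wide
        $err3 = "PLACEHOLDER_custom_error_string_3" ascii wide
    condition:
        uint16(0) == 0x5A4D and              // MZ header: only scan PE files
        pe.characteristics & pe.DLL and      // the exploit shipped as a DLL
        filesize < 2MB and                   // cheap bound to skip large binaries
        2 of ($err*)                         // require two strings to limit false positives
}
```

Requiring a combination of strings rather than any single one is what keeps such a rule quiet for months and then fires on a genuine sample, as the article describes.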

The YARA rule written by Kaspersky produced no matches until November 25, when a sample matching the description of the 2013 Silverlight exploit published by Toropov was detected on a user’s machine. Another sample of the exploit was uploaded later that day from Laos to a multiscanner service.

After analyzing the file, which had been compiled on July 21, 2015, shortly after the Hacking Team breach came to light, Kaspersky researchers determined that it was a new Silverlight exploit and reported it to Microsoft.

Microsoft says in its advisory that it’s unaware of any attacks attempting to exploit the vulnerability. However, Kaspersky Lab’s Costin Raiu told SecurityWeek that this is an inaccuracy which Microsoft plans on fixing.

It’s unclear if this flaw, which affects Silverlight versions prior to 5.1.41212.0, is the one that Toropov advertised in 2013.

“Several things make us think it’s one of [Toropov’s] exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one,” Kaspersky researchers wrote in a blog post.

*Updated with clarification from Costin Raiu that Microsoft’s advisory is inaccurate

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
