SecurityWeek
Hacking Team Leak Leads to Discovery of Silverlight Zero-Day

One of the vulnerabilities patched by Microsoft on Tuesday with the first round of security bulletins for 2016 was a Silverlight zero-day which Kaspersky Lab identified in November as a result of an investigation into Hacking Team’s exploits.

The Silverlight flaw, identified as CVE-2016-0034, was patched with the MS16-006 critical bulletin. According to Microsoft, the remote code execution vulnerability can be exploited by an attacker via a website set up to host a specially crafted Silverlight application.

If an attacker can get a user to visit the malicious website and the exploit is successful, the attacker can obtain the same permissions as the victim. If the victim has administrative privileges, the attacker can take complete control of the vulnerable system, Microsoft said.

The story of how Kaspersky Lab discovered the Silverlight zero-day starts in July 2015, shortly after a hacker leaked hundreds of gigabytes of data, including exploits for zero-day vulnerabilities, from the systems of controversial Italy-based spyware maker Hacking Team.

Among the more than one million emails published by WikiLeaks after the breach, Ars Technica discovered communications between a then 33-year-old Russian exploit developer named Vitaliy Toropov and Hacking Team.

In 2013, Toropov sold an Adobe Flash Player exploit to Hacking Team for $45,000 and also offered to sell a Silverlight exploit that he claimed was written two and a half years prior and had still not been discovered. It’s unclear if Hacking Team acquired this Silverlight exploit from the hacker.

This mysterious Silverlight exploit caught the attention of Kaspersky Lab researchers who started analyzing Toropov’s exploits. The Russian hacker had published details and exploits for many of the vulnerabilities he identified, including a Silverlight memory disclosure issue found in 2013.

Since the description of this Silverlight bug was also accompanied by a proof-of-concept written by Toropov, Kaspersky researchers created a YARA rule designed to detect specific strings taken from a DLL file that implemented the exploit.

YARA is a tool that allows researchers to identify and classify malware based on textual or binary patterns that are described in what are known as YARA rules. Security firms often use YARA to identify and track threats, including APT actors.
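As an added illustration of the approach described above, and not Kaspersky's actual rule: a YARA rule that hunts for DLLs reusing strings from a published proof-of-concept. The string values are constructed placeholders, since the article does not reproduce the real ones, and the rule name is likewise made up.

```yara
import "pe"

rule silverlight_poc_string_reuse
{
    meta:
        description = "Hunts for DLLs that reuse strings lifted from a published Silverlight exploit PoC"
        note = "Illustrative rule; the string values are constructed placeholders, not the real ones"
    strings:
        // Placeholders standing in for the custom error strings taken from the PoC DLL.
        // 'wide ascii' covers both UTF-16 (.NET user strings) and plain ASCII encodings.
        $err1 = "PLACEHOLDER_CUSTOM_ERROR_STRING_1" wide ascii
        $err2 = "PLACEHOLDER_CUSTOM_ERROR_STRING_2" wide ascii
        // Silverlight applications are managed .NET assemblies, which reference mscorlib.
        $clr = "mscorlib" ascii
    condition:
        uint16(0) == 0x5A4D and             // MZ header: only consider PE files
        (pe.characteristics & pe.DLL) and   // restrict to DLLs, as the PoC was
        $clr and
        any of ($err*)
}
```

Once a rule like this is deployed to a sample feed or multiscanner, any hit is a candidate for the kind of manual analysis the article describes, since string reuse alone does not prove the sample is a new exploit.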

The YARA rule written by Kaspersky produced no matches until November 25, when a sample matching the description of the 2013 Silverlight exploit published by Toropov was detected on a user’s machine. Another sample of the exploit was uploaded later that day from Laos to a multiscanner service.

After analyzing the file, which had been compiled on July 21, 2015, shortly after the Hacking Team breach came to light, Kaspersky researchers determined that it was a new Silverlight exploit and reported it to Microsoft.

Microsoft says in its advisory that it’s unaware of any attacks attempting to exploit the vulnerability. However, Kaspersky Lab’s Costin Raiu told SecurityWeek that this is an inaccuracy which Microsoft plans on fixing.

It’s unclear if this flaw, which affects Silverlight versions prior to 5.1.41212.0, is the one that Toropov advertised in 2013.

“Several things make us think it’s one of [Toropov’s] exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one,” Kaspersky researchers wrote in a blog post.

*Updated with clarification from Costin Raiu that Microsoft’s advisory is inaccurate

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
