SecurityWeek

Vulnerabilities

Hacking Team Leak Leads to Discovery of Silverlight Zero-Day

One of the vulnerabilities patched by Microsoft on Tuesday with the first round of security bulletins for 2016 was a Silverlight zero-day which Kaspersky Lab identified in November as a result of an investigation into Hacking Team’s exploits.


The Silverlight flaw, identified as CVE-2016-0034, was patched with the MS16-006 critical bulletin. According to Microsoft, the remote code execution vulnerability can be exploited by an attacker via a website set up to host a specially crafted Silverlight application.

If an attacker can get a user to visit the malicious website and the exploit is successful, the attacker can obtain the same permissions as the victim. If the victim has administrative privileges, the attacker can take complete control of the vulnerable system, Microsoft said.

The story of how Kaspersky Lab discovered the Silverlight zero-day starts in July 2015, shortly after a hacker leaked hundreds of gigabytes of data, including exploits for zero-day vulnerabilities, from the systems of controversial Italy-based spyware maker Hacking Team.

Among the more than one million emails published by WikiLeaks after the breach, Ars Technica discovered communications between a then 33-year-old Russian exploit developer named Vitaliy Toropov and Hacking Team.

In 2013, Toropov sold an Adobe Flash Player exploit to Hacking Team for $45,000 and also offered to sell a Silverlight exploit that he claimed was written two and a half years prior and had still not been discovered. It’s unclear if Hacking Team acquired this Silverlight exploit from the hacker.

This mysterious Silverlight exploit caught the attention of Kaspersky Lab researchers who started analyzing Toropov’s exploits. The Russian hacker had published details and exploits for many of the vulnerabilities he identified, including a Silverlight memory disclosure issue found in 2013.

Since the description of this Silverlight bug was also accompanied by a proof-of-concept written by Toropov, Kaspersky researchers created a YARA rule designed to detect specific strings taken from a DLL file that implemented the exploit.

YARA is a tool that allows researchers to identify and classify malware based on textual or binary patterns that are described in what are known as YARA rules. Security firms often use YARA to identify and track threats, including APT actors.
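As an added illustration of the approach described above (this is not Kaspersky's rule, and the string values are constructed placeholders, not the real exploit's error strings), a hunting rule of this shape pins the match to a PE DLL and requires several distinctive strings rather than one; `wide` matters because string literals in a managed Silverlight assembly are stored as UTF-16:

```yara
// Added example, not Kaspersky's rule. The $err strings are constructed
// placeholders standing in for the custom error strings of the 2013 PoC DLL.
import "pe"

rule silverlight_poc_dll_strings_example
{
    meta:
        description = "Illustrative hunting rule for a Silverlight exploit DLL"
        reference   = "CVE-2016-0034 / MS16-006 (string values are placeholders)"

    strings:
        // 'wide ascii' covers both UTF-16 (.NET user-string heap) and ANSI copies
        $err1 = "EXAMPLE_PLACEHOLDER: sandbox escape failed" wide ascii
        $err2 = "EXAMPLE_PLACEHOLDER: unexpected heap layout" wide ascii
        $err3 = "EXAMPLE_PLACEHOLDER: target object not found" wide ascii

    condition:
        uint16(0) == 0x5A4D and           // "MZ" header: only consider PE files
        pe.characteristics & pe.DLL and   // the exploit was shipped as a DLL
        2 of ($err*)                      // several strings together, to cut false positives
}
```

Rules like this are meant for retrospective hunting over large sample collections, so requiring a file-type anchor plus a combination of strings is what keeps a rule quiet for years until a genuine match appears.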

The YARA rule written by Kaspersky didn’t produce any matches until November 25, when a sample matching the description of the 2013 Silverlight exploit published by Toropov was detected on a user’s machine. Another sample of the exploit was uploaded later that day from Laos to a multiscanner service.

After analyzing the file, which had been compiled on July 21, 2015, shortly after the Hacking Team breach came to light, Kaspersky researchers determined that it was a new Silverlight exploit and reported it to Microsoft.

Microsoft says in its advisory that it’s unaware of any attacks attempting to exploit the vulnerability. However, Kaspersky Lab’s Costin Raiu told SecurityWeek that this is an inaccuracy which Microsoft plans on fixing.

It’s unclear if this flaw, which affects Silverlight versions prior to 5.1.41212.0, is the one that Toropov advertised in 2013.

“Several things make us think it’s one of [Toropov’s] exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one,” Kaspersky researchers wrote in a blog post.

*Updated with clarification from Costin Raiu that Microsoft’s advisory is inaccurate

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
