updated 10:22 pm EDT, Tue May 20, 2014
Microsoft's browser extension has less public awareness of malware attacks
Microsoft's web video and interactive cross-platform content plugin Silverlight is coming under increasing volume of attacks from hackers as of late, according to security reports. As the public awareness of Java and Flash flaws is increasing, Cisco's security researchers are finding an increasng number of systems affected by attacks focused on exploits of Microsoft's Silverlight, as users aren't aware of the increasing proliferation of malware for the platform, or even that they have the plug-in installed.
Cisco's researchers say that "Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft's life cycle schedule suggests Silverlight 5 will be supported through October 2021," making users of the plug-in numerous, and vulnerable.
The analysts go on to say that a particular malware campaign they looked at "uses a Silverlight file to trigger the same CVE-2013-3896 vulnerability, but packages the exploit differently and attempts obfuscation through AES encryption." The CVE-2013-3986 exploit was patched in January, but a large percentage of Silverlight users install the package and never update it, with some installs being years out of date.
Microsoft has bug mitigation programs in place, however, Silverlight does not self-update - and is often installed surreptitiously as part of other installs, such as Microsoft Office. Levi Gundert, technical lead from the Cisco researchers say that the security firm expects "these existing Silverlight exploits to proliferate through other exploit pack families in the near future as threat actors copy code from each other and release updates."