Zero-day vulnerability in Microsoft Silverlight

Improper input validation
CVE-2016-0034

On July 5, 2015, a large amount of data from one company was leaked to the Internet with a hacker known as тАЬPhineas FisherтАЭ claiming responsibility for the breach.

Known malware:

Used in Angler, Hunter, RIG and Sundown Exploit Kit.

Vulnerability details

Advisory: SB2016011203 - Remote code execution in Microsoft Silverlight

Vulnerable component: Microsoft Silverlight

CVE-ID: CVE-2016-0034

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper input validation

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when parsing strings with a malicious decoder that can return negative offsets. A remote attacker can create a specially crafted content, trick the victim into opening it, replace unsafe object headers with contents provided by an attacker and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

External links:

https://technet.microsoft.com/en-us/library/security/MS16-006
https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-micro...
https://www.symantec.com/security_response/writeup.jsp?docid=2016-011507-1032-99
http://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-in-us-leads-to-angl...
http://www.broadanalysis.com/2016/03/21/silverlight-exploit-leads-to-teslacrypt-cve-2016-0034/
http://sensorstechforum.com/attack-involves-silverlight-exploit-cve-2016-0034-angler-ek-and-teslacry...
http://www.securityweek.com/hacking-team-leak-leads-discovery-silverlight-zero-day
http://www.securityweek.com/exploit-recently-patched-silverlight-flaw-added-angler
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%E2%80%93-Stealing-Its-Way-to-the-Top...
http://securityaffairs.co/wordpress/44774/cyber-crime/angler-ek-silverlight-exploit.html
https://blog.qualys.com/securitylabs/2016/01/14/hunting-for-vulnerable-functions-in-microsoft-silver...
http://www.zdnet.com/article/microsoft-silverlight-exploit-spotted-in-angler-kit/
http://www.zdnet.com/article/kaspersky-lab-discovers-silverlight-zero-day-vulnerability/
http://news.softpedia.com/news/hackers-wasted-their-time-adding-a-silverlight-exploit-to-the-angler-...
https://www.scmagazine.com/as-kaspersky-labs-researchers-predicted-exploits-of-silverlight-vulnerabi...
http://blog.morphisec.com/javascript-in-ie-overtakes-flash-as-number-one-target-for-angler-exploit-k...
https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-kit/116409/
https://arstechnica.com/security/2016/02/malicious-websites-exploit-silverlight-bug-that-can-pwn-mac...
http://www.darkreading.com/vulnerabilities---threats/kaspersky-caught-scent-of-silverlight-zero-day-...