Zero-day vulnerability in Microsoft Silverlight

Improper input validation

On July 5, 2015, a large amount of data from one company was leaked to the Internet, with a hacker known as “Phineas Fisher” claiming responsibility for the breach.

Known malware:

Used in the Angler, Hunter, RIG and Sundown exploit kits.

Vulnerability details

Advisory: SB2016011203 - Remote code execution in Microsoft Silverlight

Vulnerable component: Microsoft Silverlight

CVE-ID: CVE-2016-0034

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper Input Validation


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error when parsing strings with a malicious decoder that can return negative offsets. A remote attacker can create specially crafted content, trick the victim into opening it, replace unsafe object headers with attacker-provided contents and execute arbitrary code with the privileges of the current user.
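The CWE-20 pattern described above, shown from the mitigation side as an added example (not Silverlight's code and not part of the advisory): a string reader that treats the count returned by a caller-supplied decoder as untrusted. The names `decode_fn`, `read_string` and the sample decoders are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder callback: writes up to out_cap chars, returns the count
 * written. The implementation is caller-supplied, so the count is untrusted. */
typedef int (*decode_fn)(const unsigned char *in, size_t in_len,
                         char *out, size_t out_cap);

/* Decodes `in` chunk by chunk into buf[0..cap). Returns the number of chars
 * stored, or -1 if the decoder reports a count that cannot be valid. */
int read_string(decode_fn dec, const unsigned char *in, size_t in_len,
                size_t chunk, char *buf, size_t cap)
{
    size_t pos = 0, off = 0;
    if (chunk == 0) return -1;
    while (off < in_len && pos < cap) {
        size_t n_in = in_len - off < chunk ? in_len - off : chunk;
        int n = dec(in + off, n_in, buf + pos, cap - pos);
        /* Without this check a negative count would move the write position
         * backwards, out of the buffer the reader owns. */
        if (n < 0 || (size_t)n > cap - pos)
            return -1;
        pos += (size_t)n;
        off += n_in;
    }
    return (int)pos;
}

/* Constructed sample decoders. */
int honest_decoder(const unsigned char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t n = in_len < out_cap ? in_len : out_cap;
    memcpy(out, in, n);
    return (int)n;
}
int negative_decoder(const unsigned char *in, size_t in_len, char *out, size_t out_cap)
{ (void)in; (void)in_len; (void)out; (void)out_cap; return -8; }
int oversize_decoder(const unsigned char *in, size_t in_len, char *out, size_t out_cap)
{ (void)in; (void)in_len; (void)out; return (int)out_cap + 1; }

int main(void)
{
    char buf[16];
    const unsigned char msg[] = "hello";
    printf("honest:   %d\n", read_string(honest_decoder, msg, 5, 2, buf, sizeof buf));
    printf("negative: %d\n", read_string(negative_decoder, msg, 5, 2, buf, sizeof buf));
    printf("oversize: %d\n", read_string(oversize_decoder, msg, 5, 2, buf, sizeof buf));
    return 0;
}
```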

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.
