Security researcher warns that cybercriminals are trying to exploit it right now

Nov 15, 2013 22:01 GMT

Microsoft Silverlight users are again vulnerable to attacks, as hackers have found a new way to infiltrate Windows computers through a flaw in the software.

Malwarebytes Senior Security Researcher Jerome Segura found the flaw and warned that cybercriminals across the world are using the Angler exploit kit to break into computers running the vulnerable version of Silverlight.

It turns out that all builds prior to 5.1.20125.0 are vulnerable to attacks, so it’s critical for all users to update to the latest version as soon as possible.

“The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction,” he was quoted as saying by V3.

“Upon landing on the exploit page, the Angler exploit kit will determine if Silverlight is installed and what version is running. If the conditions are right, a specially crafted library is triggered to exploit the Silverlight vulnerability. As with all exploit kits, leveraging vulnerabilities is just an intermediary step for the real motive: pushing malware onto the victim's machine.”

At the same time, the security researcher warns that the Silverlight flaw could soon be part of other exploit kits that would become more popular among hackers looking for ways to break into Windows computers.

“We can expect this CVE to be integrated into other exploit kits soon, so it is important to make sure you patch all your machines now. If you don't need Silverlight – or other plugins – simply remove it altogether as that will help to reduce your surface of attack,” he explained.

Silverlight is currently used by millions of consumers across the world, so it’s very important to install the latest version as soon as possible. Until Microsoft releases more details on this, download the latest version of Microsoft Silverlight to stay on the safe side.

Update: Microsoft has told us that this vulnerability was actually patched in March, so all users who applied the fixes should be on the safe side. Redmond has confirmed, however, that exploit kits trying to use this vulnerability are out there in the wild.

"We are aware of reports that an exploit kit has included a previously patched Silverlight vulnerability. This issue was fully addressed in the March Security Bulletin Release, via MS13-022 and customers with automatic updates enabled are protected from this issue and do not need to take any action," a company spokesperson said.