Experts are warning that older versions of Silverlight are being exploited right now

May 21, 2014 15:16 GMT

Users who are running Microsoft Silverlight are strongly advised to update the software to the newest version, as security companies are seeing an increase in the number of attacks designed to exploit old vulnerabilities.

Cisco issued a statement this week warning that there is evidence that Angler, an exploit kit previously developed to take advantage of some old vulnerabilities in Silverlight, is again being used in a new wave of attacks.

According to Cisco Information Security Researcher Levi Gundert, Angler relies on a tactic called malvertising, in which malicious code is injected into ads displayed on legitimate websites.

“Silverlight exploits are the drive-by flavor of the month. In this particular Angler campaign, the attack is more specifically targeted at Flash and Silverlight vulnerabilities, and though Java is available and an included reference in the original attack landing pages, it's never triggered,” he said.

It appears that only older versions of Silverlight are being exploited right now, so users who are running the newest version are not affected by these attacks. Those who are still using outdated builds should update as soon as possible, Gundert recommended.

“Unfortunately, we observe extensive global DNS requests for the Angler landing pages, indicating that this campaign is largely succeeding... due to [each victim's] failure to upgrade their system's applications.”

Security company Trustwave has also confirmed that Silverlight attacks have skyrocketed recently and has warned that the same exploit kits spotted in previous waves are being used again now.

“Within a month, Silverlight became the most popular target for exploitation. To make matters worse, integrating this exploit into a kit was so simple that developers could use the same .dll file across all versions. They merely added their own methods of obfuscation and evasion to the code,” the company warned, according to Dark Reading.

The latest version of Silverlight is 5.1.30214.0 and was released by Microsoft on March 11, as part of the company's Patch Tuesday rollout that month.

The new build brought several security improvements, including support for Internet Explorer 11 Enhanced Protected Mode (EPM) and reporting of unavailable features. At the same time, it fixed an issue that could allow the bypass of the protection systems implemented in the app and thus expose users' data to online attacks.

Everyone is advised to update to this new version as soon as possible, so download Microsoft Silverlight 5.1.30214.0 right now to make sure that you're protected against these exploits.