14 DAY TRIAL // A Silverlight zero-day bug discovered by Kaspersky researchers and patched by Microsoft at the start of January has been spotted in the wild, having recently been added to some Angler Exploit Kit versions.
The zero-day, CVE-2016-0034, affects all Silverlight versions up to 5.1.41105.0 and was patched in Microsoft's MS16-006 security bulletin.
The vulnerability has an interesting story behind it and was discovered after two Kaspersky researchers decided to follow a hunch and investigate a lead they had from the Hacking Team data breach.
Silverlight zero-day was supposed to be sold to the Hacking Team
The two eventually found remnants of some Silverlight exploit code hosted somewhere online, and with the help of Kaspersky's security software infrastructure, they detected exploits used in the wild during the past year.
As we and other security news sites wrote about their discovery and Microsoft's recent patch, the presence of this highly dangerous bug was also brought to the attention of not-so-well-intended coders.
According to the unnamed security researcher that runs the Malware don't need coffee blog, the CVE-2016-0034 bug has been recently detected in some Angler Exploit Kit versions, fact confirmed by one of the security researchers that discovered the bug in the first place.
Angler operators wasted their time
With a market share that peaked at 64% back in 2011, Silverlight doesn't attract the same installation numbers these days as you'd think.
Even Java has more users than Silverlight, something that Microsoft knows and was one of the reasons it recommended users and businesses to stop installing it last summer.
With one leg out the door of Microsoft's ecosystem, it is quite curious that Angler's coders bothered to add this zero-day to Angler's arsenal since the return will be so small.
Nevertheless, users should oblige Microsoft's advice and uninstall Silverlight from their systems.
CVE-2016-0034 in Angler. Overriden GetChars method in decrypted Silverlight exploit. pic.twitter.com/nnFV8F7jBv — Anton Ivanov (@antonivanovm) February 22, 2016