Nearly ubiquitous browser plug-ins like Java and Flash have long been abused by attackers, but according to one researcher, Microsoft's lesser known Silverlight video player plug-in is playing an increasingly prominent role in exploit kits, potentially leaving enterprise users vulnerable to malware infections, remote code execution and more.
Craig Williams, senior technical leader at Cisco, said he first took note of a rise in Silverlight security issues in January when researching Fiesta, an exploit kit that relied on a typical drive-by attack to lure victims to websites, scan their systems for potentially vulnerable browser plug-ins and then deliver an exploit for the suspect plug-in. As with most modern exploit kits, Williams said that Fiesta relied on Java-based exploits, most of which had been previously patched.
Not so typical, however, was that nearly 10% of the total exploits served by Fiesta were Silverlight-based, Williams noted. When Cisco analyzed the Angler exploit kit in April and May, Java was actually sidelined while attackers focused on exploiting Flash and, to a lesser extent, Silverlight. Angler was also spotted using a security feature bypass to exploit a Silverlight vulnerability, CVE-2013-0074, that Microsoft had patched in March.
That trend continued with the RIG exploit kit. When monitored in April and May, Java exploits made up nearly half of the landing page requests for RIG, he said, but more noteworthy was the 30% of requests that served up Silverlight exploits.
As for why Silverlight is gaining more attention from attackers, Williams cited multiple reasons. First, a vast majority of the Cisco-monitored Silverlight exploits were aimed at U.S.-based users, a statistic that Williams found unsurprising considering the huge amount of Internet traffic generated in the U.S. by the Silverlight-based online streaming service Netflix. Though Silverlight is commonly linked to Netflix, Williams emphasized that Silverlight is often found in enterprise settings as well, including internal meeting systems, conference systems and more. Even if that weren't the case, enterprise IT teams must still be wary of Silverlight as traveling users will often watch Netflix on corporate devices, he added.
In general, Williams said that the security industry has gotten much better in recent years at detecting exploits against the most common browser-based attack vectors. For instance, when researching Fiesta, Cisco researchers analyzed all URLs associated with the exploit kit and compared them against a number of antivirus systems. That process showed that Java-based exploits were the most commonly detected attack vector in the kit, and that AV engines were able to detect them through heuristic means -- a fact that Williams said shows that the industry understands how Java exploits function and how to spot them.
Indeed, despite Silverlight playing a reasonably significant part in Fiesta, none of the top 30 exploits spotted by the AV analysis targeted Microsoft's plug-in. For Williams, the takeaway from the research was clear: Attackers are hedging their bets as Java, Flash and other stalwart attack vectors receive more attention.
"So we see attackers moving away from some of these larger, widely exploited vectors," said Williams, "and it's not to say they're not still in the lead. They absolutely are, but there is a small, slow shift toward other vectors like Silverlight. I think what we're seeing here is the tip of the iceberg."
Microsoft had not commented as of publication.
Williams said that there are a few different measures enterprise security teams can take to secure users against Silverlight exploits. Depending on the environment, a company could simply ban the plug-in from its IT image. Enterprises can also use security devices to block such attacks, though considering the trouble AV systems had spotting Silverlight-based exploits, Williams said that both network- and endpoint-based products will need to be used as part of a layered security strategy.
Fiesta in particular used dynamic DNS sites to give the appearance of being a much larger botnet, with six actual IP addresses hiding behind 300 dynamic domain names. Considering that traffic from dynamic DNS sites has a much higher likelihood of being malicious, Williams said enterprises should consider putting systems in place to monitor and block that traffic.
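The "many dynamic-DNS names, few real IPs" pattern Williams describes is something a defender can surface from ordinary resolver logs. The following is an added example written for this page (not code from Cisco, the article, or the Fiesta analysis): it parses a constructed set of DNS query log lines, tags names that fall under an assumed watchlist of dynamic-DNS provider zones (placeholder `.test` names; a real deployment would populate the list from its own intelligence), and groups the tagged names by the address they resolved to, so that several unrelated-looking hostnames collapsing onto one IP stand out as a candidate for blocking or investigation.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the article): timestamp, client,
# queried name, record type, resolved address.
SAMPLE_LOG = """\
2014-06-02T10:01:12Z 10.1.4.22 query ads.example-news.test A 203.0.113.7
2014-06-02T10:01:13Z 10.1.4.22 query x7f2k.dyn-provider-a.test A 198.51.100.5
2014-06-02T10:01:14Z 10.1.4.22 query q9m1z.dyn-provider-a.test A 198.51.100.5
2014-06-02T10:02:30Z 10.1.4.31 query cdn.example-news.test A 203.0.113.9
2014-06-02T10:02:31Z 10.1.4.31 query b3t8c.dyn-provider-b.test A 198.51.100.5
2014-06-02T10:03:02Z 10.1.4.40 query mail.corp.test A 10.20.0.5
2014-06-02T10:03:45Z 10.1.4.40 query hh0ss.dyn-provider-b.test A 198.51.100.6
2014-06-02T10:04:10Z 10.1.4.22 query k2k2k.dyn-provider-a.test A 198.51.100.6
"""

# Assumed watchlist of dynamic-DNS provider zones. These are placeholders;
# a real deployment would load its own list of provider apex domains.
DYNAMIC_DNS_ZONES = ("dyn-provider-a.test", "dyn-provider-b.test")

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) A (\S+)$")


def parse_log(text):
    """Turn the log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, name, ip = m.groups()
            records.append({"ts": ts, "client": client, "name": name, "ip": ip})
    return records


def is_dynamic_dns(name):
    """True if the name is a watchlisted zone or a subdomain of one.

    The '.' prefix in the endswith check stops 'notdyn-provider-a.test'
    from matching 'dyn-provider-a.test'.
    """
    name = name.lower().rstrip(".")
    return any(name == zone or name.endswith("." + zone) for zone in DYNAMIC_DNS_ZONES)


def find_dynamic_dns_clusters(records, min_names=2):
    """Group watchlisted names by resolved IP and return the IPs that front
    at least `min_names` distinct hostnames, with the clients that queried them."""
    names_by_ip = defaultdict(set)
    clients_by_ip = defaultdict(set)
    for r in records:
        if is_dynamic_dns(r["name"]):
            names_by_ip[r["ip"]].add(r["name"])
            clients_by_ip[r["ip"]].add(r["client"])
    clusters = []
    for ip in sorted(names_by_ip):
        if len(names_by_ip[ip]) >= min_names:
            clusters.append({
                "ip": ip,
                "names": sorted(names_by_ip[ip]),
                "clients": sorted(clients_by_ip[ip]),
            })
    return clusters


def block_candidates(clusters):
    """Flatten the clusters into the set of hostnames to feed a block list."""
    return {name for c in clusters for name in c["names"]}


if __name__ == "__main__":
    found = find_dynamic_dns_clusters(parse_log(SAMPLE_LOG))
    for c in found:
        print(f"{c['ip']} fronts {len(c['names'])} dynamic-DNS names, "
              f"queried by {len(c['clients'])} client(s): {', '.join(c['names'])}")
    print("block candidates:", sorted(block_candidates(found)))
```

In the constructed sample, two addresses each front names from two different dynamic-DNS providers, which is the shape of the six-IPs-behind-300-names arrangement the article attributes to Fiesta; the per-IP client list also tells an incident responder which endpoints to look at first.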
Williams stressed that at least in the cases of Fiesta, Angler and RIG, attackers used "malvertising" -- the compromising of legitimate online ad networks -- to steer users from high-traffic websites to the malicious webpages hosting the exploits. That means users don't need to visit questionable websites to be put in danger, he said, so the best bet for fending off malvertising attacks is to instruct users to either patch or disable vulnerable plug-in instances.
"They're getting these ads anywhere. Any site that has a high viewership is one that an attacker may target for Silverlight exploits," said Williams. "So the reality is you can't simply be saved by following browsing best practices."
Silverlight security may become more problematic in the near future, but other browser plug-ins are just as vulnerable. Resident expert Michael Cobb explains how enterprises can mitigate browser plug-in threats.