A new Microsoft Silverlight patch has gotten a lot more attention as security researchers claim the vulnerability may be the same as a Hacking Team zero day that could have been putting users at risk for years.
Costin Raiu, director of global research and analysis team at Kaspersky Lab, and Anton Ivanov, senior malware analyst also at Kaspersky Lab, said in a blog post that the investigation into the zero day began with a story about a Russian exploit developer, Vitaliy Toropov, who sold zero-day exploits to companies like Hacking Team.
Toropov was reportedly attempting to sell zero days for software like Adobe Flash, Java and Silverlight to Hacking Team in October of 2013. Kaspersky had found various Hacking Team zero-day exploits but wasn't able to find the Silverlight vulnerability exploited in the wild until it began tracking a Silverlight exploit posted by Toropov on OSVDB.
The Silverlight exploit was written in 2013, but a Kaspersky spokesperson told SearchSecurity that it couldn't check if the leaked Hacking Team archive had this exploit because "the Hacking Team emails are their intellectual property and [Kaspersky is] not allowed to legally read them" due to copyright issues.
After months of searching, Kaspersky detected a Silverlight exploit used in the wild in Laos. Kaspersky confirmed the zero day in late November/early December 2015 and disclosed it to Microsoft. A Silverlight patch was released as part of January 2016's Patch Tuesday release.
However, the bulletin for the Silverlight patch claimed that "Microsoft was unaware of any attack attempting to exploit this vulnerability."
Wolfgang Kandek, CTO of Qualys, said that knowing this vulnerability is being exploited in the wild makes it top priority for patching.
"[Kaspersky] made clear that this vulnerability is under attack in the wild and that we are looking at a true zero day here," Kandek wrote. "This changes our priorities -- we now put MS16-006 at the top of our list. Take a look at your installations, see if you have Silverlight installed and address the flaw as soon as possible."
A Kaspersky spokesperson told SearchSecurity that the Microsoft "bulletin contains an error, which is being corrected," but Microsoft refused to comment on the report and as of this publication, the Silverlight patch bulletin still does not acknowledge potential exploits in the wild.