
Silverlight security: Defending against browser plug-in attacks

Silverlight security has been called into question following recent drive-by attacks on the browser plug-in. Expert Michael Cobb explains how to prevent these attacks.

The Silverlight browser plug-in is Microsoft's answer to Adobe Flash. Although it is nowhere near as well-known, Silverlight is used by Netflix for its instant video streaming service. Until recently, Silverlight had escaped the attention of attackers, who focused on more common browser plug-ins such as Java, Flash and Adobe's Acrobat Reader. Now that it has been exploited successfully in the wild, Silverlight is increasingly becoming an attack vector for those looking to infect and compromise users' computers.

There are many similarities between Java and Silverlight. Both run by default in a low-privilege sandbox that restricts access to the device's file system and other system resources, so any attack must break out of the sandbox to be viable. Security researchers have noticed that exploit kits such as Fiesta, Nuclear, RIG and Angler, which in the past mainly carried Java exploits, now include attacks that target vulnerabilities in Silverlight.

The attacks typically rely on luring a user to an attacker-controlled website, fingerprinting the browser to check whether Silverlight is installed (and which version), and then attempting to exploit a vulnerability in that version to infect the victim's system. The same drive-by technique is used to exploit vulnerabilities in other browser plug-ins.

The frustrating thing is that many of these attacks take advantage of vulnerabilities for which vendors have already issued patches. As always, enterprises need to ensure that their users' operating system and application software are kept up to date and that devices do not run older versions any longer than absolutely necessary. Administrators should configure the Silverlight auto-updater for all network users and prevent users from changing the update settings. If Silverlight is not deemed essential in your enterprise, the plug-in could simply be banned.
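The following script is an added example, not code from the article or from Microsoft. It audits the installed Silverlight version and update mode on a Windows host, optionally forces automatic updates, and optionally "bans" the plug-in in Internet Explorer by setting the ActiveX kill bit on the Silverlight control. It assumes the registry layout documented in the Silverlight deployment guide (a Version string and an UpdateMode DWORD under HKLM\SOFTWARE\Microsoft\Silverlight, with 0 = automatic, 1 = check but prompt, 2 = never) and the standard Internet Explorer kill-bit key (Compatibility Flags = 0x400 under ActiveX Compatibility\{CLSID}); verify both against your build before deploying. Because the settings live under HKLM, standard users cannot change them, which is what locks the update choice.

```powershell
<#
  Silverlight-Audit.ps1  (added example, not part of the original article)
  Usage (elevated prompt):
    .\Silverlight-Audit.ps1                      # report only
    .\Silverlight-Audit.ps1 -EnforceAutoUpdate   # set UpdateMode = 0 (automatic)
    .\Silverlight-Audit.ps1 -BlockInIE -WhatIf   # show the kill-bit change without applying it
  Assumed registry values (from the Silverlight deployment guide; verify on your build):
    HKLM\SOFTWARE\Microsoft\Silverlight : Version (REG_SZ), UpdateMode (REG_DWORD)
      0 = install updates automatically, 1 = check but prompt, 2 = never check
    Kill bit: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
      "Compatibility Flags" = 0x400   (IE only; other browsers need their own plug-in block)
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$EnforceAutoUpdate,
    [switch]$BlockInIE
)

# 32-bit plug-in on 64-bit Windows lives under Wow6432Node; both are checked.
$SlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Silverlight',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight'
)
$UpdateModeNames = @{ 0 = 'Automatic'; 1 = 'CheckAndPrompt'; 2 = 'Never' }

function Get-SilverlightState {
    foreach ($key in $SlKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        # A missing UpdateMode value means the installer default (automatic).
        $mode = if ($null -ne $p.UpdateMode) { [int]$p.UpdateMode } else { 0 }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Key        = $key
            Version    = $p.Version
            UpdateMode = $UpdateModeNames[$mode]
        }
    }
}

function Set-SilverlightAutoUpdate {
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($key in $SlKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set UpdateMode = 0 (automatic)')) {
            New-ItemProperty -Path $key -Name UpdateMode -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Block-SilverlightInIE {
    [CmdletBinding(SupportsShouldProcess)] param()
    # Resolve the control's CLSID from its ProgID instead of hard-coding it.
    $progIdKey = 'HKLM:\SOFTWARE\Classes\AgControl.AgControl\CLSID'
    if (-not (Test-Path $progIdKey)) {
        Write-Warning 'AgControl.AgControl is not registered; nothing to block.'
        return
    }
    $clsid = (Get-ItemProperty -Path $progIdKey).'(default)'
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        $k = Join-Path $root $clsid
        if ($PSCmdlet.ShouldProcess($k, 'Set kill bit (Compatibility Flags = 0x400)')) {
            New-Item -Path $k -Force | Out-Null
            New-ItemProperty -Path $k -Name 'Compatibility Flags' -Value 0x400 -PropertyType DWord -Force | Out-Null
        }
    }
}

$state = Get-SilverlightState
if (-not $state) {
    Write-Output "$($env:COMPUTERNAME): Silverlight is not installed."
    return
}
$state | Format-Table -AutoSize

if ($EnforceAutoUpdate) {
    Set-SilverlightAutoUpdate
    Get-SilverlightState | Format-Table -AutoSize   # re-read to confirm the change took
}
if ($BlockInIE) { Block-SilverlightInIE }
```

Run it through your existing remote-execution tooling (Invoke-Command, a startup script or a configuration baseline) and compare the reported Version column against the current Microsoft release; Silverlight fixes also ship via Microsoft Update and WSUS, so the UpdateMode setting is a second line of defence rather than the only one.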

Before an attack can even exploit a Silverlight vulnerability, the attacker has to get a user onto a webpage hosting the attack code, typically by getting them to click a link in an email or instant message that leads to the malicious page. Enterprises must reinforce the message of not clicking on links from unknown sources; this remains a very important aspect of security awareness training. In addition, malvertising, the compromising of legitimate online ad networks, is another technique that leads users to malicious webpages hosting exploits without any link-clicking at all. Up-to-date endpoint antimalware software is an essential part of a layered enterprise security strategy, but note that while many antimalware vendors understand how Java exploits work and know how to spot them using heuristic analysis, Silverlight-based exploits are still relatively new. With the recent news of Silverlight exploits, improved detection is hopefully on its way. A Web security gateway with dynamic URL filtering can also help block unintentional access to many new and fast-changing malicious sites.

Those enterprises that develop their own Silverlight applications for in-house use should ensure their developers fully understand the security implications of enabling the application to interact with other apps and resources, such as local messaging between Silverlight applications or the HTML Bridge, which manages calls between the application and the hosting HTML page and its script. Any assembly that a Silverlight application loads at run time can potentially be malicious, so it is important to make sure that an application loads only assemblies it trusts. The overall aim should be to keep the application as isolated as possible: enable only the bridges it actually needs, and expose only the members that must be callable from outside.

Attacks looking to exploit Silverlight are here to stay, as it opens up another attack vector for attackers, and one that enterprises are not yet fully prepared to handle. A targeted attack against a travelling executive watching Netflix on his or her corporate laptop is a real possibility that enterprises need to consider. Administrators should review whether Silverlight is an essential plug-in; if it is, update the people, processes and technologies around it to make sure it is safe for the enterprise.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS). Mike has a passion for making IT security best practices achievable and easier to understand. His website www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.


This was last published in December 2014


Has your organization had to deal with Silverlight security risks? How has it done so?
We never had issues, but we did help a client with one.

He was running Microsoft Silverlight 5 and the attacker took over his system. The attacker basically acted as if he was the desktop user, installed a keylogger program, and went on his way.

We did a full wipe, but he needed Silverlight for business. They had a patch out by then, so all was good...but he still fears a repeat every single day.