Microsoft Silverlight is one of those technologies that probably should have gone much further than it did. Initially conceived as a kind of all-purpose replacement for Adobe Flash Player, the online media protocol is now mostly just a way to run Netflix and Amazon Video on PCs and Macs.
Like Flash, though, Silverlight makes Web browsers vulnerable to some potentially nasty attacks, and if you haven't kept it updated, you could fall victim to a pernicious exploit that's now making the rounds online.
A French security blogger who goes by the name of Kafeine this week shared information about the Silverlight vulnerability on his security blog, Malware Don't Need Coffee. His explanation of the issue was simple and straightforward: Microsoft patched a major Silverlight vulnerability this month, but in so doing, it gave hackers the opportunity to reverse-engineer the previously undisclosed flaw and add it to the widely distributed Angler browser exploit kit.
The Silverlight vulnerability itself, which was given the ID CVE-2016-0034 (rolls right off the tongue, doesn't it?) can affect both Windows PCs and Macs. By convincing a user to visit a website infected with the Angler exploit kit, a hacker could use the Silverlight vulnerability to compromise the user's Web browser and infect the user's computer. Provided that user has administrative rights on his or her computer (it's much safer to browse the Web as a limited user), this attack could be really anything: file theft, unauthorized program installation, keylogging or any other common cybercriminal technique.
This is not the first time that Silverlight has come under attack via the CVE-2016-0034 exploit. Ars Technica points out that the vulnerability has been exploited in the wild for at least two years -- but only in spyware made and marketed by Hacking Team, an Italian company that buys zero-day exploits from independent hackers and incorporates them into its products.
Last summer, someone hacked into Hacking Team's servers and dumped the company's email correspondence online, revealing the existence of many previously unknown security flaws, including at least one that affected Silverlight. It took some time for Microsoft and Moscow-based security firm Kaspersky Lab to fully research the disclosed Silverlight flaw and devise countermeasures.
The fix, at least, is simple: Keep Microsoft Silverlight up to date. If you run Windows Update or Apple Update frequently, you are already protected. Microsoft has also provided instructions to update Silverlight manually (opens in new tab).
If you want to go one step further, you could just ditch Silverlight entirely. While the protocol is useful for watching Netflix and Amazon Video on most browsers, Google Chrome does not require Silverlight to run either one of the popular video streaming services. Unless you're a developer, there's likely nothing else for which you use Silverlight on a regular basis.
If you've already been infected, there's still no need to panic. The Angler exploit kit can install some nasty malware, but nothing that a good antivirus program can't handle. Run a scan, change your passwords and consider switching to Chrome.