Security Update for Silverlight to Address Remote Code Execution (MS16-006)

ITS Advisory Number: 
2016-009
Date(s) Issued: 
Tuesday, January 12, 2016
Subject: 
Security Update for Silverlight to Address Remote Code Execution (MS16-006)
Overview: 

This security update resolves vulnerabilities in the Microsoft Silverlight product. Microsoft Silverlight is a powerful tool for creating and delivering rich Internet applications and media experiences on the Web. A remote code execution vulnerability exists when Microsoft Silverlight decodes strings using a malicious decoder that can return negative offsets, which cause Silverlight to replace unsafe object headers with contents provided by an attacker. Additionally, if the system is compromised, the attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Microsoft Silverlight 5
  • Microsoft Silverlight 5 Developer Runtime
Risk: 
  • Large and medium government entities: High
  • Small government entities: High
  • Large and medium business entities: High
  • Small business entities: High
  • Home Users: High
Description: 

Microsoft Silverlight RCE Vulnerability - CVE-2016-0034

A remote code execution vulnerability exists when Microsoft Silverlight incorrectly handles certain open and close requests, which can result in read- and write-access violations. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged-on user.

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
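The first action above (apply the patch after testing) is only verifiable if you know which endpoints still carry a pre-update build of the products listed under "Systems Affected". The PowerShell script below is an added example for that inventory step; it is not part of this advisory and not Microsoft's code. It assumes that Silverlight records its installed version in a `Version` string under `HKLM\SOFTWARE\Microsoft\Silverlight` (and the `Wow6432Node` path on 64-bit Windows), and it takes the patched version number as a parameter, `-PatchedVersion`, because the advisory does not state it; take that value from the MS16-006 bulletin. Remote hosts are read through the Remote Registry service, so the account running the script needs read access to those machines.

```powershell
# Added example (not from the advisory): report which hosts still run a Silverlight 5
# build older than the MS16-006 update. Registry location is an assumption documented
# in the lead-in; the patched version is a placeholder supplied by the operator.
param(
    [Parameter(Mandatory = $true)]
    [version]$PatchedVersion,                       # placeholder: version from the MS16-006 bulletin
    [string[]]$ComputerName = @($env:COMPUTERNAME)  # local machine by default
)

# Assumed locations of the Silverlight version value (native and 32-bit-on-64-bit hives).
$registryPaths = @(
    'SOFTWARE\Microsoft\Silverlight',
    'SOFTWARE\Wow6432Node\Microsoft\Silverlight'
)

function Get-SilverlightStatus {
    param([string]$Computer, [version]$Patched)

    $result = [ordered]@{
        Computer  = $Computer
        Installed = $false
        Version   = $null
        Status    = 'NotInstalled'
    }

    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    } catch {
        $result.Status = "Unreachable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    foreach ($path in $registryPaths) {
        $key = $hive.OpenSubKey($path)
        if ($null -eq $key) { continue }
        $raw = $key.GetValue('Version')
        $key.Close()
        if ([string]::IsNullOrEmpty($raw)) { continue }

        try {
            $installed = [version]$raw
        } catch {
            # An unparseable value is worth a human look rather than a silent skip.
            $result.Installed = $true
            $result.Status = "Unparseable version string '$raw'"
            continue
        }

        $result.Installed = $true
        # Keep the lowest version seen across both hives; that is the build an attacker would reach.
        if ($null -eq $result.Version -or $installed -lt $result.Version) {
            $result.Version = $installed
        }
    }
    $hive.Close()

    if ($result.Installed -and $null -ne $result.Version) {
        $result.Status = if ($result.Version -ge $Patched) { 'Patched' } else { 'VULNERABLE' }
    }
    [pscustomobject]$result
}

$report = foreach ($c in $ComputerName) {
    Get-SilverlightStatus -Computer $c -Patched $PatchedVersion
}
$report | Format-Table -AutoSize

# Non-zero exit when any host is still on a pre-update build, so a deployment job can gate on it.
if ($report | Where-Object Status -eq 'VULNERABLE') { exit 1 }
```

Run it against a list of hosts, for example `.\Check-Silverlight.ps1 -PatchedVersion <version from the bulletin> -ComputerName (Get-Content .\hosts.txt)`, and feed the `VULNERABLE` rows to the patch deployment. Hosts reported as `NotInstalled` need no action for this advisory; hosts that are `Unreachable` are gaps in the inventory, not evidence of patching.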