Number: AL16-001
Date: 13 January 2016
Purpose
The purpose of this alert is to bring attention to a recently disclosed vulnerability in Microsoft Silverlight that is under active exploitation.
Assessment
CCIRC is aware of attacks exploiting a recently patched critical vulnerability in Microsoft Silverlight. Identified as CVE-2016-0034, this vulnerability can allow for remote code execution if a user visits a webpage containing a specially crafted Silverlight application.
Suggested action
Due to the elevated risk presented by this vulnerability, CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications. CCIRC recommends that this patch be given priority.
References
CCIRC Advisory AV15-006: Microsoft Critical Security Bulletins Summary for January 2016
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2016/av16-005-en.aspx
Microsoft Security Bulletin MS16-006 - Security Update for Silverlight to Address Remote Code Execution (3126036):
https://technet.microsoft.com/library/security/MS16-006
SecureList: The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day
https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-microsoft-silverlight-0-day/