CVE-2016-0034
Published: 13 January 2016
Summary
CVE-2016-0034 is a high-severity vulnerability in Microsoft Silverlight; its weakness type (CWE) is unspecified. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Silverlight 5 before version 5.1.41212.0 contains a remote code execution vulnerability stemming from improper handling of negative offsets during decoding operations. The flaw resides in the Silverlight runtime component and can result in object-header corruption when processing specially crafted content.
Remote attackers can exploit the issue by serving a malicious website that triggers the decoding flaw when visited by a user with an affected Silverlight installation. Successful exploitation grants arbitrary code execution in the context of the current user or, alternatively, produces a denial-of-service condition. This corresponds to the CVSS 8.8 rating, which reflects a network attack vector, low complexity, and no required privileges beyond user interaction.
Microsoft security bulletin MS16-006 addresses the vulnerability through an updated Silverlight runtime (5.1.41212.0 and later) and is referenced in multiple tracking databases including SecurityTracker. The flaw appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation activity that underscores the importance of applying the vendor patch promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-0072
Vulnerability details
Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka "Silverlight Runtime Remote Code Execution Vulnerability."
- CWE(s)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of the vendor patch (Silverlight 5.1.41212.0) that eliminates the negative-offset decoding flaw.
- SC-18 (Mobile Code): Restricts or disables execution of Silverlight mobile code delivered by untrusted web sites, blocking the attack vector before the decoder is invoked.
- Malicious-code protection mechanisms can block or alert on the crafted Silverlight content that triggers the RCE/DoS condition.