Incident: Discovery of Silverlight Zero-Day Exploit by Kaspersky Lab

Published Date: 2016-01-13

Postmortem Analysis
Timeline
1. The software failure incident happened in late November [39433]. Therefore, the software failure incident occurred in late November of the same year the article was published, which is 2016.

System
1. Microsoft's Silverlight software [39433]

Responsible Organization
1. Criminal hackers and intelligence agencies exploited a vulnerability in Microsoft's Silverlight software, leading to the software failure incident [39433].

Impacted Organization
1. Microsoft: the software failure incident impacted Microsoft because the vulnerability in its Silverlight software was exploited by the zero-day exploit discovered by Kaspersky Lab [39433].

Software Causes
1. The software failure incident was caused by a zero-day exploit targeting a vulnerability in Microsoft's Silverlight software, which allowed remote-code execution [39433].

Non-software Causes
1. Lack of awareness and patching of vulnerabilities by software makers [39433]

Impacts
1. The zero-day exploit in Microsoft's Silverlight software allowed attackers to infect systems by getting users to visit malicious websites, potentially through phishing emails, leading to system compromise [39433].
2. The exploit targeted a vulnerability in Silverlight that Microsoft rated "critical", highlighting the severity of the issue and the potential for widespread infections [39433].
3. The incident revealed the risks of zero-day exploits being used by criminal hackers and intelligence agencies to gain unauthorized access to systems, emphasizing the importance of timely patching and detection of such vulnerabilities [39433].

Preventions
1. Regular software updates and patching: keeping software up to date with the latest patches can prevent known vulnerabilities from being exploited [39433].
2. Implementing security measures: security tools such as antivirus software, firewalls, and intrusion detection systems can help detect and prevent malicious activity [39433].
3. Educating users on cybersecurity best practices: training users to identify phishing emails and malicious links can help prevent them from falling victim to attacks that exploit software vulnerabilities [39433].
4. Conducting regular security audits: routine security audits and assessments can identify and address potential vulnerabilities in software before they are exploited by attackers [39433].

Fixes
1. Patching the vulnerability in Microsoft's Silverlight software that was exploited by the zero-day exploit [39433].
2. Implementing security measures to prevent phishing attacks that trick users into visiting malicious websites [39433].
3. Using tools like YARA to write rules that search for malicious files and patterns, in order to detect similar exploits in the future [39433].

References
1. Hacking Team's hacked emails, specifically the conversation between Hacking Team and a zero-day seller named Vitaliy Toropov [39433].
2. Public list of bug discoveries and exploits by Vitaliy Toropov [39433].
3. Kaspersky Lab's research and analysis team, particularly Costin Raiu [39433].
4. YARA tool developed by Victor Manuel Alvarez [39433].
5. Kaspersky Security Network (KSN), composed of customers who share malicious samples with Kaspersky [39433].
6. VirusTotal, a free online virus scanner now owned by Google [39433].
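As an added illustration of the YARA-based hunting named under Fixes (this is not a rule from the article, from Kaspersky Lab, or from the YARA project): the rule shows the shape of a detection built from debug strings found in a proof-of-concept sample, as the article describes. The three `$dbg*` strings are constructed placeholders, not indicators from the real exploit; the structure (PE anchor, a required count of strings, a size cap, `ascii wide` for .NET string storage) is the part a practitioner would reuse.

```yara
// Added example, not the rule used in the article. The $dbg* values are
// constructed placeholders standing in for debug strings lifted from an
// analysed proof-of-concept; replace them with strings from a real sample.
rule Silverlight_PoC_Debug_Strings_Hunt
{
    meta:
        description = "Hunts for files carrying debug strings seen in a proof-of-concept exploit"
        reference   = "incident record 39433"
        note        = "placeholder strings; tune before deployment"
    strings:
        // Silverlight assemblies are PE files, so anchor on the MZ header
        // to avoid matching the strings in unrelated text or log files.
        $mz   = { 4D 5A }
        // 'wide' is required as well as 'ascii': .NET user strings are stored
        // as UTF-16 in the assembly, so an ascii-only rule would miss them.
        $dbg1 = "PLACEHOLDER_DEBUG_STRING_1" ascii wide
        $dbg2 = "PLACEHOLDER_DEBUG_STRING_2" ascii wide
        $dbg3 = "PLACEHOLDER_DEBUG_STRING_3" ascii wide
    condition:
        // Require more than one string so a single common token does not
        // flag benign binaries, and cap the size to keep scanning cheap.
        $mz at 0 and 2 of ($dbg*) and filesize < 2MB
}
```

Run it against a sample directory with `yara -r Silverlight_PoC_Debug_Strings_Hunt.yar <path>`; matches are candidates for analysis, not confirmed detections, until the placeholder strings are replaced with real ones.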

Software Taxonomy of Faults

Category: Recurring
Option: unknown
Rationale:
(a) In the provided articles, there is no specific mention of a software failure incident happening again at the same organization or with its products and services. Therefore, there is no information available to address option (a).
(b) The articles do not mention a similar incident happening again at other organizations or with their products and services. Hence, there is no information provided to address option (b) either.

Category: Phase (Design/Operation)
Option: design
Rationale:
(a) The software failure incident in the article is related to the design phase. The incident involved a zero-day exploit in Microsoft's Silverlight software, which was discovered by researchers at Kaspersky Lab after intentionally hunting for it based on clues from hacked emails [39433]. The exploit targeted a vulnerability in Silverlight, which allowed attackers to infect systems by getting users to visit a malicious website where the exploit resided. The exploit had remained undetected for years and was sold to customers for hacking purposes, highlighting a flaw in the design of the software that allowed such vulnerabilities to exist and be exploited [39433].
(b) The software failure incident is not related to the operation phase or misuse of the system.

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident described in the article is primarily due to contributing factors that originate from within the system. Specifically, the failure was caused by a zero-day exploit targeting a vulnerability in Microsoft's Silverlight software [39433]. The exploit allowed attackers to infect systems by getting users to visit a malicious website where the exploit resided, typically through phishing emails that tricked users into clicking on malicious links. This vulnerability was considered critical by Microsoft, leading to the release of a patch to address the issue [39433]. The incident involved the exploitation of a flaw within the Silverlight software itself, highlighting an internal system vulnerability that was targeted by malicious actors.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in the article was primarily due to non-human actions, specifically a zero-day exploit targeting a vulnerability in Microsoft's Silverlight software [39433]. The exploit was discovered by researchers at Kaspersky Lab who intentionally went on the hunt for it using clues from hacked emails and proof-of-concept code provided by the exploit writer. The exploit allowed attackers to infect systems by getting users to visit a malicious website where the exploit resided, typically through phishing emails [39433].
(b) Human actions also played a role in the software failure incident, as the exploit writer, Vitaliy Toropov, actively marketed his exploits, including the Silverlight exploit, to entities like Hacking Team for financial gain [39433]. Additionally, the exploit writer's actions of selling zero-day exploits to potential malicious actors contributed to the software failure incident.

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident related to hardware:
- The article discusses a zero-day exploit that targeted a vulnerability in Microsoft's Silverlight software, which is widely used in various systems, including critical infrastructure and industrial facilities [39433].
- The exploit allowed an attacker to infect systems by getting users to visit a malicious website where the exploit resided, typically through phishing emails [39433].
- The attack worked with all major browsers except Chrome, which had removed support for the Silverlight plug-in in 2014 [39433].
(b) The software failure incident related to software:
- The zero-day exploit discovered in Microsoft's Silverlight software was a software-related failure, as it exploited a vulnerability in the software that allowed attackers to infect systems [39433].
- The exploit was a remote-code execution exploit that targeted a specific vulnerability in Silverlight, demonstrating a flaw in the software that could be exploited by malicious actors [39433].
- The incident highlighted the importance of software security and the need for timely patches to address vulnerabilities in software systems [39433].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The objective of the software failure incident was malicious, as it involved a zero-day exploit targeting a vulnerability in Microsoft's Silverlight software. The exploit was discovered after a hacker named Vitaliy Toropov negotiated the sale of the exploit to the surveillance firm Hacking Team, which uses such exploits to sneak surveillance tools onto targeted systems [39433].
(b) The software failure incident was non-malicious in the sense that the discovery of the zero-day exploit was not intentional but rather a result of researchers at Kaspersky Lab actively hunting for it. The researchers used clues from hacked emails and previous bug discoveries by Toropov to identify the exploit, indicating a non-malicious intent to uncover vulnerabilities and protect systems [39433].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incident in the article was related to a zero-day exploit in Microsoft's Silverlight software, which was intentionally kept hidden and sold to customers for hacking purposes [39433].
- The zero-day exploit was discovered after a hacker named Vitaliy Toropov intentionally marketed his Silverlight exploit to Hacking Team, a controversial surveillance firm, for financial gain [39433].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incident was not accidental but rather a deliberate act by the hacker to create and sell the zero-day exploit for financial gain [39433].

Category: Capability (Incompetence/Accidental)
Option: accidental
Rationale:
(a) The software failure incident related to development incompetence is not evident in the provided articles.
(b) The software failure incident was accidental as it involved a zero-day exploit in Microsoft's Silverlight software that was discovered by researchers at Kaspersky Lab after intentionally going on the hunt for it [39433]. The exploit was found based on debugging code strings in the proof-of-concept exploit written by the hacker Toropov, which led to the discovery of the zero-day exploit infecting a customer's machine. The accidental nature of this incident is highlighted by the fact that the exploit remained undetected for years and was only discovered by chance during the researchers' investigation.

Category: Duration
Option: temporary
Rationale: The software failure incident described in the article is temporary. The incident involved a zero-day exploit in Microsoft's Silverlight software, which allowed attackers to infect systems by getting users to visit a malicious website [39433]. The exploit was discovered by researchers at Kaspersky Lab after intentionally hunting for it and using clues from hacked emails [39433]. The exploit remained undetected for years until it was uncovered in late November after infecting a customer's machine [39433]. The incident was temporary as it was actively exploited for a period of time before being discovered and patched by Microsoft [39433].

Category: Behaviour
Option: value, other
Rationale:
(a) crash: The software failure incident described in the article is not related to a crash where the system loses state and does not perform any of its intended functions. Instead, the incident involves the exploitation of a zero-day vulnerability in Microsoft's Silverlight software by a hacker [39433].
(b) omission: The software failure incident is not related to a failure due to the system omitting to perform its intended functions at an instance(s). It is about the exploitation of a vulnerability in the software rather than the system failing to perform its functions [39433].
(c) timing: The software failure incident is not related to a failure due to the system performing its intended functions too late or too early. It is about the discovery of a zero-day exploit in Microsoft's Silverlight software by researchers at Kaspersky Lab [39433].
(d) value: The software failure incident is related to a failure due to the system performing its intended functions incorrectly. Specifically, the incident involves the exploitation of a vulnerability in Microsoft's Silverlight software, allowing an attacker to infect systems by getting users to visit a malicious website [39433].
(e) byzantine: The software failure incident is not related to a failure due to the system behaving erroneously with inconsistent responses and interactions. It is about the discovery and exploitation of a zero-day vulnerability in Silverlight software [39433].
(f) other: The behavior of the software failure incident can be categorized as a security breach resulting from the exploitation of a zero-day vulnerability in Microsoft's Silverlight software. This incident highlights the risks associated with unknown vulnerabilities in software that can be exploited by malicious actors [39433].

IoT System Layer

Layer: Perception
Option: embedded_software
Rationale: The software failure incident discussed in the articles is related to the embedded software layer of the cyber-physical system. The incident involved a zero-day exploit targeting a vulnerability in Microsoft's widely used Silverlight software, which is utilized in critical infrastructure and industrial facilities [39433]. The exploit was a remote-code execution exploit that could infect a system after a user visited a malicious website where the exploit resided, typically through a phishing email tricking the user into clicking on a malicious link. This indicates a failure in the embedded software layer of the system, as the vulnerability in the Silverlight software allowed attackers to compromise the system through the exploitation of the software itself.

Layer: Communication
Option: connectivity_level
Rationale: The software failure incident discussed in the articles is related to the communication layer of the cyber-physical system, which failed at the connectivity level. The failure was due to contributing factors introduced by the network or transport layer. The incident involved a zero-day exploit targeting a vulnerability in Microsoft's Silverlight software, which is widely used in various systems, including industrial control systems like SCADA [39433]. The exploit allowed attackers to infect systems by getting users to visit a malicious website, typically through phishing emails that trick users into clicking on malicious links. This indicates that the failure was at the connectivity level, involving network communication vulnerabilities rather than issues at the physical layer.

Layer: Application
Option: TRUE
Rationale: The software failure incident described in the articles is related to the application layer of the cyber-physical system. The incident involved a zero-day exploit targeting a vulnerability in Microsoft's Silverlight software, which is widely used in various applications including browser plug-ins, streaming services like Netflix, and industrial control systems like SCADA [39433]. The exploit allowed attackers to infect systems by tricking users into visiting a malicious website, indicating a failure at the application layer due to vulnerabilities in the software [39433].

Other Details

Category: Consequence
Option: no_consequence
Rationale:
(a) unknown
(b) unknown
(c) unknown
(d) unknown
(e) unknown
(f) unknown
(g) no_consequence
(h) unknown
(i) The software failure incident described in the articles did not result in any real observed consequences.

Category: Domain
Option: information, entertainment
Rationale:
(a) The failed system was related to the production and distribution of information, as it involved a zero-day exploit targeting Microsoft's widely used Silverlight software, which is utilized by various providers, including Netflix, to deliver streaming content to users [39433].

Sources
