Thursday, February 25, 2016

MS Silverlight Exploit In-The-Wild:
Uninstall Silverlight NOW!
(Or update if you're stuck using it).


I don't know of any reason to continue using Microsoft's Silverlight Internet plug-in and neither does Microsoft! The company has, albeit quietly, stated that they are eventually discontinuing all support of Silverlight and that everyone should move on to more modern technologies. That includes ALL Mac users. So bully for Microsoft for sort of warning people ahead of time that Silverlight Is Dead. HTML5 and other MS technologies replace it in its entirety.

But the damned thing is still being used by many websites. Meanwhile, further security holes in Silverlight have been found and are being exploited on the web at this moment, in-the-wild. Mac users are susceptible and are going to suffer. Uninstall Silverlight NOW! Don't update it. Just UNINSTALL IT! That is my personal advice.

Here's what's going on:

Malicious websites exploit Silverlight bug that can pwn Macs and Windows
Code execution exploit for just-fixed bug makes encore appearance in Angler.
. . . Exploit code for the patched vulnerability is being distributed through Angler, one of several toolkits that criminals use to seed websites with code that carries out drive-by attacks. The Silverlight attack was spotted earlier this week by a researcher who goes by the moniker Kafeine. The vulnerability is indexed as CVE-2016-0034. . . .
Microsoft has been clear that exploits have the ability to remotely execute malicious code on both unpatched Windows and OS X devices. . . .
While Silverlight vulnerabilities aren't nearly as numerous as security bugs in Adobe's Flash or Oracle's Java, Kafeine's discovery shows that the Microsoft framework has the potential to endanger a broad base of people using both Windows and OS X. Readers who can browse the Internet without Silverlight are best off uninstalling it. Everyone else should religiously update it as soon as patches become available. Patched versions are 5.1.41212.0 or higher.

Here are Microsoft's instructions for removing the Silverlight Internet plug-in from Mac computers:

Removing Silverlight plugins on Macintosh
1. Access your hard drive
   Double-click the hard drive icon on your desktop

2. Find the plugin
   Navigate to your Internet Plug-Ins directory: /Library/Internet Plug-Ins/

3. Remove the plugin
   Drag any of the following into your trash bin:
   • Silverlight.plugin
   • WPFe.plugin

I must add:

4. Restart ALL your web browsers. Otherwise Silverlight will still be running in them.
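
To check a Mac before and after following the steps above, here is an added example (not part of Microsoft's instructions or the quoted article). It looks for the two bundles in /Library/Internet Plug-Ins/ and compares any version it finds with the patched version 5.1.41212.0 quoted above. The function names are hypothetical, and it assumes the bundle's version is stored under CFBundleShortVersionString in Contents/Info.plist.

```shell
#!/bin/sh
# Added example: report Silverlight plug-in bundles and whether they are patched.
PATCHED="5.1.41212.0"   # minimum patched version quoted on this page

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# plugin_version BUNDLE: print the bundle's version string, or "unknown".
# Assumption: the version is stored under CFBundleShortVersionString.
plugin_version() {
    plist="$1/Contents/Info.plist" v=""
    if command -v defaults >/dev/null 2>&1; then
        v=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) || v=""
    elif [ -f "$plist" ]; then   # no macOS tools: read an XML plist directly
        v=$(sed -n '/CFBundleShortVersionString/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist")
    fi
    echo "${v:-unknown}"
}

# audit_plugins [DIR]: one line per bundle found: path, version, state.
audit_plugins() {
    dir="${1:-/Library/Internet Plug-Ins}"
    for name in Silverlight.plugin WPFe.plugin; do
        [ -e "$dir/$name" ] || continue
        v=$(plugin_version "$dir/$name")
        if [ "$v" = unknown ]; then state=version-unknown
        elif version_lt "$v" "$PATCHED"; then state=unpatched
        else state=patched
        fi
        printf '%s\t%s\t%s\n' "$dir/$name" "$v" "$state"
    done
}

audit_plugins   # no output means neither bundle is present in the default directory
```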

And again: Don't patch Silverlight. UNINSTALL Silverlight. Get it over with. If you run into some retrograde website that insists upon using Silverlight, send them this link, dated January 16, 2014:

Silverlight Support Roadmap

Microsoft will continue to support Silverlight 5 until 10/12/2021
That's the cutoff date. 
Microsoft continues to release updates to Silverlight 5 to address security and compatibility issues.
But that's it for the future of Silverlight.

So get rid of it! Immediately! So say I.


