Patched with MS15-044, CVE-2015-1671 is described as a TrueType Font Parsing Vulnerability.
Silverlight versions up to 5.1.30514.0 are affected, but note that most browsers will warn that the plugin is out of date:
|Out of date Plugin protection in Chrome 39.0.2171.71|
|Out of date ActiveX controls blocking in Internet Explorer 11|
(introduced in August 2014)
and also consider that Microsoft announced the end of Silverlight at the beginning of the month.
Angler EK :
Around the 1st of July, some new Silverlight-focused code appeared in the Angler EK landing page.
It even seems the coders left some debug code in or made a mistake, as this kind of popup could be seen on Angler EK for several hours:
|Deobfuscated snippet of the Silverlight call exposed to victims in Angler EK|
I heard about filled calls from ESET and EKWatcher.
The exploit sent was 3fff76bfe2084c454be64be7adff2b87 and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00). I spent hours trying to get a full exploit chain... no luck, only zero-size calls.
But it seems it's back today (or I got luckier?):
Disclaimer: many indicators whisper that it's the same variation of CVE-2015-1671, but I am still waiting for strong confirmation.
|Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 7|
|Silverlight 5.1.10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 7|
|Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 7|
Two DLLs (x86 and x64) are encoded in the payload stream with the XTEA key m0boo69biBjSmd3p.
|Silverlight DLL in dotPeek after de4dot|
Sample in those passes: ac05e093930662a2a2f4605f7afc52f2
(Off topic: the payload is Bedep, which then fetches an ad-fraud module; you have the XTEA key if you want to extract it.)
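For readers who want to pull the two DLLs (or the Bedep payload) out of a captured stream with the key quoted above, here is an XTEA decoder plus a small PE carver. This is an added example written for this page, not code from the post and not Angler's own routine. The post does not say which XTEA mode, word order or padding the EK uses, so the code assumes standard XTEA (32 rounds, delta 0x9E3779B9) in ECB over 8-byte blocks with little-endian 32-bit words and the 16-byte ASCII key taken directly as the four subkeys; if a real capture decrypts to garbage, those are the knobs to try first (the `endian` parameter covers the word-order case). The "encrypted stream" in the block is constructed by encrypting two fake PE headers with that key, so the whole thing runs offline.

```python
"""XTEA decoder plus PE carver for a payload stream (added example, not
code from the post or from Angler EK).

Assumptions not stated in the post: standard XTEA (32 rounds, delta
0x9E3779B9) in ECB mode over 8-byte blocks, little-endian 32-bit words,
and the 16-byte ASCII key used directly as the four 32-bit subkeys.
SAMPLE_STREAM below is constructed here by encrypting two fake PE headers
with that key; it is not the real Angler payload stream.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32
KEY = b"m0boo69biBjSmd3p"  # XTEA key quoted in the post (16 bytes = 128 bits)


def key_schedule(key, endian="<"):
    """Split a 128-bit key into the four 32-bit words XTEA indexes by sum bits."""
    if len(key) != 16:
        raise ValueError("XTEA needs a 128-bit key")
    return struct.unpack(endian + "4I", key)


def encrypt_block(v0, v1, k):
    """Reference XTEA encryption of one 64-bit block (two 32-bit halves)."""
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def decrypt_block(v0, v1, k):
    """Inverse of encrypt_block: start from the final sum and undo each round."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def xtea_ecb(data, key, decrypt=True, endian="<"):
    """Run XTEA block by block (ECB). Refuses a partial trailing block rather
    than guessing a padding scheme the post does not describe."""
    if len(data) % 8:
        raise ValueError("stream length is not a multiple of 8 bytes")
    k = key_schedule(key, endian)
    fn = decrypt_block if decrypt else encrypt_block
    fmt = endian + "2I"
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from(fmt, data, off)
        out += struct.pack(fmt, *fn(v0, v1, k))
    return bytes(out)


MACHINE = {0x14C: "x86", 0x8664: "x64"}  # COFF Machine values for the two DLL flavours


def carve_pe(blob):
    """Return (offset, arch) for every 'MZ' whose e_lfanew points at a PE
    signature. A bare 'MZ' match is not enough: the e_lfanew check filters
    out the random 'MZ' pairs that appear in still-encrypted data."""
    found = []
    for i in range(0, len(blob) - 0x3F):
        if blob[i:i + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        pe = i + e_lfanew
        if pe + 6 <= len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", blob, pe + 4)[0]
            found.append((i, MACHINE.get(machine, hex(machine))))
    return found


def fake_pe(machine):
    """Constructed stand-in for a DLL: DOS header, e_lfanew, PE signature and
    COFF Machine field, zero-padded to the XTEA block size (88 bytes)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18
    hdr += b"\x00" * (-len(hdr) % 8)
    return bytes(hdr)


PLAIN_STREAM = fake_pe(0x14C) + fake_pe(0x8664)
SAMPLE_STREAM = xtea_ecb(PLAIN_STREAM, KEY, decrypt=False)  # constructed, not a real capture


def extract_dlls(stream=SAMPLE_STREAM, key=KEY):
    """Decrypt the stream with the post's key and locate the embedded PEs."""
    plain = xtea_ecb(stream, key)
    return plain, carve_pe(plain)


if __name__ == "__main__":
    plain, hits = extract_dlls()
    for off, arch in hits:
        print("PE (%s) at offset 0x%x" % (arch, off))
```

On a real capture, feed the raw payload stream to `extract_dlls(stream)` and write out each carved region from its offset up to the next hit (or end of stream); if nothing is carved, re-run with `endian=">"` before suspecting the key, since a wrong word order scrambles every block while the key itself is the one thing the post states.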
Files: Fiddler (password is malware)
[Edit 2015-07-26: has been spread to all Angler threads]
Thanks for help/tips:
ESET, Microsoft, Horgh_RCE, Darien Huss, Will Metcalf, EKWatcher.
[Edit 2015-07-28: spotted by Will Metcalf in Magnitude today. This post will be updated around the 10th of August. It's a rip of Angler's.]
Read more:
CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13