Firefox blocks Silverlight plugin 5.1.10411.0

Recently Firefox blocked the Java plugin because it was vulnerable, but a fixed version was released quickly and that resolved the issue. Now it is Silverlight's turn. Silverlight plug-in version 5.1.10411.0 has been blocked, with a warning that it is vulnerable and should be updated.

[Screenshot: silverlight-plugin-vulnerable-firefox]

I remember when Firefox blocked the Java plugin, I just hit the "click here to activate" and continued with it, until I decided one day it's time now to do something about it. So for Silverlight I am going to do all I can to get my hands on the latest version, which is safe and secure.

[Screenshot: silverlight-plugin-vulnerable-firefox-player]

Clicking “check for updates” takes you to the Plugin checker page that has more information about the plugin’s vulnerability.

[Screenshot: silverlight-plugin-vulnerable-firefox-plugin-checker-page]
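What the plugin checker does behind the page is a version comparison: it reads the installed plugin's version out of the browser's plugin list and compares it with a blocklist entry. The script below repeats that check in page script, as an added example that is not from the post, from Mozilla or from Microsoft. The sample plugin list is constructed for the example, and the assumption that every build at or below 5.1.10411.0 is affected (the post only names that one build) is marked in the code.

```javascript
// Added example, not code from the original post. Given a navigator.plugins-style
// list, find Silverlight and decide whether its version is at or below the build
// Firefox blocked (5.1.10411.0, the only version the post names).
const BLOCKED_MAX = "5.1.10411.0";

// Pull a dotted numeric version out of a string such as "5.1.10411.0";
// returns null when the string carries no version at all.
function parseVersion(s) {
  if (typeof s !== "string") return null;
  const m = s.match(/\d+(?:\.\d+)*/);
  return m ? m[0].split(".").map(Number) : null;
}

// Component-wise comparison; missing trailing components count as 0,
// so "5.1.10411" and "5.1.10411.0" compare equal.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Plugin names differ by platform, so match loosely on the product name.
function findSilverlight(plugins) {
  for (const p of plugins) {
    if (/silverlight/i.test(p.name || "")) return p;
  }
  return null;
}

// Returns { status, version } where status is one of
// "not-installed", "unknown-version", "vulnerable" or "ok".
function assessSilverlight(plugins) {
  const p = findSilverlight(plugins);
  if (!p) return { status: "not-installed", version: null };

  // The version may sit in .version, .description or .filename depending on
  // the browser; try each in turn.
  const v = parseVersion(p.version) || parseVersion(p.description) || parseVersion(p.filename);
  if (!v) return { status: "unknown-version", version: null };

  // Assumption: builds older than the blocked one are affected too, so
  // anything at or below BLOCKED_MAX is flagged.
  const vulnerable = compareVersions(v, parseVersion(BLOCKED_MAX)) <= 0;
  return { status: vulnerable ? "vulnerable" : "ok", version: v.join(".") };
}

// Constructed sample input shaped like entries of navigator.plugins.
const samplePlugins = [
  { name: "Shockwave Flash", description: "Shockwave Flash 11.6 r602", filename: "NPSWF32.dll" },
  { name: "Silverlight Plug-In", description: "5.1.10411.0", filename: "npctrl.dll" },
];

// In a browser that still exposes NPAPI plugins, run it against the real list.
if (typeof navigator !== "undefined" && navigator.plugins) {
  console.log(assessSilverlight(Array.from(navigator.plugins)));
} else {
  console.log(assessSilverlight(samplePlugins));
}
```

A check like this only sees what the browser reports: current browsers no longer load NPAPI plugins and expose an empty or fixed `navigator.plugins` list, so on a modern machine the result will be "not-installed" even if an old Silverlight runtime is still on disk. For that case the installed version has to be read from the operating system rather than from the browser.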

As usual, the "more information" message about the vulnerability reads,

This plugin version has a security vulnerability that websites can exploit and potentially harm your computer. It is recommended that you update this plugin or if an update is not available, disable it.

For more information, read the plugin vendor’s vulnerability information.

and links to the Microsoft security bulletin page. That page describes the vulnerability and the precaution people should take: set Silverlight to update itself automatically whenever an update is available.

Remote Code Execution Vulnerability

The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website.

The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability.

In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.

What does that mean? If you visit a website that serves a malicious Silverlight application built to exploit this flaw, the attacker's code runs on your computer, typically with the same rights as the user running the browser. The ads, email links and instant messages the bulletin mentions are not the code that gets executed; they are the lure that gets you onto the attacker's page, or that gets the attacker's content in front of you on a site you already trust (a banner ad served into it, or user-provided content on a site that hosts it). The attacker cannot force you to load the page, so everything depends on getting you to click.

James Forshaw of Context Information Security reported the Silverlight Double Dereference Vulnerability.

The Solution: Update it immediately and make sure you turn on the auto updating feature.

http://www.microsoft.com/getsilverlight/get-started/install/default.aspx

[Screenshot: silverlight-update-page]

It's been 13 days since Firefox initially posted this news, and for those of you, including me, who didn't update: update it. While installing the update, a window shows up with "Enable Microsoft Update" and an enabled checkbox; leave it as is.

[Screenshot: silverlight-auto-update]

If only the earlier version had had this, it wouldn't have taken me 13 days to do something about this vulnerability. *sigh*

Restart the browser for the change to take effect; the installer does not restart it for you.