Slashdot Mirror


Netflix Users In Danger of Unknowingly Picking Up Malware

An anonymous reader writes "Users of Silverlight, Microsoft's answer to Adobe Flash, are in danger of having malware installed on their computers and being none the wiser, as an exploit for a critical vulnerability (CVE-2013-0634) in the app framework has been added to the Angler exploit kit. The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements." You'd think something like Silverlight would automatically upgrade itself.

22 of 153 comments

  1. Automatic upgrade by Mr_Silver · · Score: 5, Informative

    You'd think something like Silverlight would automatically upgrade itself.

    It will, assuming that it's given a critical priority within Windows Update and the user has their machine set up to automatically download and install updates.

    Come on, this is basic Windows stuff. Can we get someone on the Slashdot staff that has actually some experience of the operating system in use by 96% of the population please?

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:Automatic upgrade by DaHat · · Score: 5, Informative

      If one looks at the link to CVE-2013-0634, there is a link to a MS Security Bulletin first posted in March 2013 & last updated in April... even saying:

      Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

      Way to go editors... this bug was reported & fixed 7 months ago and only now are we to get paranoid over what it could do if Windows Update isn't enabled? sheesh

    2. Re:Automatic upgrade by Anonymous Coward · · Score: 5, Funny

      But the headline, it's so scary. Netflix users BEWARE! There be DRAGONS ahead. Boo!

    3. Re:Automatic upgrade by TWiTfan · · Score: 4, Funny

      I hear you can get pregnant just by watching Netflix on an unpatched computer!

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
  2. Silverlight *does* patch automatically ... by cdrnet · · Score: 5, Informative

    From the related MS13-022 security bulletin: "Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. "

    Unless you're one of those "smart" people that use windows but disable windows update ...

    1. Re:Silverlight *does* patch automatically ... by Anonymous Coward · · Score: 5, Funny

      Unless you're one of those "smart" people that use windows

      I usually take the stairs or the elevator, but I guess if you're in a hurry....

  3. The Critic malware by Gravis+Zero · · Score: 2

    Good news! All users that don't use Netflix will be unaffected. I can only surmise that this malware replaces all movie descriptions with "It stinks." and a rating of one star.

    --
    Anons need not reply. Questions end with a question mark.
  4. Unknowingly? by pablo_max · · Score: 4, Insightful

    Tell me, when is the last time you knowingly were infected with malware?

  5. The best solution is to lock down Silverlight by Ruedii · · Score: 2, Insightful

    For plugins like Silverlight that run code rather poorly sandboxed, you should lock them to a whitelist, so that only web sites you have preapproved can use them.

    Additionally, you should only run them on an unprivileged user. (Something many Windows users don't do with anything as a regular practice.)

    These two measures won't eliminate your risk, but they will dramatically reduce it.

    1. Re:The best solution is to lock down Silverlight by zippthorne · · Score: 3, Insightful

      How do you lock silverlight to a whitelist?

      --
      Can you be Even More Awesome?!
  6. Netflix? by Anonymous Coward · · Score: 3, Informative

    And this is specific to Netflix users?
    I don't get it.

    1. Re:Netflix? by CastrTroy · · Score: 2

      Well, to be fair, it's probably the only reason most people have Silverlight installed. The only other thing I can think of that used Silverlight was when NBC required Silverlight for watching the Olympics, but I think that was back in 2010. I don't know why Netflix doesn't just require some kind of App to be installed. They have one for Windows 8. Sure the browser feature would be nice as a fallback option, but for actually watching shows it would be much better accomplished outside the browser.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  7. Silverlight? No Thanks by Scarletdown · · Score: 3, Informative

    Back when I used to be able to stream Netflix (I since changed my account to the 3 DVDs at a time plan instead), I gave Silverlight a try. After Silverlight was installed, my video capture device with WinDVR suddenly stopped working. Suspecting Silverlight was the culprit, I set up the video capture device on a test box, and verified that it worked. Then I installed Silverlight there, and sure enough, no more video capture capability. Removed Silverlight and eradicated all traces of it from the system, and my hardware was once again working properly.

    That was when I invoked the hardware owner's right. The ability for any publisher's software to run on hardware that I own is a privilege, not a right. If your product interferes with the rightful and proper operation of my property, then its privilege to exist on my system is revoked permanently.

    Do not fuck with my hardware or any other software that I have installed, or you will not be permitted to run on any systems under my control, and word of your dipshittery will be passed on to others, so that they can be made aware that your software is malware.

    --
    This space unintentionally left blank.
  8. Netflix users? by BringsApples · · Score: 3, Insightful

    Shouldn't this be Microsoft Windows users? My PS3 isn't going to get malware.

    --
    Politics; n. : A religion whereby man is god.
  9. Hey come on, gotta hate on MS! by Sycraft-fu · · Score: 5, Insightful

    I mean if some random shit "security blog" posts a trumped up story to try and get traffic, it is Slashdot's DUTY to repeat it here, with no checking or verification! After all, better everyone is scared of their own shadow than informed about security.

    Seriously this is just pathetic. As I said: This is some random ass site that is trying to get people to come and read, and it worked. By making a scare story about how Netflix users on Windows are vulnerable they managed to get some Linux fanboy to submit the story to Slashdot. The editors then did what they do, which is to say NOT EDIT and just posted it. Great success for shit site, they now got a bunch of undeserved traffic.

    What is sadder is how uninformed this makes all involved look. The statement of "You'd think something like Silverlight would automatically upgrade itself." Yes, it DOES you fucking moron. One thing you have to give MS is that Windows update will patch all their stuff for you. Let it do its thing and you get security updates, as they are released. You don't need to pay attention or anything, it'll just happen. This includes things not installed by default like Silverlight, or older versions of the .NET runtimes.

    This is just a massive pile of fail. It is not news, not even really old news. There was a bug, they patched it. This would be "how shit works", or at least how it should.

    1. Re:Hey come on, gotta hate on MS! by ApplePy · · Score: 4, Funny

      That's ridiculous. How would it automatically update itself? Windows doesn't even have the basic tools for it, like apt and cron!

      --
      That I'm right, and you don't like it, doesn't mean I'm a troll.
    2. Re:Hey come on, gotta hate on MS! by camperdave · · Score: 2

      Windows can do some scary stuff. My laptop BIOS does not have the ability to set a time to wake the machine. Yet for weeks I would find the laptop had gone from a completely powered off state to a completely drained battery overnight while sitting in my backpack. When I turned off the automatic update feature of Windows, the mysterious behaviour stopped. Somehow, Windows would power up the laptop in the middle of the night, and it would sit at a GRUB prompt until the batteries were drained.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re: Hey come on, gotta hate on MS! by jrumney · · Score: 2

      I remember when Intel added power on timers to the BIOS specification and released some software for configuring it. I think I was using a 386DX40 desktop at the time I tested it out. Your BIOS has the feature even if it doesn't expose it in the BIOS setup UI. It's the kind of feature that doesn't make sense as a standalone feature so it's provided more for the OS to use.

  10. Re:to post about already patched vulnerabilities by penix1 · · Score: 2

    To me the real story isn't the attempt to sensationalize on a vulnerability or to single out one user of the technology but that an exploit for that vulnerability has been added to an exploit kit. That means that you probably will see it exploited widely simply because of people turning off Windows Update for various reasons.

    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  11. How does this stuff get the green light? by WD · · Score: 5, Insightful

    1) This has nothing to do with Netflix. I am a Netflix user and I suspect that my Roku is not affected by the vulnerability in question.
    2) Silverlight *does* get updated with automatic updates.
    3) The vulnerability in question was fixed in March (MS13-022).

  12. What does this have to do with Netflix? by EmagGeek · · Score: 3, Interesting

    Sorry, but this is just senseless hyperbole. Malware can be picked up from ANY website, but mentioning Netflix by name is just a design at whipping up a senseless panic.

    Fuck you, Slashdot.

  13. Re: Misleading title? by jrumney · · Score: 2

    Yes, don't forget all the people checking the Beijing Olympics website daily for the latest updates. They have Silverlight installed too.
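
Several comments above rest on the same condition: the MS13-022 fix only arrives on its own if automatic updating is switched on. The PowerShell check below is an added example, not part of the thread or of any Microsoft tooling; it reports the installed Silverlight version and the automatic-update state on one machine. `$MinimumFixedVersion` is a placeholder the operator fills in from the MS13-022 bulletin, since the thread does not give the fixed build number.

```powershell
# Added example: audit one Windows machine for the situation discussed in the thread.
param(
    # ASSUMPTION: placeholder. Supply the fixed Silverlight build from MS13-022.
    [Parameter(Mandatory = $true)]
    [version]$MinimumFixedVersion
)

# Silverlight records its version under these keys (native and 32-bit views).
$keys = 'HKLM:\SOFTWARE\Microsoft\Silverlight',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight'

$installed = foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name Version -ErrorAction SilentlyContinue).Version
    if ($v) { [version]$v }
}
$installed = $installed | Sort-Object -Unique

# Automatic Updates state from the Windows Update Agent COM API.
# NotificationLevel: 0 not configured, 1 disabled, 2 notify before download,
#                    3 notify before install, 4 scheduled install.
$level = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
$autoInstall = ($level -eq 4)

if (-not $installed) {
    'Silverlight is not installed; nothing to patch.'
}
else {
    foreach ($ver in $installed) {
        if ($ver -ge $MinimumFixedVersion) {
            "Silverlight $ver is at or above the fixed build $MinimumFixedVersion."
        }
        elseif ($autoInstall) {
            "Silverlight $ver is older than $MinimumFixedVersion although automatic install is on; check for failed or pending updates."
        }
        else {
            "Silverlight $ver is older than $MinimumFixedVersion and automatic install is off (level $level); update manually."
        }
    }
}

"Automatic Updates notification level: $level"
```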