Silverlight Exploits Up, Java Exploits Down, Says Cisco

← Back to Stories (view on slashdot.org)

Silverlight Exploits Up, Java Exploits Down, Says Cisco

Posted by Soulskill on Tuesday January 20, 2015 @05:19PM from the flavor-of-the-month dept.

angry tapir writes: Attempts to exploit Silverlight soared massively in late 2014 according to research from Cisco. However, the use of Silverlight in absolute terms is still low compared to the use of Java and Flash as an attack vector, according to Cisco's 2015 Annual Security Report. The report's assessment of the 2014 threat landscape also notes that researchers observed Flash-based malware that interacted with JavaScript. The Flash/JS malware was split between two files to make it easier to evade anti-malware protection. (The full report is available online, but registration is required.)

55 comments

Min score:

Reason:

Sort:

Silverlight isn't long for this world by TrollstonButterbeans · 2015-01-20 17:34 · Score: 3, Insightful

If Windows 7 supported HTML5 video for Netflix, Silverlight would be retired.

--
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
1. Re:Silverlight isn't long for this world by Anonymous Coward · 2015-01-20 17:39 · Score: 0
  
  For some totally insane reason, the crapware on the disc accompanying my latest Canon EOS camera insisted on installing Silverlight. As you can imagine, it is now finding a new purpose as a coaster... Hello Canon, you do not ever try install Silverlight on my machine.
2. Re:Silverlight isn't long for this world by Anonymous Coward · 2015-01-20 18:03 · Score: 5, Informative
  
  Chrome on can use HTML5 for Netflix now.
3. Re:Silverlight isn't long for this world by TrollstonButterbeans · 2015-01-20 18:39 · Score: 1
  
  My Silverlight is uninstalled now. Thank you.
  
  --
  Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
4. Re:Silverlight isn't long for this world by epyT-R · 2015-01-20 19:19 · Score: 1
  
  Why wouldn't it support html5 for netflix?
5. Re:Silverlight isn't long for this world by Anonymous Coward · 2015-01-20 20:27 · Score: 0
  
  It is the only thing keeping Silverlight alive.
6. Re:Silverlight isn't long for this world by Anonymous Coward · 2015-01-20 20:33 · Score: 0
  
  Amazon instant video uses Silverlight too, at least here in europe.
7. Re:Silverlight isn't long for this world by TrollstonButterbeans · 2015-01-20 20:44 · Score: 1
  
  Chrome does as of November as someone else pointed out, so problem solved. IE11 (gross) supported it only on Windows 8. Firefox appears to not support it.
  
  --
  Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
8. Re:Silverlight isn't long for this world by Anonymous Coward · 2015-01-20 22:48 · Score: 1
  
  Chrome has supported "HTML5" Netflix for many months now. Poke around in your account settings to see if you can find the "Prefer HTML5 video" checkbox.
9. Re:Silverlight isn't long for this world by Megane · 2015-01-21 00:22 · Score: 1
  
  The configuration software for Harmony remotes uses Silver(b)light. I only tolerate that piece of crap because it has codes for things that I never had the remote for.
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
10. Re:Silverlight isn't long for this world by Wootery · 2015-01-21 00:42 · Score: 1
  
  Apparently in the US they also support Flash.
  I found that Amazon's Silverlight player was an absolute abomination. Very rarely worked on my Windows machine. Worked a good deal better on my Mac, if I didn't mind overheating the thing for hours at a time.
11. Re: Silverlight isn't long for this world by Anonymous Coward · 2015-01-21 04:28 · Score: 0
  
  Not with Linux. You have to specifically modify your headers to watch Netflix on Linux. This was true 6 months ago at least...
12. Re:Silverlight isn't long for this world by tlhIngan · 2015-01-21 04:41 · Score: 1
  
  Chrome does as of November as someone else pointed out, so problem solved. IE11 (gross) supported it only on Windows 8. Firefox appears to not support it.
  Of course. This requires the EME (aka DRM) support in the browser. Netflix uses Silverlight because before then, they couldn't use a solution with DRM. Since the W3C created (with much protest) the EME spec, Chrome, Safari and IE implement it. Firefox refuses to out of pure ideology (no DRM, period!),
  EME was pushed heavily by Netflix so they could move away from Silverlight, which is no longer supported by Microsoft.
  Of course, the alternative would be to app-ify Netflix (which I think they also have on Windows 8), but then people complain about what it leads to - namely apps that really do nothing but show web pages so they want to return back to where everything could be done via a browser.
13. Re:Silverlight isn't long for this world by Anonymous Coward · 2015-01-21 05:23 · Score: 0
  
  It does. Use Chrome for Netflix on Windows 7. There ya go, HTML5. Now uninstall Silverlight.
14. Re: Silverlight isn't long for this world by Anonymous Coward · 2015-01-21 05:25 · Score: 1
  
  Not true anymore. http://www.pcworld.com/article/2824623/ubuntu-linux-gets-netflix-without-weird-workarounds.html
2015 the Year of Windows XP Perfection? by Anonymous Coward · 2015-01-20 18:14 · Score: 0

News from Microsoft Update. The month of January 2015 saw only four (4) security updates for Windows XP. Could Windows XP be approaching bug-free perfection?
1. Re:2015 the Year of Windows XP Perfection? by Wootery · 2015-01-21 00:43 · Score: 1
  
  Could Windows XP be approaching bug-free perfection?
  Seems rather more likely it's just no longer worth targetting.
Netflix... by Anonymous Coward · 2015-01-20 18:15 · Score: 0

Is literally the only use I have for Silverlight... Why they don't just switch to HTML5 yet on desktop, like they did on mobile, is a mystery.
1. Re:Netflix... by Tablizer · 2015-01-20 18:25 · Score: 1
  
  Why doesn't Netflix use Flash, at least as an alternative choice.
  
  --
  Table-ized A.I.
2. Re:Netflix... by Anonymous Coward · 2015-01-20 18:55 · Score: 0
  
  microsoft is probably giving them a deep discount on the drm licensing in exchange for getting their flash wannabe on computers.
3. Re:Netflix... by deesine · 2015-01-20 19:24 · Score: 1
  
  Amazon Prime Video. Having that tab open in FF disables my screensaver in 8.1. Arg.
  
  --
  damaged by dogma
4. Re:Netflix... by jonwil · 2015-01-20 21:09 · Score: 1
  
  As others have said, Netflix will work in a recent enough build of Chrome on both Windows and Linux with no Silverlight required.
5. Re:Netflix... by TheRaven64 · 2015-01-20 22:33 · Score: 1
  
  The Netflix client logic is fairly complex (it dynamically jumps between servers, bitrates, and so on). Each new version they add increases the size of their testing matrix. I'd imagine that they really don't want to do that...
  
  --
  I am TheRaven on Soylent News
6. Re:Netflix... by Dionysus · 2015-01-20 23:08 · Score: 1
  
  Does it use Silverlight? I can watch Netflix on my Linux machine without problems, and I don't have Silverlight installed...
  
  --
  Je ne parle pas francais.
7. Re:Netflix... by Wootery · 2015-01-21 00:44 · Score: 1
  
  I suspect it's because the dinosaurs who licence their stuff to Netflix think Silverlight has trustworthy DRM magic dust, where other technologies aren't to be trusted.
8. Re:Netflix... by drinkypoo · 2015-01-21 00:55 · Score: 4, Informative
  
  Why doesn't Netflix use Flash, at least as an alternative choice.
  Netflix used to use Flash, but they moved to Silverlight in exchange for a seat on the board at Microsoft for their CEO. So they dropped Flash and went to Silverlight, which caused a lot of problems for a while which they eventually ironed out.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
9. Re:Netflix... by Jeff+DeMaagd · 2015-01-21 01:32 · Score: 1
  
  Reed Hastings has been gone from that board for a couple of years now.
  I get annoyed with the notices from other sites that are asking for Silverlight. It's usually stuff on the login page. eBay and Tumblr (I think) are notable examples, but I've encountered several others.
10. Re:Netflix... by drinkypoo · 2015-01-21 12:00 · Score: 1
  
  The Netflix client logic is fairly complex (it dynamically jumps between servers, bitrates, and so on).
  Yeah, that's why Netflix was originally WiMP-based. (whoops, could have sworn it used flash at one time, but DRM-only hence no Linux then. Maybe once it was flash UI with WIMP backend?) Because it can handle cool stuff like jumping between servers, bitrates, and so on. They switched to Silverlight for both UI and video fairly early on, and the rest is either history, or happening right now. On OSX it's already using HTML5 video on Safari, and on Windows it's supposed to be HTML5 on IE11. ISTR an article about how Firefox is going to go ahead and take on a closed video component to permit it to also play HTML5 DRM video, so perhaps we'll have Netflix in Firefox on Linux, which would be a big step forward for Linux-based entertainment centers. I have no problems with Netflix under XP32 in VMWare Player with a Linux host, except that it doesn't integrate with Kodi.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
11. Re:Netflix... by john5819 · 2015-01-21 16:37 · Score: 1
  
  Why doesn't Netflix use Flash, at least as an alternative choice.
  If you need to ask then you wouldn't understand the answer.
One of two? by Anonymous Coward · 2015-01-20 18:30 · Score: 0

I guess 1 of 2 users makes for a high 50% infection rate
Who the hell still uses Silverlight by Anonymous Coward · 2015-01-20 18:30 · Score: 0

Just another feeble attempt by Microsoft to extinguish Adobe Flash (and maybe HTML5) by coming up with their own proprietary standard.
Back in the day when Silverlight arrived upon the scene, all the pro-Microsoft astroturfers were having a congratulatory jizzfest on various tech sites.
Please let Silverlight die already.
1. Re:Who the hell still uses Silverlight by AqD · 2015-01-20 18:54 · Score: 3, Interesting
  
  We used Silverlight to build enterprise apps because it's most resembling to fully-functional desktop app platform - like client-server except the server side is built on OData service with row-level access control (by SQL expression rewriting) and clients simply query everything by LINQ, maintaining maximum control over everything except authentication/authorization.
  It boosts development time significantly for building apps of the same functionality and does a lot of things which HTML5/JS cannot even maturely do yet, like binary data processing and really fast graphics rendering. If you take a look at their theme resource files, you'd notice that every UI controls and cool effects in Silverlight are actually complex vector shapes to be rendered in real-time, not fake image/bitmap used in typical websites because they're too slow to do anything serious.
  But now it's dead.....
2. Re:Who the hell still uses Silverlight by Anonymous Coward · 2015-01-20 19:07 · Score: 0, Flamebait
  
  And everybody but you is glad it is...
3. Re:Who the hell still uses Silverlight by gl4ss · 2015-01-20 20:00 · Score: 1
  
  you know what's funny?
  microsoft announces death of silverlight -> announces silverlight as the thing for wp.
  microsoft announces death of xna -> announces pretty much xna as the thing for games for wp / metro.
  
  --
  world was created 5 seconds before this post as it is.
4. Re:Who the hell still uses Silverlight by Crashmarik · 2015-01-20 20:06 · Score: 2
  
  Extinguish ? Flash needs to die in a fire.
5. Re:Who the hell still uses Silverlight by Kagetsuki · 2015-01-20 20:45 · Score: 1
  
  I hate to ask this, and I'm sure you're asking yourself, but: why didn't you just build on a desktop app platform? There's something preventing your users from running a full application?
6. Re:Who the hell still uses Silverlight by AlphaBro · 2015-01-20 21:33 · Score: 1
  
  I can't speak for AqD, but quite often, yes. When I was developing business apps using .NET, desktop was my first choice. Unfortunately, most clients were adamant about a web UI, so Silverlight was my first fallback since it let me reuse a lot of the same code. Only if they resisted that did I go with HTML/JS and ASP.NET. Web app development sucks so I rarely do anything of the sort anymore, but Silverlight made it more tolerable.
7. Re:Who the hell still uses Silverlight by gbjbaanb · 2015-01-21 00:37 · Score: 1
  
  Microsoft says "silverlight s dead", ex Silverlight team (now working on WP) announces Silverlight as the thing for WP.
  I guess its the natureof Microsoft's non-joined-up team structures, one team likes something another team doesn't. I think things are changing now with Nadella actually taking charge.
  The thing for WP and Metro, according to Microsoft is Cordova! I can't argue against that, even Microsoft knows cross-platform toolsets are the way forward :-)
8. Re:Who the hell still uses Silverlight by preflex · 2015-01-21 00:56 · Score: 1
  
  It boosts development time significantly for building apps of the same functionality
  Wow! Silverlight sounds great! I'm always looking for ways to boost my development time. I charge by the hour.
9. Re:Who the hell still uses Silverlight by Anonymous Coward · 2015-01-21 04:04 · Score: 0
  
  There's this thing called SVG. It's a vector format that allows for complex shapes and is rendered in real time. Then there's Canvas which is a vector drawing API for a raster device. Just sayin'
10. Re:Who the hell still uses Silverlight by AqD · 2015-01-21 06:16 · Score: 1
  
  I'm aware of that. But SVG and Canvas only come into major browsers recently and they're not even properly hardware-accelerated yet (I wanted the level of performance you can see in Qt or WPF), let alone any UI frameworks built on top of them.
  WebGL might be a better choice. Its performance even in infant stage is years ahead of anything 2D renderers have to offer. But that doesn't solve the incapability of JavaScript to handle binary data such as conversion between different text encodings or parsing office files at client side.
11. Re:Who the hell still uses Silverlight by AqD · 2015-01-21 06:45 · Score: 1
  
  The result products are superior and they're done in lesser time. What else should I care about? If you want to talk about life span of the platform, all Microsoft related tech would have to be abandoned.
Real malware by Anonymous Coward · 2015-01-20 18:42 · Score: 0

Attempts to exploit Silverlight ...

SilverLight is the malware. I've only met a few sites that use it, and most of them of were unstable and barely usuable. Except for the adverts which worked and eventually increased in quantity.
That is not bad by TrollstonButterbeans · 2015-01-20 18:54 · Score: 2

If a product requires a CD, the CD is almost sure to be crap.

Bad = Helping someone setup their Linksys router and discovering that since Belkin bought them (Belkin is remarkably inept, I think only 2 of their products ever worked for me and one of those was a cord!), the router setup web page (192.168.1.1) actually requires a very recent browser -- which precludes configuration using a mobile phone or iPad for no good reason --- and provides no way to NOT require a username and password to use the wireless.

And to use the router setup page at 192.168.1.1 you must install the CD! Hello incompetence! How does that work for Linux? Belkin is the worst.

Corporations have special skills to sabotage their own products.

--
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
1. Re:That is not bad by drinkypoo · 2015-01-21 00:40 · Score: 1
  
  the router setup web page (192.168.1.1) actually requires a very recent browser -- which precludes configuration using a mobile phone or iPad for no good reason --- and provides no way to NOT require a username and password to use the wireless.
  And you tried using Firefox mobile with "request desktop site" turned on? And you tried Firefox Beta, too?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why is MS Still pushing it then? by Anonymous Coward · 2015-01-20 18:54 · Score: 3, Informative

I build a new Windows 7 VM last week.
After the close to 750Mb of patches in the 'download and reboot' cycle, up pops Slitherlight (Like Slitherin in Harry Potter, not nice) as an optional download.
I do not want it but even after hiding it, like a bad penny it keeps on coming back.
Can we really try to get rid of this thing (and flash for that matter). The world has moved on and it is not needed anymore.
1. Re:Why is MS Still pushing it then? by Anonymous Coward · 2015-01-21 00:02 · Score: 2, Interesting
  
  You hide specific KB numbers / Silverlight releases, not Silverlight as a product.
  This means that the first time you hide Silverlight, it is the latest version of Silverlight you are hiding. You will then be offered the second-to-last version (note that the KB numbers and dates change). This will continue until you have hidden every release of Silverlight. When a new version is released it will appear as new download, but you won't have to go through the whole hide-previous-updates again.
Re:Silverlight is the best light to fuck GNAA ASS by Anonymous Coward · 2015-01-20 23:58 · Score: 0

Why do I find this hilarious?
Eh. by Anonymous Coward · 2015-01-21 00:34 · Score: 0

I don't like Silverlight itself, but I really am not happy with the way the web is reducing itself to Ein Language, Ein Platform, Ein Consortium. Choice from competing or cooperating providers is what gives freedom and progress - not One True Path involving HTML (eh) and Javascript (eugh eugh eugh), which frankly doesn't offer nearly the stability, UI richness, speed nor programming elegance of desktop software even after two decades.
1. Re:Eh. by Wootery · 2015-01-21 00:49 · Score: 1
  
  I really am not happy with the way the web is reducing itself to Ein Language, Ein Platform, Ein Consortium
  The only free and open 'non-standard web technologies' I can think of are Java applets (oh dear) and Dart.
  Flash and Silverlight are proprietary.
  Anyway, what's wrong with the web as a single platform? You still have your pick of browsers.
2. Re:Eh. by Anonymous Coward · 2015-01-21 01:06 · Score: 1
  
  Forgive me, but what's bad with Java applets? They're way more efficient than HTML+Javascript, i.e. something which requires a 2009 machine today would require a 1999 in Java. Java libraries are a lot richer than Javascript both for connectivity and UI. If you're worried about Oracle's treatment of the Java applet platform, choose a decent launcher/updater.
  Are you honestly asking what's wrong with having only one platform for development? What's wrong with ANSI C as a single platform? Win32 as a single platform? Everthing lacking in HTML+Javascript is wrong with the web as a platform. And every disagreement on the best way of doing something which can't be alternatively implemented (there is no One True Way) is wrong with the web as a platformm.
3. Re:Eh. by Wootery · 2015-01-21 02:53 · Score: 2
  
  Forgive me, but what's bad with Java applets?
  Security (the greatest downside imo), inability to (ever!) run on mobile devices, increased RAM use from pulling in a whole JVM, external dependency beyond a web-browser, immaturity of JavaFX. Historically Java applets would often cause a browser crash, but that seems not be a an issue these days (presumably as we've just got the horsepower to cope).
  
  They're way more efficient than HTML+Javascript
  JavaScript JIT compilers are pretty damn good these days. I suspect that you're right, but performance can be pretty good with web technologies. There are working audio/video-decoders written in JavaScript, for instance.
  
  If you're worried about Oracle's treatment of the Java applet platform, choose a decent launcher/updater.
  You mean OpenJDK?
  
  Are you honestly asking what's wrong with having only one platform for development?
  Yes, hence why I asked.
  
  What's wrong with ANSI C as a single platform? Win32 as a single platform? Everthing lacking in HTML+Javascript is wrong with the web as a platform.
  Well the standards are ever-growing. (And the technical barrier to creating a browser becomes ever more daunting, but I guess that's just the price we pay.)
  
  And every disagreement on the best way of doing something which can't be alternatively implemented
  It's called "the web". A mish-mash of incompatible technologies is not good for the web. On the other hand I kinda agree: I'd really like to see JavaScript die and be replaced (it's just awful), but it looks like we're stuck with it. There is an upside here though: stability of the web as a platform. There's one web, and it works on all sorts of devices. That's something that would be compromised by a plugins-for-everything web.
4. Re:Eh. by Anonymous Coward · 2015-01-21 03:11 · Score: 0
  
  Java applets kinda suck in every way. Java Web Start is a bit better. The problem is that too many shitty programmers who don't understand threading and the whole event dispatch thread thing that java UI uses, wrote a lot of shitty code that freezes and locks while processing callbacks instead of remaining responsive.
Java updated yesterday by schwit1 · 2015-01-21 01:37 · Score: 1

http://www.java.com/en/downloa...