CVE-2016-0034 — Microsoft Silverlight Runtime Remote Code Execution Vulnerability

Microsoft Silverlight — Negative Offset Decoding Error Enables RCE via Crafted Media; Angler Exploit Kit Delivery; Ransomware Use Confirmed; Patched MS16-006 (January 2016)

What Is Microsoft Silverlight?

Microsoft Silverlight was a browser plugin for rich internet applications — the Microsoft equivalent of Adobe Flash — capable of delivering streaming media, animations, and interactive web content. Silverlight was installed on hundreds of millions of computers during its peak deployment in 2010–2015. Like Flash, Silverlight ran as an NPAPI browser plugin with direct access to the user's system, making Silverlight vulnerabilities exploitable via any web page the user visited.

Microsoft announced Silverlight's end-of-life in 2012 (setting the date for 2021) and browser vendors progressively disabled NPAPI support. Silverlight reached official end-of-life on October 12, 2021. Exploit kit operators targeted Silverlight vulnerabilities alongside Flash vulnerabilities throughout 2013–2016.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-0034 is a remote code execution vulnerability in Microsoft Silverlight caused by improper handling of negative offsets during decoding of media or object content. When Silverlight processes a specially crafted media stream or Silverlight application, the negative offset calculation results in out-of-bounds memory access, corrupting heap memory in a way that enables code execution. The vulnerability was exploited by the Angler exploit kit for ransomware delivery. It was patched in MS16-006 (January 12, 2016). Silverlight has been permanently end-of-life since October 2021, so any remaining installations cannot receive further patches.

Affected Versions

Silverlight                          Status
Silverlight 5 (before 5.1.41105.0)   Vulnerable
Silverlight 5 (5.1.41105.0+)         Fixed (MS16-006)
All versions                         EOL — no further patches

Technical Details

Root Cause: Negative Offset Decoding Error

CVE-2016-0034 involves improper bounds checking (CWE-119) in Silverlight's media decoding or object deserialization routines. When Silverlight processes a negative offset value during content decoding, it fails to validate that the computed memory address remains within expected bounds. This causes Silverlight to read from or write to memory outside the intended buffer, corrupting adjacent heap structures.
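
The bug class described above, shown as an added example (not Silverlight's code and not part of the original page): a decoder for a constructed record format whose header carries a signed 32-bit offset. A range check that tests only the upper bound accepts a negative offset, while the strict check used by the hardened decoder rejects it. The record layout, function names and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 8u  /* assumed layout: int32 offset, uint32 length, then payload */

uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Weak check (the bug class): only the upper bound is tested, so a negative
   offset passes and a later access would land before the payload. */
int range_ok_weak(int32_t off, uint32_t len, size_t payload_len) {
    return (int64_t)off + (int64_t)len <= (int64_t)payload_len;
}

/* Strict check: reject negative offsets first, then compare in unsigned
   arithmetic arranged so that no intermediate value can wrap. */
int range_ok_strict(int32_t off, uint32_t len, size_t payload_len) {
    if (off < 0) return 0;
    if ((size_t)off > payload_len) return 0;
    return (size_t)len <= payload_len - (size_t)off;
}

/* Hardened decoder: returns bytes copied, or -1 on any malformed field. */
int decode_chunk(const uint8_t *stream, size_t stream_len,
                 uint8_t *dst, size_t dst_len) {
    if (stream_len < HDR_LEN) return -1;
    int32_t off = (int32_t)rd_u32le(stream);   /* untrusted, signed */
    uint32_t len = rd_u32le(stream + 4);       /* untrusted */
    size_t payload_len = stream_len - HDR_LEN;
    if (!range_ok_strict(off, len, payload_len)) return -1;
    if (len > dst_len || len > 0x7fffffffu) return -1;
    memcpy(dst, stream + HDR_LEN + (size_t)off, len);
    return (int)len;
}

/* Constructed samples: offset 2 / length 4, and offset -8 / length 4. */
const uint8_t GOOD[] = {2, 0, 0, 0, 4, 0, 0, 0, 'A','B','C','D','E','F','G','H'};
const uint8_t BAD[]  = {0xF8, 0xFF, 0xFF, 0xFF, 4, 0, 0, 0, 'A','B','C','D','E','F','G','H'};

int main(void) {
    uint8_t out[8];
    int ok  = decode_chunk(GOOD, sizeof GOOD, out, sizeof out);  /* copies "CDEF" */
    int bad = decode_chunk(BAD, sizeof BAD, out, sizeof out);    /* rejected */
    return (ok == 4 && bad == -1) ? 0 : 1;
}
```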

The exploitation pattern mirrors the Flash UAF/overflow techniques prevalent in this era:

  1. Heap grooming — shape the Silverlight heap to place controlled data adjacent to the corruption target
  2. Trigger the negative offset bug — process the crafted media/Silverlight content
  3. Overwrite function pointer — corrupt an adjacent heap object containing a code pointer
  4. Code execution — Silverlight executes attacker-controlled shellcode or ROP chain

Angler Exploit Kit Integration

Angler was the most sophisticated and widely deployed exploit kit of 2013–2016. By early 2016, Angler maintained a rotating portfolio of exploits for Flash, Silverlight, and Internet Explorer vulnerabilities, using the first unpatched exploit that succeeded for each target. CVE-2016-0034 was added to Angler's Silverlight exploitation chain, typically as a fallback for targets where Flash was blocked or patched.

Attack Characteristics

Attribute          Detail
Attack Vector      Network — malicious Silverlight content via web page
User Interaction   Required (visit page; Silverlight renders content)
Exploit Kit        Angler (Silverlight attack chain)
Ransomware         Confirmed (CryptoWall, Cerber)
EOL                Silverlight end-of-life October 2021

Discovery

Reported to Microsoft and patched in MS16-006 (January 2016 Patch Tuesday).

Exploitation Context

  • Angler ransomware delivery: CVE-2016-0034 was integrated into Angler's Silverlight exploit chain for ransomware payload delivery — primarily CryptoWall and Cerber variants; Silverlight exploitation provided a second vector when Flash was blocked or patched, significantly expanding exploit kit reach
  • Silverlight decline: By 2016, Silverlight exploitation was declining relative to Flash as browser vendors removed NPAPI support; Chrome had removed NPAPI by 2015, and Firefox was transitioning; IE and Firefox ESR remained the primary Silverlight delivery vectors
  • EOL permanent exposure: Silverlight reached permanent end-of-life in October 2021; any remaining Silverlight installations cannot receive security patches and are permanently vulnerable to CVE-2016-0034 and all other known Silverlight vulnerabilities
  • CISA KEV (2022): Added May 2022

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. The impacted products are end-of-life and should be disconnected if still in use.

  1. Uninstall Silverlight — remove Silverlight from all systems. Silverlight is permanently end-of-life and receives no further security updates.

  2. Migrate Silverlight applications — replace Silverlight-based internal applications with HTML5 or supported alternatives. Microsoft Media Foundation and HTML5 video replace Silverlight streaming capabilities.

  3. Browser controls — modern browsers (Chrome, Firefox, Edge) no longer support NPAPI plugins and cannot run Silverlight. IE11 with Silverlight should be upgraded to Edge.

  4. Block Silverlight content — if Silverlight cannot be immediately removed, configure application control policies to prevent Silverlight content execution from untrusted sources.

Key Details

Property               Value
CVE ID                 CVE-2016-0034
Vendor / Product       Microsoft — Silverlight
NVD Published          2016-01-13
NVD Last Modified      2025-10-22
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added         2022-05-25
CISA KEV Deadline      2022-06-15
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. The impacted products are end-of-life and should be disconnected if still in use.

Timeline

Date         Event
2016-01-12   Microsoft Security Bulletin MS16-006 released; CVE-2016-0034 patched (January 2016 Patch Tuesday)
2016-01-13   CVE-2016-0034 published by NVD
2016-01-12   Angler exploit kit integrates CVE-2016-0034 for Silverlight-based drive-by attacks and ransomware delivery
2021-10-12   Microsoft Silverlight reaches end-of-life
2022-05-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15   CISA BOD 22-01 remediation deadline