
Netflix Users In Danger of Unknowingly Picking Up Malware 153

Posted by Unknown Lamer
from the perils-of-deprecated-proprietary-software dept.
An anonymous reader writes "Users of Silverlight, Microsoft's answer to Adobe Flash, are in danger of having malware installed on their computers and being none the wiser, as an exploit for a critical vulnerability (CVE-2013-0634) in the app framework has been added to the Angler exploit kit. The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements." You'd think something like Silverlight would automatically upgrade itself.
  • Automatic upgrade (Score:5, Informative)

    by Mr_Silver (213637) on Tuesday November 19, 2013 @04:15AM (#45461411)

    You'd think something like Silverlight would automatically upgrade itself.

    It will, assuming that it's given a critical priority within Windows Update and the user has their machine set up to automatically download and install updates.

    Come on, this is basic Windows stuff. Can we get someone on the Slashdot staff that actually has some experience of the operating system in use by 96% of the population please?

    • Re:Automatic upgrade (Score:5, Informative)

      by DaHat (247651) on Tuesday November 19, 2013 @04:21AM (#45461433) Homepage

      If one looks at the link to CVE-2013-0634, there is a link to a MS Security Bulletin [microsoft.com] first posted in March 2013 & last updated in April... even saying:

      Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

      Way to go editors... this bug was reported & fixed 7 months ago and only now are we to get paranoid over what it could do if Windows Update isn't enabled? sheesh

      • by Anonymous Coward on Tuesday November 19, 2013 @04:43AM (#45461493)

        But the headline, it's so scary. Netflix users BEWARE! There be DRAGONS ahead. Boo!

        • by TWiTfan (2887093) on Tuesday November 19, 2013 @09:41AM (#45462503)

          I hear you can get pregnant just by watching Netflix on an unpatched computer!

          • I hear you can get pregnant just by watching Netflix on an unpatched computer!

            I don't know about that. But I did notice that ever since Silverlight got into my house the glue has disappeared from the bindings in all of my books. I thought it was a coincidence. But upon further consideration, I seem to be watching more movies from Netflix since the pages of my books keep falling out faster than I can read them.

            • by lgw (121541)

              Woah. I also use Silverlight and I just started reading my old, old copy of Ender's Game, and sure enough the pages are loose in the bindings! It's real, man!

        • by g0bshiTe (596213)
          I'm too lazy to RTFA, where exactly did Netflix come into play? Is my Roku running silverlight? As far as I know I don't have silverlight running on any of my devices.
          • by SQLGuru (980662)

            Just more FUD. Netflix is just one of the biggest reasons that people have Silverlight installed. Therefore, Netflix is the reason that you are vulnerable.

      • by Sycraft-fu (314770) on Tuesday November 19, 2013 @05:23AM (#45461621)

        I mean if some random shit "security blog" posts a trumped up story to try and get traffic, it is Slashdot's DUTY to repeat it here, with no checking or verification! After all, better everyone is scared of their own shadow than informed about security.

        Seriously this is just pathetic. As I said: This is some random ass site that is trying to get people to come and read, and it worked. By making a scare story about how Netflix users on Windows are vulnerable they managed to get some Linux fanboy to submit the story to Slashdot. The editors then did what they do, which is to say NOT EDIT and just posted it. Great success for shit site, they now got a bunch of undeserved traffic.

        What is sadder is how uninformed this makes all involved look. The statement of "You'd think something like Silverlight would automatically upgrade itself." Yes, it DOES you fucking moron. One thing you have to give MS is that Windows update will patch all their stuff for you. Let it do its thing and you get security updates, as they are released. You don't need to pay attention or anything, it'll just happen. This includes things not installed by default like Silverlight, or older versions of the .NET runtimes.

        This is just a massive pile of fail. It is not news, not even really old news. There was a bug, they patched it. This would be "how shit works", or at least how it should.

        • by ApplePy (2703131) on Tuesday November 19, 2013 @06:39AM (#45461819)

          That's ridiculous. How would it automatically update itself? Windows doesn't even have the basic tools for it, like apt and cron!

          • Windows can do some scary stuff. My laptop BIOS does not have the ability to set a time to wake the machine. Yet for weeks I would find the laptop had gone from a completely powered off state to a completely drained battery overnight while sitting in my backpack. When I turned off the automatic update feature of Windows, the mysterious behaviour stopped. Somehow, Windows would power up the laptop in the middle of the night, and it would sit at a GRUB prompt until the batteries were drained.
            • I remember when Intel added power on timers to the BIOS specification and released some software for configuring it. I think I was using a 386DX40 desktop at the time I tested it out. Your BIOS has the feature even if it doesn't expose it in the BIOS setup UI. It's the kind of feature that doesn't make sense as a standalone feature so it's provided more for the OS to use.

              • by ncc74656 (45571) *

                I remember when Intel added power on timers to the BIOS specification and released some software for configuring it. I think I was using a 386DX40 desktop at the time I tested it out.

                That capability would've required ATX with its standby power capability, which didn't come along until well into the Pentium era. There's no way your 386 would've had wake-on-timer, wake-on-LAN, or wake-on-anything. The only thing that might've worked would have been to plug it into a timer (like you'd do with your Christmas lights).

                • by noh8rz10 (2716597)

                  The only thing that might've worked would have been to plug it into a timer (like you'd do with your Christmas lights).

                  I leave my xmas lights on 24/7, you insensitive clod! Also, 365 days a year.

            • Windows can't power the laptop up. Something else is at work -- probably a BIOS setting to power your laptop on when power is restored (power outage / power comes back, computer will boot up).

              Stop and consider basic Operating Systems 101: The OS cannot run unless it is loaded into memory, and the CPU is active. If it isn't loaded into memory and the CPU isn't active, "windows" can't do anything.

              • by mmontour (2208)

                Windows cant power the laptop up.

                Technically, no. But Windows (or Linux) can program a wake-up alarm into the RTC chip. See for example http://www.mythtv.org/wiki/ACPI_Wakeup [mythtv.org] .

              • by Darinbob (1142669)

                Windows 8 will leave things running even after the computer appears to be off superficially. Part of its goal to make bootup and shutdown look fast. I.e., screen goes blank but if you're on a desktop you see the hard drive light still active for five to ten seconds as well as the light on the tower's power switch. It's kind of worrying because someone not paying attention may just kill the power prematurely. For a laptop you never see the hard drive light and so think that it's off when it isn't.

                A couple

            • That's from the trolls. They hide underneath the BIOS and wake everybody up at 3:00 AM (because they're trolls).

              It's what you get for hanging around here.....

            • by freeze128 (544774)
              That's what you get for not having a default selection in Grub. Add one, even if it's a HALT.
              • I tried adding a poweroff default to GRUB, but it didn't work for some reason or another. I wound up simply disabling the automatic updates within Windows.
        • This is nothing compared to the .Net Firefox plugin [slashdot.org]

          If Slashdot put as much effort in denouncing that plugin into Actual malicious plugins like Conduit, Dealio and the like, the world would be a better place.

        • by g0bshiTe (596213)
          Any administrator worth their weight doesn't let MS be rogue and update itself. You never know when KB-OMGWTFISTHIS will be incompatible with Driver_l()()t_d()()d.
          • Epic troll fail. Anyone who's done any sort of systems admin knows that Windows update is probably the LEAST likely of system updaters to cause problems.

        • I mean if some random shit "security blog" posts a trumped up story to try and get traffic, it is Slashdot's DUTY to repeat it here, with no checking or verification! After all, better everyone is scared of their own shadow than informed about security.

          Well, around here there is a massive reading comprehension fail in submitters so that may be a big part of this submission. For example, if someone somewhere writes an article that says basically "Not X. Definitely not X. It may be A-W, Y or Z but it's definitely not X. Anything but X." then the submitter will post and scream "X! They said it was X! The sky is falling! It's X!!!". It does get old.

      • And it only affects the web player version of Netflix. Those watching via the Windows Store app are fine.

      • by phorm (591458)

        Not only that, but every now and then when I access Netflix with an older Silverlight version, it *does* prompt me to upgrade. This includes on Mac and older WinXP systems.

    • by hairyfeet (841228)

      What do you expect, most of the MSFT bashing here is based on shit that ended with XP. As someone who works on Windows systems 6 days a week i can say that a modern Windows system (Vista on up) with automatic updates and a browser that recognizes low rights mode (IE or any Chromium based) is one tough nut to crack, in fact the only infections I see with any regularity are ones where the writer used social engineering to get the user to bypass the OS security. Sadly no matter how well MSFT hardens the OS you

      • by g0bshiTe (596213)
        Switch to *nix, instead of fixing them 6 days a week they work.

        Kidding, kidding before you decry me as a *nix zealot though I do use it regularly, I find that neither OS is 1 size fits all. There are things I love in nix and things I love in Windows barring Windows 8 of course. I never let it update without looking over what it wants to push.

        And you are right since MS isolated Session0 it has been much tougher for me to find a compromised system on my network as long as users don't run with elevated privi
        • by hairyfeet (841228)

          Look up "The Hairyfeet Challenge" to see why *nix don't cut it my friend. You are obviously a system admin and thus it's trivial for you to admin your own systems, I on the other hand work primarily with home users, SOHOs, and SMBs and with them it better "just work" and any fuck up, like say Ubuntu shitting on the wireless or Mint doing a dump on the video? Then it's ME that is gonna get a hit to my rep.

          What the FOSS zealots here refuse to accept that you have seen with your own eyes is that from Vista on up

    • by ktappe (747125)
      • Can we get someone on the Slashdot staff that has actually some experience of the operating system in use by 96% of the population please?

      It's not even correct for the other 4%. On Mac OS X, Silverlight absolutely alerts the user that their version is out of date and a single "OK" click will download the new version for them.

    • by Darinbob (1142669)

      I often think that automatic upgrades are a security disaster waiting to happen myself. I far prefer to be notified that updates are available.

      • by cbhacking (979169)

        The chain of trust for Windows updates is among the strongest protections the OS has. Certificate pinning for the update servers (can't spoof them even with a compromised CA signing your SSL cert), signed update packages (again, must be signed by Microsoft rather than some third-party trust authority), and signed binaries. In order to compromise the update installer, you would need to have already compromised the OS so thoroughly that there's no point pushing a malicious update. The odds of an actual securi

        • by Darinbob (1142669)

          You get a window that says "do you want to update this?" But you have no possible way of knowing if that is official or is part of malware. What about third party applications doing the same thing, as in Adobe Reader or Firefox asking over and over for your permission to update, I'm pretty sure they're not linked into Microsoft's cert chains.

    • by chuckw (15728) *

      That would be a reasonable thing to say if the world all ran Windows. This is in fact very much not the case. Apple users are forced to use Silverlight if they wish to use Netflix, and there is no auto-update feature. You have to download the latest DMG to your desktop, shut down your browser, and install it. Very 1995...

  • by cdrnet (1582149) on Tuesday November 19, 2013 @04:18AM (#45461423)

    From the related MS13-022 security bulletin: "Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. "

    Unless you're one of those "smart" people that use windows but disable windows update ...

    • by Anonymous Coward on Tuesday November 19, 2013 @04:39AM (#45461481)

      Unless you're one of those "smart" people that use windows

      I usually take the stairs or the elevator, but I guess if you're in a hurry....

    • by Anonymous Coward

      Or one of those corporate people with a managed desktop where you can't install your own patches and don't get anything that your IT department don't deem "ultra-critical" because they'd rather avoid any testing or issues with updating a browser plugin that's not relevant to your job. The last place I worked was usually about a month behind on patches while we deployed them to testing groups, and some of the "peripheral" stuff like patches for Silverlight, driver updates, etc would just be ignored altogethe

  • by Anonymous Coward

    Isn't this title just totally misleading? Although Silverlight never enjoyed the popularity of Flash, it's not like Netflix is the exclusive user of Silverlight...

  • by Gravis Zero (934156) on Tuesday November 19, 2013 @04:42AM (#45461487)

    good news! all users that don't use Netflix will be unaffected. I can only surmise that this malware replaces all movie descriptions with "It stinks." [youtu.be] and a rating of one star.

    • by ApplePy (2703131)

      good news! all users that don't use Netflix will be unaffected.

      Good thinking! My Linux box is so secure it won't even run Netflix!

      • by jedidiah (1196)

        > Good thinking! My Linux box is so secure it won't even run Netflix!

        Although it handles Hulu and Amazon Prime just fine.

  • Unknowingly? (Score:5, Insightful)

    by pablo_max (626328) on Tuesday November 19, 2013 @04:43AM (#45461491)

    Tell me, when is the last time you knowingly were infected with malware?

    • by osu-neko (2604)

      Tell me, when is the last time you knowingly were infected with malware?

      A few years ago. Rebooting into Windows and deliberately plugging into a client's network was (for various reasons) the quickest/easiest way to determine what exactly was infecting their computers and if it was really spreading across the LAN rather than being transmitted by some emailed word document or promiscuous USB-stick user. It was.

      I've actually never been unknowingly infected with malware. It's always been deliberate, although I didn't always know exactly what sample I'd be collecting...

  • Really? Why is this on front page of Slashdot? A vulnerability that was patched months ago via windows updates is now an issue?
    • by penix1 (722987)

      To me the real story isn't the attempt to sensationalize on a vulnerability or to single out one user of the technology but that an exploit for that vulnerability has been added to an exploit kit. That means that you probably will see it exploited widely simply because of people turning off windows update for various reasons.

  • For plugins like silverlight that run code rather poorly sandboxed, you should lock them to a whitelist, so that only web sites you have preapproved can use them.

    Additionally, you should only run them as an unprivileged user. (Something many Windows users don't do with anything as a regular practice.)

    These two measures won't eliminate your risk, but they will dramatically reduce it.

    • by bazorg (911295)

      Hi,

      When you say that it is not properly sandboxed and using admin user permissions, does that apply to people using IE11 (Windows 8)? I thought the defaults on Windows 8 were not as careless as back in the day of XP pre-SP.

    • by zippthorne (748122) on Tuesday November 19, 2013 @09:48AM (#45462559) Journal

      How do you lock silverlight to a whitelist?

      • by Anonymous Coward

        Silverlight is a plugin, and in Chrome you can block all plugins and then add sites to a plugin whitelist. I assume something similar is available in other browsers.

        There are similar whitelists for Javascript and cookies. I whitelist all three. Managing the lists can be annoying, but I prefer to have a bit of control over what web sites do on my computer.
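One way to enforce the "block all plugins, then whitelist sites" setup described in this comment and in the parent advice, as an added example that is not from the original thread: a PowerShell script that writes the Chrome managed policies DefaultPluginsSetting and PluginsAllowedForUrls to the policy registry hive of the NPAPI-era Chrome of the time (these plugin policies have since been removed along with plugin support). The whitelisted site list is a constructed sample; run it from an elevated prompt.

```powershell
# Added example (not from the original comments): enforce block-by-default
# browser plugins in Chrome via Windows registry policy, then verify the result.
# Assumes the policy names of 2013-era Chrome: DefaultPluginsSetting and
# PluginsAllowedForUrls (list policies are stored as numbered string values).

$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$allowedKey   = Join-Path $chromePolicy 'PluginsAllowedForUrls'

# Constructed sample whitelist: only the site that actually needs the plugin.
$allowedSites = @('[*.]netflix.com')

function Set-PluginWhitelistPolicy {
    param([string[]]$Sites)

    New-Item -Path $chromePolicy -Force | Out-Null
    # 1 = allow all plugins (the weak default), 2 = block all, 3 = click to play.
    # The comment's setup is "block all", so write 2.
    Set-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting' -Value 2 -Type DWord

    # Rebuild the allow list from scratch so stale entries do not linger.
    if (Test-Path $allowedKey) { Remove-Item -Path $allowedKey -Recurse -Force }
    New-Item -Path $allowedKey -Force | Out-Null
    for ($i = 0; $i -lt $Sites.Count; $i++) {
        # Chrome reads list policies as values named "1", "2", ...
        Set-ItemProperty -Path $allowedKey -Name ($i + 1) -Value $Sites[$i] -Type String
    }
}

function Test-PluginWhitelistPolicy {
    # Returns $true only when plugins are blocked by default and an allow list exists.
    $default = (Get-ItemProperty -Path $chromePolicy -ErrorAction SilentlyContinue).DefaultPluginsSetting
    $entries = @()
    if (Test-Path $allowedKey) {
        $entries = (Get-Item $allowedKey).GetValueNames() | ForEach-Object {
            (Get-ItemProperty -Path $allowedKey -Name $_).$_
        }
    }
    Write-Host "DefaultPluginsSetting = $default (2 means block all)"
    Write-Host "Whitelisted sites     = $($entries -join ', ')"
    return ($default -eq 2 -and $entries.Count -gt 0)
}

Set-PluginWhitelistPolicy -Sites $allowedSites
if (-not (Test-PluginWhitelistPolicy)) { Write-Warning 'Plugin whitelist policy not applied' }
```

Chrome picks up policy changes on restart; chrome://policy shows whether the values were read and flags any it does not recognise.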

      • by jader3rd (2222716)

        How do you lock silverlight to a whitelist?

        In Internet Explorer, just like any other ActiveX control. In the Manage Add-Ons window, select the Add-On you want whitelisted and press "More information". In the information dialog press "Remove All Websites". Then when you are viewing a website that wants to run that add-on a small bar will appear at the bottom of the window asking for permission to run.
        I do this with Flash. It means I have a small bar at the bottom of every website I visit, and I think my whitelist for it at the moment is thedaily

        • Good, informative post. I've been doing this for years on all my boxes with IE installed, but most people don't even know it's possible.
          Note that since IE9, you can also disable/enable ActiveX in general on a per-site basis. Tools -> Safety -> ActiveX filtering to disable it by default. It'll put a little blue icon in end of the address bar when it blocks something; you can click the icon to turn off the filtering for that site only. Less obtrusive than the "do you want to enable <SPECIFIC_ACTIVEX_

  • Perhaps Silverlight has become self-aware and assumes that any upgrade would involve Microsoft trying to kill it off.

  • Netflix? (Score:3, Informative)

    by Anonymous Coward on Tuesday November 19, 2013 @05:11AM (#45461585)

    And this is specific to Netflix users?
    I don't get it.

    • It's always their fault.
      Don't you get it? It doesn't run on Linux.
      • by Lumpy (12016)

        But it does. All BluRay players run linux, and the ones that have netflix.... That's Netflix on Linux. So they are lying bastards when they say they can't do it.

    • by CastrTroy (595695)
      Well, to be fair, it's probably the only reason most people have Silverlight installed. The only other thing I can think of that used Silverlight was when NBC required Silverlight for watching the Olympics, but I think that was back in 2010. I don't know why Netflix doesn't just require some kind of App to be installed. They have one for Windows 8. Sure the browser feature would be nice as a fallback option, but for actually watching shows it would be much better accomplished outside the browser.
    • by Java Pimp (98454)

      It has nothing to do with Netflix specifically. The article is sensationalist FUD. It's like saying Slashdot users are in danger of unknowingly picking up malware because someone found a javascript exploit.

      • by jedidiah (1196)

        The headline is a function of the fact that Silverlight is pretty much irrelevant except for Netflix. Microsoft thought they were going to displace Adobe but it didn't quite work out that way.

        Without the Netflix connection, the common man's reaction to this story would be: "Silverlight? What's that? Why should I care?"

  • by Scarletdown (886459) on Tuesday November 19, 2013 @05:16AM (#45461603) Journal

    Back when I used to be able to stream Netflix (I since changed my account to the 3 DVDs at a time plan instead), I gave Silverlight a try. After Silverlight was installed, my video capture device with WinDVR suddenly stopped working. Suspecting Silverlight was the culprit, I set up the video capture device on a test box, and verified that it worked. Then I installed Silverlight there, and sure enough, no more video capture capability. Removed Silverlight and eradicated all traces of it from the system, and my hardware was once again working properly.

    That was when I invoked the hardware owner's right. The ability for any publisher's software to run on hardware that I own is a privilege, not a right. If your product interferes with the rightful and proper operation of my property, then its privilege to exist on my system is revoked permanently.

    Do not fuck with my hardware or any other software that I have installed, or you will not be permitted to run on any systems under my control, and word of your dipshittery will be passed on to others, so that they can be made aware that your software is malware.

  • Netflix users? (Score:4, Insightful)

    by BringsApples (3418089) on Tuesday November 19, 2013 @05:21AM (#45461615)
    Shouldn't this be Microsoft Windows users? My PS3 isn't going to get malware.
    • by Anonymous Coward

      Not even that, since neither Win RT, Windows Phone, or Xbox users are affected either.

      • by Anonymous Coward

        Not even that, since neither Win RT, Windows Phone, or Xbox users are affected either.

        Neither are any Windows users with Windows Update on. This was auto-patched months ago. The summary blurb about upgrades is just ignorant.

  • As a Roku owner this affects me how? Who uses a PC to view Netflix content? Yes, it's possible, but it's not the best way.
  • by WD (96061) on Tuesday November 19, 2013 @07:43AM (#45462015)

    1) This has nothing to do with Netflix. I am a Netflix user and I suspect that my Roku is not affected by the vulnerability in question.
    2) Silverlight *does* get updated with automatic updates.
    3) The vulnerability in question was fixed in March (MS13-022).

  • This is why I have plugins disabled by default and enabled only for certain "trusted" sites. For Silverlight, the only site that can run it is Netflix. This obviously doesn't protect you if your "trusted" site is compromised, but it does mean that browsing to some random website doesn't automatically infect you.
  • by EmagGeek (574360) on Tuesday November 19, 2013 @08:10AM (#45462107) Journal

    Sorry, but this is just senseless hyperbole. Malware can be picked up from ANY website, but mentioning Netflix by name is just a design at whipping up a senseless panic.

    Fuck you, Slashdot.

  • "Users of Silverlight, Microsoft's answer to Adobe Flash"

    Ah! There's your problem, right there.

    WARNING! both TF And the /. title are nothing more than sensationalism. Nothing in TFA, which is quite brief, specifically says Netflix users are being targeted. Only that Netflix uses silverlight which has a vulnerability. It's like saying "Newgrounds (pretend it's 6+years ago and still relevant) users are in danger of being infected with malware" when it's all users of flash. *BUT* since silverlight and flash are

    • by Desler (1608317)

      Only that Netflix uses silverlight which has a vulnerability.

      That was patched in March via auto update... Unknown Lamer and Timmeh continue to show how the Slashdot "editors" are functional illiterates.

  • There is only one reason I have Silverblight installed on my OS X laptop, and that's the (laggy as fuck) Harmony remote configurator. Since that's the only thing I have which uses that crapware, I have the extension disabled in my web browser unless I'm actually using it.

    The Harmony remote is such a total piece of crap, and that Silverblight configurator crapplet doesn't make it any better. The best part is when I drop it, its batteries bounce and it resets and thinks all devices are off. Fuck you very muc

  • A flaming piece of shit from the word go. I can't stand it and wish Netflix would just go back to the damned Flash player. I have an older machine and can regularly watch Silverlight consume EVERY CPU cycle. It seems to do with network latency - it loses its mind.
  • "You'd think something like Silverlight would automatically upgrade itself."

    As intrusive and time consuming as Microsoft updates are, they damn well better be updating Silverlight, FFS.

  • Seriously, there has to be a better way to down mod articles that make it to the front page. The firehose just doesn't cut it.

  • The problem was with Silverlight, not with Netflix. I think the author's article title is misleading and going to scare a lot of unsavvy Netflix users...

  • This is a perfect example of why I never installed Silverlight. Adobe is sloppy enough with their programming, Microsoft tends to take it to the next level of actually hating their customers so I would love to watch Netflix on my Laptop/Desktop but instead don't. I was shocked to see that they were using Silverlight in that I thought Netflix had good programmers who knew what they were doing.
    • by cbhacking (979169)

      Either the Flash or Java browser plugins have more exploits discovered each year than Silverlight has in its entire existence... and unlike this one (which was patched over half a year ago), many of those get exploited in the wild as 0-days. Microsoft's security stance is (within the last seven years or so) far, far better than that of either Adobe or Oracle (Sun wasn't much better, at least with browser plugins).

      Netflix does, in fact, have a lot of really bright people (don't work there myself, but I know

      • The simple fact is that silverlight increases the attack space while offering me nothing. You still have to have flash (as do the vast majority) installed in order to access quite a bit of content but this is in a nice decline with HTML5, Java browser plugins are basically dead with just a few fools stuck with legacy code that they are required to use.

        Plus I don't trust MS one iota. I don't have MS anything installed on any of my machines. Presently I use Mac and would love to dump even that OS but I too
  • Doesn't Silverlight require the computer to be infected with Windows?
  • by Lumpy (12016)

    People still use netflix on a computer? Do these people not own TVs or tablets?

  • Did Timothy cover Unknown Lamer's shift, using Unknown Lamer's account?
