TechTarget shares an informative article on key best practices for keeping Silverlight users safe. These include staying on the latest version, deploying patches promptly, avoiding potentially malicious sites, and user security awareness. Those safety tips apply universally to almost all software products.

http://searchsecurity.techtarget.com/tip/Silverlight-security-Defending-against-browser-plug-in-attacks

The Silverlight browser plug-in is Microsoft’s answer to Adobe Flash. Although it’s nowhere near as well-known, Silverlight is used by Netflix for its instant video streaming service. Until recently, Silverlight has escaped the attention of hackers who have focused on more common browser plug-ins like Java, Flash and Adobe’s Acrobat Reader. However, now that it has been successfully exploited, Silverlight is increasingly becoming an attack vector for those looking to infect and compromise users’ computers.

There are many similarities between Java and Silverlight. Both run by default in a low-privilege sandbox that restricts access to the device’s file system and other system resources, so any attack must be able to break out of the sandbox to be viable. Security researchers have noticed that exploit kits such as Fiesta, Nuclear, RIG and Angler — which in the past mainly targeted Java-based exploits — now include attacks that target vulnerabilities in Silverlight.

The attacks typically rely on luring a user to a hacker-controlled website, checking whether their device has Silverlight installed, and then attempting to exploit a vulnerability to infect the victim’s system. These drive-by attacks are also used to exploit vulnerabilities in other browser plug-ins.

The frustrating thing is that many of these attacks take advantage of vulnerabilities for which vendors have already issued patches. As always, enterprises need to ensure that their users’ operating systems and application software are kept up to date and that devices are not left running older versions any longer than absolutely necessary. Administrators should configure the Silverlight auto-updater for all network users and prevent users from changing the update settings. If Silverlight is not deemed essential in your enterprise, the plug-in could be banned outright.

Before an attack can even exploit a Silverlight vulnerability, the hacker has to trick a user into visiting a webpage that is hosting the attack code, typically by getting them to click a link in an email or instant message that takes them to the malicious page. Enterprises must reinforce the message of not clicking on links from unknown sources; this remains a very important aspect of security awareness training.