"Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft's life cycle schedule suggests Silverlight 5 will be supported through October, 2021," says the report.
Current malware attacks "use a Silverlight file to trigger the same CVE-2013-3896 vulnerability, but packages the exploit differently and attempts obfuscation through AES encryption." The CVE-2013-3896 vulnerability was already patched four months ago, but a majority of users have outdated Silverlight installs. Silverlight, unlike many Microsoft products, does not self-update.
Source: Electronista