Cyber Risk Report

December 7–13, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity remained at increased levels during the time period. Activity was highlighted by vendor advisories from Microsoft, Adobe, HP, Sun, and Red Hat.

The Microsoft security bulletin release for December 2009 included six bulletins, three of which Microsoft rated as Critical and three that were rated Important. The Cumulative Update for Internet Explorer was the most significant release, as it corrected a cascading style sheet vulnerability for which proof-of-concept code was publicly available. Diligence in maintaining current patch levels and secure browser configurations remains critical to mitigate the current trends of exploiting users through drive-by attacks and other user-based exploits. Vulnerabilities in Adobe products and Java environments have also been popular targets for exploitation. Adobe, Sun, and Red Hat all released updates during this period; administrators are advised to deploy these quickly to mitigate future attacks.

HP released multiple updates for HP OpenView Network Node Manager to correct vulnerabilities that could allow attackers to take control of these monitoring and management systems. The sensitivity of the information held on such systems should raise the priority of applying these updates and preventing compromise.

The Opachki trojan also continues to highlight threat activity for this time period. This trojan targets user search information and redirects users to malicious or compromised websites to further compromise systems. The sporadic activity levels associated with Opachki indicate that it continues to spread and evade detection.

Cisco released the Cisco 2009 Annual Security Report on December 8, 2009. The report includes information about 2009 global threats and trends, as well as security recommendations for 2010.

IntelliShield published 156 events last week: 65 new events and 91 updated events. Of the 156 events, 135 were Vulnerability Alerts, six were Security Activity Bulletins, eight were Security Issue Alerts, two were Threat Outbreak Alerts, one was a Malicious Code alert, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        12/11/2009    11       36     41
Thursday      12/10/2009    11       12     23
Wednesday     12/09/2009    16       16     32
Tuesday       12/08/2009    19       13     32
Monday        12/07/2009     8       14     22
Weekly Total                65       91    156

Significant Alerts for December 7–13, 2009

Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 5, December 10, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available. Microsoft has released security bulletin MS09-072 addressing this vulnerability.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 19, December 11, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3

Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 12, November 5, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.

Physical

United States Transportation Security Administration Posts Airport Screening Procedures on Internet

During the time period, the United States (U.S.) Transportation Security Administration (TSA) inadvertently published its airport screening procedures to the Internet. Although sensitive material in the PDF document was covered by blocks of black fill, an individual could copy and paste the covered sections into a word processor to recover the hidden text. The TSA promptly removed the document from the Internet; however, because copies had been cached, it remained available to users for some time.

IntelliShield Analysis: The TSA has stated that the document was outdated and would be of minimal use to those trying to circumvent airport procedures. However, even a draft of airport screening procedures could provide malicious individuals with useful information, including passports that automatically trigger a secondary screening, tolerance settings of the metal detectors, and items that pass screening without problems. In response, the U.S. National Security Agency (NSA) reminded government agencies to refer to published guidance on preparing redacted documents for public release. All organizations should consider adopting these practices to remove sensitive information, prior versions, comments, and tracked changes from documents that will be published on the Internet.
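A defender's check for the failure mode just described, added here as an example and not part of the original report: it scans an uncompressed PDF page content stream for text-showing operators whose origin lies under a filled rectangle, which is exactly the text a reader can still copy out from under a black box. The content stream is constructed for the example; real documents usually store streams FlateDecode-compressed, so they would have to be inflated (for instance with zlib) before this check is applied.

```python
import re

# Constructed sample page content stream (not from the TSA document), modelling
# the failure mode above: text is drawn with Td/Tj, then a black rectangle is
# filled over it. The glyphs are hidden on screen but remain in the file.
SAMPLE_STREAM = b"""
BT /F1 12 Tf 72 700 Td (Section 1: general screening) Tj ET
BT /F1 12 Tf 72 680 Td (Detector tolerance: CONSTRUCTED-VALUE) Tj ET
0 0 0 rg 70 676 300 16 re f
BT /F1 12 Tf 72 660 Td (Public paragraph) Tj ET
"""

NUM = rb"(-?\d+(?:\.\d+)?)"
RECT_RE = re.compile(rb"\s+".join([NUM] * 4) + rb"\s+re\s+f\b")   # x y w h re f
TEXT_OBJ_RE = re.compile(rb"\bBT\b(.*?)\bET\b", re.S)             # one text object
TD_RE = re.compile(NUM + rb"\s+" + NUM + rb"\s+Td\b")             # relative move
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj\b")                          # show string

def filled_rects(stream: bytes) -> list:
    """(x, y, w, h) of every filled rectangle, regardless of fill colour."""
    return [tuple(float(v) for v in m.groups()) for m in RECT_RE.finditer(stream)]

def text_runs(stream: bytes) -> list:
    """(x, y, text) for each shown string, positioned by the Td moves before it."""
    runs = []
    for obj in TEXT_OBJ_RE.finditer(stream):
        body = obj.group(1)
        x = y = 0.0          # text matrix starts at the origin in each BT block
        events = [(m.start(), "td", m) for m in TD_RE.finditer(body)]
        events += [(m.start(), "tj", m) for m in TJ_RE.finditer(body)]
        for _, kind, m in sorted(events, key=lambda e: e[0]):
            if kind == "td":
                x += float(m.group(1))
                y += float(m.group(2))
            else:
                runs.append((x, y, m.group(1).decode("latin-1")))
    return runs

def covered_text(stream: bytes) -> list:
    """Strings whose origin lies inside a filled rectangle: hidden visually but
    still extractable by copy-and-paste. Conservative: ignores draw order and
    tests only the string's start point, so a run starting outside a box is missed."""
    rects = filled_rects(stream)
    return [text for x, y, text in text_runs(stream)
            if any(rx <= x <= rx + rw and ry <= y <= ry + rh for rx, ry, rw, rh in rects)]

if __name__ == "__main__":
    for hit in covered_text(SAMPLE_STREAM):
        print("text remains under a filled box:", hit)
```

A clean redaction leaves no hit: the covered string is removed from the stream, not merely painted over.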

Legal

United States Federal Data Accountability Trust Act Passes House

United States (U.S.) House of Representatives bill 2221, also known as the "Data Accountability and Trust Act," recently became the first data breach notification bill to be passed by a chamber of the U.S. Congress. Data breach notification legislation has been common at the state level, but this is the first such bill to pass the U.S. House of Representatives. Although the bill has many similarities to those passed by individual states, it does not affect organizations outside the jurisdiction of the Federal Trade Commission (FTC).

IntelliShield Analysis: Numerous U.S. states have made efforts to curb the issue of data loss, but large-scale breaches and losses continue to occur. Although the U.S. federal government's recent focus on protection and loss of Personally Identifiable Information (PII) brings attention to the issue, sections of the new bill (for example, the provision for encryption) may not be acceptable to all parties involved in end-to-end networking. In addition, it is imperative that this federal legislation legally and judicially coexist with state-level legislation so as not to allow loopholes through which guilty organizations can escape.

Trust

Real-Time Search Results Pressure User Security

Google recently began to include real-time results for searches on popular topics. As a result, search engine queries can present users with microblogging results from services like Twitter or FriendFeed, as well as traditional sources like blogs and web pages, within moments of their publication. Google describes this as a natural evolution of search, bringing users together with the content they are looking for as soon as it becomes available. Others argue that such a narrow window will strain filtering capabilities and allow attackers to capitalize on instant trends, such as tragedies or controversial celebrity news, to take advantage of victims.

IntelliShield Analysis: Spammers and malware mass-distributors have demonstrated an ability to leverage trends as prime opportunities to poison search engine results and victimize individuals who are interested in emerging topics. Users who are inundated with up-to-the-second content could find that psychological defenses like skepticism are shortcut as they become overwhelmed with updated information. Search features on microblogging sites have provided similar functionality in the past; Google is simply integrating this kind of search into traditional results pages. Organizations are advised to consider the decreasing delay between content publication and user access and ensure that security awareness programs and technical solutions are prepared to defend against threats that are present in these information delivery advancements.

Identity

There was no significant activity in this category during the time period.

Human

Facebook Simplifies Privacy Options

Facebook recently introduced new privacy settings that will allow users to control who is able to view their posted items. Users will be prompted and required to complete the privacy setup the first time they log in after the change takes place. Although these modifications will include additional privacy settings with much more granular and customizable controls, many privacy advocates are concerned that, if left unchanged, privacy options will default to the most open settings.

IntelliShield Analysis: One of the concerns with Facebook's new privacy policy is that many individuals will disregard it. Reports indicate that many users accept friend requests even when the requester is a complete stranger. When the new privacy page is displayed for the first time, all privacy options will default to allowing every Facebook user to view a user's page and information. Many privacy advocates are alarmed by the upcoming change, and Internet marketers are anticipating access to the personal information on newly accessible pages. IntelliShield recommends that all Facebook users take the time to understand each option under the privacy settings and complete the setup carefully. Organizations with users and a business presence on Facebook should also review the privacy policies and assist their employees with recommendations to protect their personal information.

Geopolitical

Implications of Climate Change Legislation

As the international climate change summit in Copenhagen, Denmark, comes to a close, technology companies are determining the business impact of any resulting international agreements. With more than 100 heads of state at the summit, including United States President Barack Obama, press reports indicate that a politically binding agreement is likely to be signed. Without a legally binding treaty, however, the primary issue before technology companies may be prolonged uncertainty about future power costs. For the European Union and Japan, whose economic recoveries are lagging, their established lead in green technologies may provide a welcome economic boost if world leaders agree to encourage private industry to cooperate in sharing green technology.

IntelliShield Analysis: For the electricity-intensive technology industry, the impact of near-term climate change policies primarily involves rising energy costs and uncertainty about the new cost of carbon. Longer term, as the cost of travel rises, offsetting business reliance on high-bandwidth data, video, and conferencing technologies may result in greater scrutiny and more robust oversight of network security. While signaling higher energy costs in the short term, cap-and-trade legislation may spur renewable energy, smart energy allocation technologies, and green technology solutions. Technology companies may rush green solutions to market without fully considering their security. In terms of global trade, climate change issues may foster divisiveness, given that sacrifices made by one nation provide little or no direct benefit, whereas failure to make difficult choices damages the offending country no more than any other. Already, there is talk of legislation that would allow the U.S. to increase taxes on imports from countries that are not making sufficient progress on controlling carbon emissions. Green technology transfer requirements from rich to poor countries are also expected to emerge and create new challenges for the protection of intellectual property.

Upcoming Security Activity

Black Hat DC: January 31–February 3, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Copenhagen Climate Change Summit: December 7–18, 2009
Hanukkah: December 11, 2009
Christmas: December 25, 2009
New Year's Day: January 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.