Cyber Risk Report

June 14–20, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity for this period was consistent with previous periods. Highlights for the period include a second Apple security release in two weeks. Last period Apple released a large update and a new version of Safari. This period Apple released a large update for Mac OS X that corrected 23 vulnerabilities and an updated version of iTunes. Similarly following last week’s update for Adobe Flash, this week Adobe released an update that corrects an additional Flash vulnerability. Adobe has announced that they will release additional updates next period for vulnerabilities in Reader and Acrobat.

A vulnerability in Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability reported in IntelliShield alert 20691 continues to see wide-spread media coverage. While many security organizations are expecting a large exploitation of this venerability, the actual numbers of identified exploits continues to remain very low. Following the June 10, 2010 Microsoft update, organizations should continue to follow their normal Microsoft monthly update responses for this vulnerability.

Cisco IronPort Threat Operations Center continues to see elevated levels of malicious spam activity, including false e-mail statements and receipts that include malicious attachments, reported in IntelliShield Threat Outbreak alerts 20748 and 20745. A fairly new type of malicious spam that targets hiring organizations has also emerged. The spam contains a malicious attachment that is presented as a resume document. The spam messages have been reported in IntelliShield Threat Outbreak alert 20712.

Due to the World Cup games, there has been an increased level of activity across the Internet, especially within social networking sites. The activity has increased so much at times that it has caused Twitter to experience several outages. In addition to the activity around the World Cup games, a new round of malicious password reset messages for Facebook has also circulated through e-mail. The spam messages have been reported in IntelliShield Threat Outbreak alert 19875.

Following a rush of pre-orders for the iPhone 4, AT&T reported that customer information on the web site may have been compromised. This incident follows the previously reported issues around the attack launched on the AT&T web sites exposing iPad user information. Orders for the new iPhone 4 have been suspended while the exposure is investigated. Similar to the iPad exposure, reports indicate the information exposed may not have included highly sensitive information such as credit card numbers, but did include some personal information.

IntelliShield published 131 events last week: 45 new events and 86 updated events. Of the 131 events, 87 were Vulnerability Alerts, 15 were Security Activity Bulletins, 11 were Security Issue Alerts, 15 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 06/18/2010 5 24 29
Thursday 06/17/2010 11 6 27
Wednesday 06/16/2010 15 17 32
Tuesday 06/15/2010 6 21 27
Monday 06/14/2010 8 18 26
Weekly Total 45 86 131


Significant Alerts for the Time Period

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 4, June 16, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Microsoft has confirmed this vulnerability in a security advisory; however, updates are not available.

Previous Alerts That Still Represent Significant Risk

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5. Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Windows systems and execute arbitrary code with kernel privileges.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last (J-root) of the 13 root servers will begin serving the DURZ on May 5, 2010.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 58, June 14, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox WOFF Decoder Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available. Microsoft confirmed this vulnerability in a security bulletin and released software updates.


World Cup Striking Security Workers

Security workers and stewards hired to provide services during the World Cup games in South Africa have gone on strike, largely over wages. South African officials called in thousands of regular police officers and in some cases police academy students to fill the positions of the striking workers. Despite the strikes there have been few disruptions to the World Cup activities and few security incidents reported.
Read More

IntelliShield Analysis: Ten days into the World Cup games and despite the strikes, the games and media coverage have continued to be focused on the actual matches. Low levels of malicious activity have been identified by some Internet security organizations, while the levels of non-malicious activity on some social networking sites have caused outages (Twitter) due to surges of activity following popular matches. Gaming officials had contingency plans in place and responded quickly to the strikes, hiring additional forces, to prevent disruptions. At the half-way point, the officials' extensive plans and preparations appear to in place and working, despite a questioning of South Africa's ability to provide a successful event. Monitoring and review of the plans, preparations, and execution, including the extensive use of media, can provide organizations with physical, cyber, and operational lessons learned.


There was no significant activity in this category during the time period.



There was no significant activity in this category during the time period.



There was no significant activity in this category during the time period.



BP Oil Spill Social Networking Incident Response

The continuing oil spill in the Gulf of Mexico and the response from BP has highlighted a shift in the communications and public relations incident response handling. Incident response teams typically include legal, communications, public relations, technical, and management representation. These teams typically have had mitigation plans in place for years, dictating the way an event will be handled, how the event will be messaged, and what forms of communication will be used to send the messages. However, the large use of social networking and instant communication around this particular event (and many other current events) may dictate a need for incident response teams to rethink the way they communicate their messages.
Read More

IntelliShield Analysis: One of the many aspects of this incident is the communications and public relations incident response in social networking media. As millions of people across the globe have shifted to the Internet and social networking sites for news, information, video, and commentary, incident response teams need to review their plans on how they will communicate during an incident. Reviews on the media coverage of the BP spill show that while BP has presented Internet and social network media communications, even purchasing keyword search terms that link to official BP sites, they have been largely overlooked and overwhelmed by contrary opinions and postings. Incident response teams need to consider their organization's Internet and social networking media presence prior to events, and how it can be leveraged during an event.


Iceland to Become Haven for the Outspoken

Last week, Iceland's parliament voted unanimously to support legislation aimed at making the country a haven for freedom of expression. Called the Icelandic Modern Media Initiative, it brings together freedom of speech and whistle-blower protection concepts from several countries into a single law to protect outspoken journalists and other citizens from libel laws around the world. In addition to providing more protections for journalists and sources of sensitive information, the law also allows news organizations around the world to host sensitive content on servers in Iceland where the content—and the Internet Service Provider—will be protected. The genesis of the new law reportedly traces back to an incident during Iceland's financial crisis last year, when a bank in Iceland obtained a last-minute injunction preventing broadcast of a television story featuring a bank document posted on the whistle-blower website WikiLeaks.
Read More
Additional Information
Additional information

IntelliShield Analysis: Regardless of the location of the servers, the new law is unable to provide protection for journalists and bloggers in hostile locations around the world. The law—and its unanimous support in Iceland's parliament—is, however, indicative of an evolving debate over the fundamental issues of privacy, security, and free speech, and the efforts to regulate the borderless electronic environment. The new law highlights the multi-jurisdictional nature of the problem, as do newly-coined terms like libel tourists. For information security professionals, the new law could point to a trend toward basing servers in information safe havens, even if legal actions against the data's publication can be initiated in remote jurisdictions. It may also indicate a growing tendency for the court of public opinion to be more sympathetic to the individual who chooses to go public with data, than to the company that wishes to keep it confidential.

Upcoming Security Activity

Gartner Security & Risk Management Summit: June 21-23, 2010
Cisco Live 2010 (Las Vegas): June 27-July 1, 2010
Black Hat USA (Las Vegas): July 24-29, 2010
DEFCON 18: July 29-August 1, 2010
BSides Las Vegas: July 28-29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1-October 31, 2010
FIFA World Cup (South Africa): June 11-July 11, 2010
G20 Summit (Toronto, Canada): June 26-27, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top