Cyber Risk Report

June 15–21, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity during this period was highlighted by additional large updates from Apple for the iPhone and iPod Touch software, reported in IntelliShield Alert 18537 . The iPhone and iPod Touch updates corrected many of the vulnerabilities that were previously fixed in Mac OS X by Apple Security Update 2009-002. Apple also released a Java update for Mac OS X correcting multiple vulnerabilities.

Cisco Security Intelligence Operations has also identified several new spam messages this week utilizing the social engineering topics of false updates for Microsoft Outlook and Outlook Express, false UPS Delivery Failure messages, false Credit Card Transaction messages, false Wire Transfer messages, and malicious greeting e-card messages. Criminals continue to increase the sophistication and social engineering of these messages in an attempt to trick users into downloading malicious software and compromising their personal and financial information. In addition to updated e-mail filtering to block these malicious messages, users should be made aware of the techniques currently in use to avoid becoming victims.

IntelliShield published 84 events last week: 72 new events and 12 updated events. Of the 84 events, 37 were Vulnerability Alerts, 24 were Security Activity Bulletins, 16 were Threat Outbreak Alerts, two were Malicious Code Alerts, three were Security Issue Alerts, one Applied Mitigation Bulletin, and one Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 06/19/2009 10 5 15
Thursday 06/18/2009 16 5 21
Wednesday 06/17/2009 16 2 18
Tuesday 06/16/2009 20 0 20
Monday 06/15/2009 10 0 10
Weekly Total 72 12 84

Previous Alerts That Still Represent Significant Risk

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 2, June 3, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring. Microsoft has released a tool that will disable QuickTime parsing without requiring manual registry editing.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 5, May 19, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 11, April 24, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.


There was no significant activity in this category during the time period.


Tougher EU Privacy Regulation for Social Networking Sites

The Article 29 Working group, which is a group that advises the European Commission, has stated that it believes tighter rules are needed to protect personal data that may come into the hands of third party developers who work with social networking products like Facebook and Twitter. These third-party groups are being integrated into the social networking products as a way to increase revenue for companies like Facebook and Twitter.
Read More
Additional Information

IntelliShield Analysis: If the European Commission does tighten privacy controls on third-party developers working with Facebook, Twitter and other social networking companies, it could seriously impact the business plans and profits for these companies, making it harder for them to do business in Europe. Privacy advocates welcome the recommendations, stating that individuals need to know who has their personal data and what they are doing with it. Business marketing groups that use social networking sites like Facebook and Twitter for messaging and advertising could also be impacted, depending on the extent of the regulation.


There was no significant activity in this category during the time period.


Obama Administration Plans to Scale Back RealID, Implement PassID

Facing significant pressure from the U.S. States, the Obama administration has taken steps to scale back the controversial RealID program. RealID was a coordinated interstate identification system designed to meet recommendations from the U.S. 9/11 Commission and raise the difficulty of obtaining falsified or multiple IDs from several U.S. States. RealID was scheduled to be implemented in May, 2008, but the deadline was pushed to the end of 2009 because of lagging adoption. As an alternative, the US administration has proposed PassID, whose proponents expect it to ease the requirements and help states adopt identification improvements that are not as strict as those required by RealID. Opponents argue that PassID will not be strong enough to be an effective change. Read more

IntelliShield Analysis: Privacy advocates have long criticized the RealID legislation for creating a national identification system in the United States. Requirements in the program would also have created a database that U.S. States would have to use to research identification applicants. Security concerns around such a widely accessible computer database system were also drawn to attention. A poorly-controlled central identity database could be a ripe target for identity theft, which would in turn be a tragic coincidence for a program aimed at stopping that crime. Alternatively, PassID may not go far enough to provide the security recommended by the 9/11 commission, and is not expected to solve all of the problems that RealID was intended to address. It remains to be seen if PassID or other alternatives can provide enough benefit to justify the costs required, even after scaling back from RealID.


There was no significant activity in this category during the time period.


There was no significant activity in this category during the time period.

Upcoming Security Activity

Cisco Live: June 27–July 2, 2009
21st Annual FIRST Conference: June 28–July 3, 2009
International ISACA Conference: July 19–22, 2009
Black Hat Training and Briefings: July 25–31, 2009
DEFCON: July 31–August 3, 2009
18th USENIX Security Symposium: August 12–15, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
Trial Registration


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top