Cyber Risk Report

December 13–19, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased during the period. Rather than moving quietly into the holidays, when many organizations implement freezes on systems and code, many vendors appear to be closing out their backlog of vulnerabilities and security updates. This period was highlighted by large security updates from Microsoft, SAP, Novell, Sun, RealNetworks and Red Hat.

The Microsoft Security Bulletin Release for December 2010 included 17 bulletins correcting 40 vulnerabilities. While several of the vulnerabilities are rated critical by Microsoft, Cisco Security Intelligence Operations considers the most significant vulnerabilities to be in the Cumulative Security Update for Internet Explorer (MS10-090) bulletin that corrects seven vulnerabilities and in the Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (MS10-091) bulletin that corrects three vulnerabilities. Cisco IntelliShield alerts, Applied Mitigation Bulletins, IPS Signatures, and additional information on the Microsoft Security Bulletin Release for December 2010 are available on the Cisco Security Intelligence Operations website and in the Cisco Event Response.

SAP has reportedly released a total of 525 security notes impacting versions of the Business Suite prior to Business Suite 7. While SAP does not publicly release its security notes, several have already appeared in public sources. Organizations can minimize the number of security updates required by upgrading their systems to Business Suite 7, but will still need to install a small number of individual security updates.

IntelliShield will not publish the Cyber Risk Reports for the weeks of December 26, 2010, or January 2, 2011 due to the holidays.

IntelliShield published 203 events last week: 103 new events and 100 updated events. Of the 203 events, 162 were Vulnerability Alerts, 12 were Security Activity Bulletins, 10 were Security Issue Alerts, 15 were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      12/18/2010           1         1
Friday        12/29/2010     8     5        13
Thursday      12/28/2010    12    32        44
Wednesday     12/27/2010    17    14        31
Tuesday       12/26/2010    47    11        58
Monday        12/25/2010    19    37        56
Weekly Total               103   100       203


Significant Alerts for December 13–19, 2010

Microsoft Internet Explorer Cascading Style Sheets Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21736, Version 4, December 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3962

Functional code that exploits the Microsoft Internet Explorer Cascading Style Sheets processing arbitrary code execution vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Previous Alerts That Still Represent Significant Risk

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 72, December 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available.

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 2, December 13, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed, in conjunction with exploits for a vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344).

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21686, Version 9, December 2, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3654

Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 10, December 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability.

Mozilla Firefox, Thunderbird, and SeaMonkey DOM Object Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21678, Version 5, November 18, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3765

Mozilla has released updated software to address the Firefox, Thunderbird, and SeaMonkey DOM object processing arbitrary code execution vulnerability. Red Hat, CentOS, and FreeBSD have also released security updates to address the vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Office Excel Ghost Record Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21499, Version 5, November 12, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-3242

IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft Office Excel ghost record parsing arbitrary code execution vulnerability.

Adobe Shockwave Player dirapi.dll Module rcsL Chunk Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21649, Version 2, October 29, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3653

Adobe has released an additional security bulletin and updated software to address the Shockwave Player dirapi.dll module rcsL chunk processing arbitrary code execution vulnerability. US-CERT has also released a vulnerability note. Proof-of-concept code that demonstrates code execution is available.

Microsoft Internet Explorer Uninitialized Memory Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21508, Version 2, October 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-3328

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

Adobe Reader and Acrobat CoolType.dll Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 21341, Version 4, October 7, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2883

Adobe Reader and Acrobat versions 9.3.4 and prior and versions 8.2.4 and prior contain a vulnerability that can allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Adobe has acknowledged that exploits for this vulnerability are occurring in the wild. Adobe has confirmed this vulnerability and released updated software. US-CERT has also released a vulnerability note to address this vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

Attacks by "Anonymous" Wikileaks Proponents Not Anonymous

Over the past couple of weeks, a group of vandals known as AnonOps (or Anonymous) has coordinated and incited attacks against websites they deemed unsupportive of Wikileaks and its founder Julian Assange. The group has encouraged others to support this effort using a number of tools, including Twitter, fax, and the now infamous web-based Low Orbit Ion Cannon (LOIC) bot agent. One of the advantages of the LOIC tool, at least in the minds of the vandals launching the attacks, was the anonymity it supposedly provided for the sources of these attacks. It is now evident that this supposed anonymity while using LOIC was based on a false assumption by some participants.

IntelliShield Analysis: The simplicity and apparent anonymity of the tools used to launch these attacks made them particularly attractive to those who wanted to help AnonOps take a stand against those unsympathetic to the efforts of Wikileaks. Fortunately for those expending resources to stifle these attacks, the actual source IP addresses of the attacking machines are transmitted when the LOIC tool is used. Knowledge of this fact should deter many potential vandals from using this tool going forward and will also greatly aid law enforcement in the identification, and hopefully the subsequent prosecution, of those responsible for these attacks. Additionally, businesses whose employees or systems are being used in these attacks can be identified. Organizations are advised to protect themselves from possible liability by monitoring and blocking traffic associated with the attacks.
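The monitoring the analysis recommends can start from the web server's own access log. The following is an added example, not code from the Cisco report or from IntelliShield: it parses constructed Apache/nginx "combined"-format log lines, counts requests per client address in a sliding time window, and flags sources whose rate reaches a threshold. The threshold, window, log format and sample addresses are assumptions chosen for illustration. Rating on the logged source address is sound only because each logged HTTP request rode a completed TCP connection, which is why LOIC-style HTTP floods expose their real sources; the same rule must not be applied to connectionless flood logs, where addresses are trivially forged.

```python
"""Rate-based detection of HTTP flood sources in a web server access log.

Added illustration for the LOIC item above; this is not code from the Cisco
report or from IntelliShield. Assumes the Apache/nginx "combined" log format;
all log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (client_ip, timestamp) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def flood_sources(lines, threshold, window_seconds):
    """Map each client IP to its peak request count within any sliding window of
    `window_seconds`, keeping only clients whose peak reaches `threshold`.

    Lines are expected in chronological order, as a server writes them.
    Counting per source IP is meaningful here because every logged HTTP request
    completed a TCP handshake, so the address cannot have been spoofed; do not
    apply the same logic to UDP or ICMP flood logs, where it can be.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the monitor
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def block_list(flagged):
    """Sorted list of source addresses to hand to a firewall or router ACL."""
    return sorted(flagged)


def _log_line(ip, ts, path):
    """Render one constructed combined-format line (helper for the sample data)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed log: one normal visitor and one client hammering the front page."""
    start = datetime(2010, 12, 15, 10, 0, 0, tzinfo=timezone.utc)
    events = [(start + timedelta(seconds=20 * i), "203.0.113.5", f"/page{i}.html") for i in range(3)]
    events += [(start + timedelta(seconds=10 + 0.2 * i), "198.51.100.77", "/") for i in range(30)]
    events.sort(key=lambda e: e[0])
    lines = [_log_line(ip, ts, path) for ts, ip, path in events]
    lines.insert(5, "this line is not an access-log entry")  # exercise the malformed-line path
    return lines


def run_example(threshold=20, window_seconds=10):
    """Run the detector over the constructed log and report candidates for blocking."""
    flagged = flood_sources(sample_log(), threshold, window_seconds)
    for ip in block_list(flagged):
        print(f"{ip}: peak {flagged[ip]} requests in {window_seconds}s -> candidate for blocking")
    return flagged


if __name__ == "__main__":
    run_example()
```

The output of `block_list` is meant to be reviewed before it reaches a firewall: a shared NAT gateway or corporate proxy can legitimately exceed a naive per-address threshold, so the window and threshold should be tuned against the site's normal traffic, and blocks should expire rather than persist indefinitely.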

Trust

There was no significant activity in this category during the time period.

Identity

The Growing Risk and Regulations for Electronic Medical Records

The U.S. White House has released the President's Council of Advisors on Science and Technology (PCAST) Health Information Technology report. The report includes recommendations on the planned architecture and implementation of Electronic Medical Records (EMR). There has been a marked increase in health care breaches throughout 2010, summarized in the recent Ponemon report.

IntelliShield Analysis: While past years have focused on financial information breaches and threats to credit cards, financial accounts, and personal information, the coming years may bring greater risk from the compromise of personal identification information. The financial industry has consistently been very security conscious and provides legal protections to individuals. The health care industry is far behind the financial industry in security, regulations, and controls on electronic records. The increased risk to medical information may also have a higher impact because this sensitive information cannot be replaced, recovered or insured against: the individual's sensitive personal medical information is permanently exposed. Similarly, attackers have identified weaknesses in electronic medical records and are shifting their focus to this highly sensitive information for exploitation and sale. Organizations and individuals will need to learn to protect this sensitive medical information as carefully and as diligently as they learned to protect their financial information.

Human

U.S. Internet Use Catches Up With Television

A report released this week details the increasing usage of the Internet by Americans. The report from Forrester Research shows Internet usage averaged over all age groups has now pulled equal to the amount of time people spent watching television. The report was broken down into age groups with younger groups preferring the Internet more than television and older groups continuing to prefer television over Internet usage. The report did not break out the time spent watching television content over the Internet.

IntelliShield Analysis: The way that humans communicate has evolved significantly throughout the years. England used to employ the Town Crier to broadcast messages to the public. With wider availability of the printing press, the Town Crier disappeared. Email is supplanting content formerly sent via postal mail. Newspapers are steadily declining in popularity. Television is not immune from the effects of the Internet either. Enterprises that advertise would be well advised to adjust spending to target their markets accurately and to track the media their target audiences prefer.

Geopolitical

Doing Business in China Becomes More Expensive

The latest official government figures show that China's inflation rate has topped 5.1 percent. The rise in prices is an outgrowth of the rapidly improving Chinese economy, which has exacerbated recent shortages of food and fuel by boosting demand, and high levels of liquidity in the country thanks to recent aggressive stimulus measures. Employers are also increasing wages to attract workers away from other companies as the labor pool, particularly for educated technology workers, proves unable to meet demand. In addition, beginning in December, a longstanding exemption from certain maintenance and education taxes enjoyed by foreign firms is expiring. Taken together, these factors make doing business in China more expensive for foreign firms.

IntelliShield Analysis: Because the relative cost increases in China are still moderate, a quick relocation by foreign companies of partners or branch facilities to other, cheaper parts of the world is unlikely. Relocating requires forging new business relationships and bringing new partners up to speed, a costly and time-consuming process, so most companies will resist making that move. Rather, information security professionals are likely to see more subtle consequences, such as employee retention challenges with existing partners as workers look for better salaries. Some companies are complaining that once-responsive IT outsourcers are no longer picking up the phone or answering emails as employees leave for greener pastures, frequently taking valuable IP and company knowledge with them. Ultimately, a leveling of the playing field is good for China and its trading partners in the West, but over the short term, information security professionals may wish to be aware of the shifting balance.

Upcoming Security Activity

Black Hat DC: January 16–19, 2011
RSA Conference 2011: February 14–18, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Muharram: December 7–January 4, 2011
Christmas: December 25, 2010
New Year: January 1, 2010
World Economic Forum Annual Meeting 2011: January 26–30, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.