Cyber Risk Report

July 20–26, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for this period remained at low levels. However, zero-day vulnerabilities in widely used products continued to be reported and exploited, including the Microsoft ActiveX vulnerabilities described in IntelliShield Alerts 18595 and 18633 and on the Cisco Security Intelligence Operations Blog. Newly reported vulnerabilities affecting Adobe Reader, Acrobat, Flash Player, and the Adobe download manager are also being actively exploited in the wild. Reports indicate that attackers are delivering the exploits through compromised websites and through targeted phishing messages aimed at executives.

On Friday, July 24, Microsoft published an advance notification of an out-of-band security bulletin release. Microsoft intends to release two security bulletins, one for Visual Studio and one for Internet Explorer, that address a common issue. The Visual Studio bulletin has the potential to affect certain types of applications. The bulletins are scheduled for release at 10:00 a.m. Pacific Time (UTC-7) on Tuesday, July 28, 2009.

Microsoft has filed a lawsuit against multiple organizations and individuals for misusing the Microsoft Live Messenger network, as reported in the Legal section below. IntelliShield Threat Outbreak Alert 18678 gives examples of the spam messages involved.

U.S. Black Hat and DEFCON security conferences are being held this week in Las Vegas, Nevada. These conferences normally include the release of previously unknown vulnerabilities, new exploit tools, and new methods. Security organizations are advised to monitor the proceedings of these conferences for the release of new security information.

IntelliShield published 55 events last week: 30 new events and 25 updated events. Of the 55 events, 35 were Vulnerability Alerts, ten were Security Activity Bulletins, seven were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        07/24/2009     4        2      6
Thursday      07/23/2009     3        2      5
Wednesday     07/22/2009     8       15     23
Tuesday       07/21/2009    11        1     12
Monday        07/20/2009     4        5      9
Weekly Total                30       25     55


Significant Alerts for the Time Period

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 3, July 24, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability exists due to an unspecified error in the Office Web Components ActiveX Control. Reports indicate that exploits of this vulnerability are ongoing.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 8, July 22, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft reported limited, active attacks while no update was available; it has since released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDAV Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.
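The bypass class described above, in which two components decode the same request path differently, can be illustrated with a small checker. The script below is an added example, not Cisco's or Microsoft's code, and its request lines are constructed rather than captured traffic. The widely reported trigger for CVE-2009-1535 was an overlong UTF-8 encoding of "/" (%c0%af) placed in the request path: an authorization check that compares the raw target against a protected prefix does not match, while the component that serves the file decodes the sequence and resolves the path to the protected resource. A strict UTF-8 decoder rejects overlong forms, which is the check a practitioner wants at the edge. The `lenient_decode` and `naive_acl_blocks` functions and the `/protected/` prefix are assumptions made for the example.

```python
"""Flag overlong UTF-8 in percent-encoded request paths.

Added example for the IIS WebDAV Unicode bypass discussed above; not Cisco's
or Microsoft's code. Sample request lines are constructed. The bug class:
an access check applied to the raw request target and a file-serving
component that decodes the target leniently disagree about which resource
is requested.
"""
import posixpath
import re

PROTECTED_PREFIX = "/protected/"          # assumed site layout for the example
PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def pct_decode(target: str) -> bytes:
    """Turn %XX escapes into raw bytes without yet interpreting them as text."""
    return PCT.sub(lambda m: bytes.fromhex(m.group(1).decode()),
                   target.encode("latin-1"))


def strict_decode(raw: bytes):
    """Python's UTF-8 decoder rejects overlong forms such as C0 AF; None if invalid."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def lenient_decode(raw: bytes) -> str:
    """Model a decoder that accepts overlong two-byte forms (lead byte C0 or C1).

    C0 80..C1 BF all map to code points below 0x80, so %c0%af becomes '/'.
    """
    fixed = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            fixed.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(b)
            i += 1
    return fixed.decode("utf-8", errors="replace")


def naive_acl_blocks(target: str) -> bool:
    """The flawed check: compares the raw, undecoded target against the prefix."""
    return target.startswith(PROTECTED_PREFIX)


def analyze_request(request_line: str) -> dict:
    """Compare what the access check sees with what a lenient file layer would open."""
    method, target, _version = request_line.split(" ", 2)
    raw = pct_decode(target)
    strict = strict_decode(raw)
    resolved = posixpath.normpath(lenient_decode(raw))
    blocked = naive_acl_blocks(target)
    return {
        "method": method,
        "target": target,
        "invalid_utf8": strict is None,          # reject such requests at the edge
        "resolved": resolved,                    # what the lenient side would open
        "naive_acl_blocks": blocked,
        "bypass": not blocked and resolved.startswith(PROTECTED_PREFIX),
    }


# Constructed sample lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /protected/secret.zip HTTP/1.1",
    "GET /..%c0%af/protected/secret.zip HTTP/1.1",
    "GET /public/caf%c3%a9.html HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = analyze_request(line)
        verdict = "REJECT (invalid UTF-8)" if r["invalid_utf8"] else "ok"
        print(f"{r['target']:40} -> {r['resolved']:28} bypass={r['bypass']} {verdict}")
```

The second sample line is the one that matters: the naive prefix check passes it because the raw target begins with "/..", yet the lenient decoder turns %c0%af into "/", and path normalization then lands on the protected file. Rejecting any path that fails strict UTF-8 decoding, before any authorization decision is made, closes the whole class rather than the one sequence.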

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0556

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communication methods and begun to download malicious files to infected systems. Conficker has thus changed from malicious code that infects vulnerable systems into an operational botnet. It is expected to continue to infect vulnerable systems, change its command-and-control communication, and download additional malicious files to infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 6, July 15, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-1492

Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided software updates.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 12, June 30, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability and has released software updates.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity. Microsoft has confirmed this vulnerability and has released software updates.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

U.K. Police Raid Birthday Party 'Rave'

Police raided what they believed to be an illegal rave in a field in Devon, United Kingdom. The party had been advertised on Facebook as an "all night" party, which police interpreted as a rave under the local statutes. When the police, a riot van, and a helicopter arrived at the site, they found only 15 people holding a birthday party. The host said he had included the "all night" statement so that guests who had been drinking could stay overnight.

IntelliShield Analysis: This event underscores the risk that security teams run when they act outside clearly defined rules of engagement. All organizations should maintain rules of engagement that dictate the minimum use of force or response required, and they must validate the reported activity through surveillance, reconnaissance, or monitoring before initiating any response. Organizations unfamiliar with social networking sites such as Facebook also risk triggering such a response on little or no supporting evidence. Security teams that violate these rules expose themselves to injury, property damage, legal action, public relations damage, wasted time and effort, and cumulative costs.

Legal

Microsoft Live Messenger Phishing Suit Filed

Microsoft has filed a lawsuit against Funmobile, Mobilefunster and a number of individuals for misusing the Live Messenger Network. The defendants are accused of using phishing tactics to access Microsoft Live Messenger accounts. The suit also claims the defendants collected e-mail addresses from the contact list of compromised users and sent spam e-mails from the compromised Live Messenger accounts to the contacts.

IntelliShield Analysis: Spamming and phishing attacks are nothing new; what is notable here is that Microsoft is suing the phishers and spammers for misusing the Microsoft Live Messenger network. IntelliShield Alert 18678 contains an example of the kind of spam the accused are alleged to have sent to Microsoft Live Messenger users. Some of the messages were crafted to appear as though Microsoft had sent them, and users could be fooled into downloading a supposed fix that infects their system with malicious code. Microsoft is sending a clear message that it will pursue these cases. Should Microsoft win, the precedent could help other organizations defend their operations against spam and phishing attacks more effectively.

Trust

U.S. Black Hat and DEFCON Security Conferences

Black Hat USA 2009 and DEFCON are being held this week in Las Vegas, Nevada. The conferences include multiple training events and presentations, as well as several unofficial side events for attendees that generally focus on more specific topics. They give attendees the opportunity to meet their peers, security vendors, and representatives from security organizations. One of the more interesting side events is the awards for the most over-hyped security events of the previous year.

IntelliShield Analysis: Although some critics claim that security conferences place more emphasis on vendor marketing than on security, there is little room for hype in live presentations of vulnerabilities, exploits, tools, and research before a knowledgeable, technically skilled, and experienced audience. Similarly, events like the annual Pwnie Awards give the security industry an occasion to consider the nominated events and to recalibrate its trust in vulnerability research and reporting with increased due diligence and skepticism.

Identity

University of Washington Software Allows for Time-Limited Access of Encrypted Data

The University of Washington has developed a utility called Vanish that lets users encrypt data and set a time limit after which the encrypted data can no longer be read. Vanish stores the pieces of the encryption key on a BitTorrent Distributed Hash Table (DHT); as the peers holding those pieces leave the network and the DHT discards stored entries over time, the key pieces erode until the key can no longer be reassembled, and the encrypted data becomes practically unrecoverable once the specified period has elapsed. The software is aimed at home users who want to limit how long private e-mail messages or blog, message board, or social networking posts remain readable, so that statements made on the public Internet cannot later be retrieved and used against them.

IntelliShield Analysis: The software could be popular with users who wish to counter the persistence of data on the Internet. By limiting the time that information can be read, users gain some assurance that it cannot be used against them later. However, Vanish may be unsuitable for business environments in which key recovery is a requirement, for example to satisfy regulatory or auditing obligations. The software also relies on BitTorrent networks, which may expose participating systems to other security risks. Note too that although the encryption key is irrevocably lost, the encrypted data itself persists, so an attacker who has retained the ciphertext can still attempt to defeat the encryption; such attacks may require months or years of computing time, but the potential for recovery remains.
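As an added illustration of the mechanism described above (this is not the Vanish code itself): in its published design Vanish splits the key with threshold secret sharing, so that any k of n pieces reconstruct it and fewer than k reveal nothing. The simulation below does the same with Shamir sharing over a prime field, uses an in-memory dictionary standing in for the DHT, and uses a toy SHA-256 keystream standing in for a real cipher. The names `SimulatedDHT`, `vanish_encrypt` and `try_decrypt`, the TTL values, and the sample message are constructed for the example. It shows the three states a practitioner should keep in mind: before the timeout, anyone who can query the DHT can gather enough pieces and read the message; after some peers leave, the message stays readable as long as at least k pieces survive; after the timeout, fewer than k pieces remain, the key is gone, and only the ciphertext persists.

```python
"""Threshold-key "vanishing" data: added illustration, not the Vanish code.

Vanish (as described above) encrypts data, splits the key into pieces and
scatters them over a public DHT; when peers holding the pieces leave and
stored entries time out, the key can no longer be reassembled. This
simulation uses Shamir secret sharing over GF(p) for the split, an
in-memory dictionary standing in for the DHT, and a toy keystream in place
of a real cipher. The DHT model, TTL values and sample message are constructed.
"""
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime; any 32-byte key is a field element


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, n: int, k: int):
    """Return n points (x, y) of a random degree k-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0; the caller supplies at least k distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for a real cipher (e.g. AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class SimulatedDHT:
    """Stand-in for the public DHT: anyone can read it, and entries expire."""

    def __init__(self):
        self.entries = {}  # (object_id, share_index) -> (share_value, expires_at)

    def put(self, object_id, index, value, expires_at):
        self.entries[(object_id, index)] = (value, expires_at)

    def get_shares(self, object_id, now):
        """Every piece still stored and not yet timed out; no access control."""
        return [(idx, val) for (oid, idx), (val, exp) in self.entries.items()
                if oid == object_id and now < exp]

    def peer_left(self, object_id, index):
        """Churn: the peer holding this piece went away before the timeout."""
        self.entries.pop((object_id, index), None)


def vanish_encrypt(plaintext: bytes, dht, now, ttl, n=5, k=3):
    """Encrypt under a fresh key, scatter k-of-n key shares into the DHT, keep no key."""
    key = secrets.token_bytes(32)
    object_id = secrets.token_hex(8)
    for x, y in split_secret(int.from_bytes(key, "big"), n, k):
        dht.put(object_id, x, y, now + ttl)
    return {"object_id": object_id, "k": k, "ciphertext": keystream_xor(key, plaintext)}


def try_decrypt(blob, dht, now):
    """Return the plaintext if at least k shares are still retrievable, else None."""
    shares = dht.get_shares(blob["object_id"], now)
    if len(shares) < blob["k"]:
        return None  # key is gone for good; the ciphertext still exists, though
    key = recover_secret(shares[:blob["k"]]).to_bytes(32, "big")
    return keystream_xor(key, blob["ciphertext"])


if __name__ == "__main__":
    dht = SimulatedDHT()
    blob = vanish_encrypt(b"constructed sample message", dht, now=0, ttl=8)
    print(try_decrypt(blob, dht, now=1))   # readable by anyone who queries the DHT now
    dht.peer_left(blob["object_id"], 1)
    dht.peer_left(blob["object_id"], 2)
    print(try_decrypt(blob, dht, now=2))   # 3 of 5 pieces survive: still readable
    print(try_decrypt(blob, dht, now=9))   # timed out: None, yet blob["ciphertext"] persists
```

Two design points carry over to the real system. The `get_shares` method has no access control because a public DHT has none: the secrecy window is bounded entirely by the timeout, and a party who copies the shares before expiry holds the key forever. And `try_decrypt` returning None does not destroy `blob["ciphertext"]`; the only thing the mechanism removes is the key, which is why the analysis above notes that the encrypted data itself remains exposed to future attacks on the cipher.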

Human

U.S. Unable to Fill Critical Network Security Positions

A recent report indicates that the United States cannot adequately defend its networks against attacks from hackers, criminals, terrorists, and foreign governments until it improves the quality of its "cyber security work force." Unless the U.S. begins to adequately train and then hire candidates with the necessary network security skills, the country's cyber security posture will remain at risk.

IntelliShield Analysis: In the U.S. and several other countries, there has been a shortage of qualified candidates for positions in Information Technology (IT). Although efforts to heighten interest in IT careers through various programs in the educational system continue, they have not been sufficient to increase either the quantity or the quality of candidates for available network security positions. With the renewed vigor to strengthen national cyber security in many countries, governments must also place additional emphasis on preparing more highly educated and skilled candidates for the field of network security.

Geopolitical

India Defense Budget Jumps by 25 Percent

The government of India has announced plans to boost defense spending 25 percent next year, to almost US$30 billion. In related news, the United States last week signed a bilateral agreement for defense cooperation, raising hopes for billions of dollars in sales of military equipment and nuclear technology to India. A Science and Technology Agreement will allow satellites that contain U.S. components to be launched on Indian space launch vehicles. The agreement will intensify industry competition for the fast-growing Indian defense market at a time when India, along with China, is likely to outperform most other markets through 2010.

IntelliShield Analysis: Although the U.S. remains the world's biggest defense spender, followed by China, the boost in Indian spending reflects the shifting balance of the defense market away from U.S. dominance. It also reflects India's heightened interest in defense beyond its border issues with Pakistan, to include homeland security response to terrorism and the need to protect increasingly vital sea lanes in the Indian Ocean. This represents both an opportunity for defense companies and a challenge, as non-Indian companies must navigate complex foreign investment regulations, domestic export control laws, offsets, and end-use restrictions. This tangle of regulations is increasingly important for information security professionals as more emphasis than ever is placed on the security of sophisticated communications networks.

Upcoming Security Activity

Black Hat USA Training and Briefings: July 25–30, 2009
DEFCON 17: July 30–August 2, 2009
18th USENIX Security Symposium: August 12–15, 2009
ASIS International 55th Annual Seminar & Exhibits: September 21–24, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.