Cyber Risk Report

March 7–13, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased during the period. Highlights of the period included the Microsoft Security Bulletins for March 2011, updates for VMware, a new Linux Kernel version with security updates from Kernel.org, and large security updates for multiple Apple products.

Microsoft released three security bulletins for March 2011. The most significant of these is likely the Microsoft Windows DVR-MS File Handling Arbitrary Code Execution Vulnerability, reported in IntelliShield alert 22551. Full details of the release are available on the Cisco Security Intelligence Operations website and in the Cisco Event Response: Microsoft Security Bulletin Release for March 2011.

Apple released security updates for iOS, OS X, Safari, and iTunes to correct multiple vulnerabilities. The majority of these updates are for Java security vulnerabilities.

The CanSecWest security conference and Pwn2Own hacking contest ended with the expected results: several browsers were exploited within minutes, as were multiple smartphones. The details of these exploits will likely result in another round of vendor security updates, as well as new exploits and updates for attack tools.

The United States National Collegiate Athletic Association (NCAA) basketball tournament begins this week and runs through April 4, 2011. Every year the tournament brings multiple websites offering streaming video of the games, as well as online gambling activity that surpasses that of the Super Bowl. Organizations should consider reminding users of security policies, enforcing security procedures, and monitoring bandwidth for high levels of streaming activity that may need to be limited.

IntelliShield published 135 events last week: 43 new events and 92 updated events. Of the 135 events, 102 were Vulnerability Alerts, six were Security Activity Bulletins, 12 were Security Issue Alerts, 12 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        03/11/2011    15       13     28
Thursday      03/10/2011    11       16     27
Wednesday     03/09/2011     3       47     50
Tuesday       03/08/2011    10       11     21
Monday        03/07/2011     4        5      9
Weekly Total                43       92    135


Significant Alerts for March 7–13, 2011

Multiple Apple Products Security Update on March 2, 2011
IntelliShield Vulnerability Alert 22583, Version 2, March 10, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Apple has released security notifications and updated software to address multiple vulnerabilities in Apple products.

Previous Alerts That Still Represent Significant Risk

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 13, March 9, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability. Kernel.org has released a changelog and updated software.

Oracle Critical Patch Update for February 2011
IntelliShield Vulnerability Alert 22466, Version 3, March 9, 2011
Urgency/Credibility/Severity Rating: 3/5/4
Multiple CVEs

Oracle has released the February 2011 Critical Patch Update: Oracle Java SE and Java for Business Critical Patch Advisory for multiple products. The update contains 21 new security fixes that address multiple Oracle product families on Windows, Solaris, and Linux operating systems.

ISC BIND IXFR Transfer or DDNS Update Denial of Service Vulnerability
IntelliShield Vulnerability Alert 22512, Version 1, February 23, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0414

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22180, Version 4, February 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3970

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 2, January 31, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-0096

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available.

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 4, January 28, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that could allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed in conjunction with exploits for the vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21686, Version 10, January 19, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3654

Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability. Sun has released a security notification and patches.

Oracle Critical Patch Update January 2011
IntelliShield Security Activity Bulletin 22251, Version 1, January 18, 2011
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the January 2011 Critical Patch Update Advisory for multiple products. The update contains 67 new security fixes that address multiple Oracle product families. IntelliShield has released multiple significant individual vulnerability alerts from the January CPU.

Mozilla Firefox, Thunderbird, and SeaMonkey DOM Object Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21678, Version 6, January 10, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3765

Mozilla has released updated software to address the Firefox, Thunderbird, and SeaMonkey DOM object processing arbitrary code execution vulnerability. Red Hat, CentOS, and FreeBSD have also released security updates to address the vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 72, December 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available.
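One way to check a handshake for the RFC 5746 fix, as an added example that is not part of the original report or of any vendor's code: the parser below reads a single TLS record carrying a ClientHello or ServerHello and reports whether the peer signalled secure renegotiation, either through the renegotiation_info extension (type 0xff01) or, in a ClientHello, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00ff). The two build_* helpers are assumptions added only to construct sample messages for testing; in practice the record bytes would come from a packet capture or a socket.

```python
"""Detect the RFC 5746 secure-renegotiation signals in a TLS hello message.

A ServerHello that carries no renegotiation_info extension (0xff01) cannot
bind a renegotiated handshake to the original one; if that server still
permits renegotiation, it is exposed to the CVE-2009-3555 man-in-the-middle.
"""
import struct

RENEGOTIATION_INFO = 0xFF01            # extension type, RFC 5746 section 3.2
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite, RFC 5746 section 3.3
HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2


def _parse_extensions(buf):
    """Return {ext_type: data} for a length-prefixed TLS extensions block."""
    if not buf:
        return {}
    (ext_len,) = struct.unpack("!H", buf[:2])
    body, pos, exts = buf[2:2 + ext_len], 0, {}
    while pos + 4 <= len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def parse_hello(record):
    """Parse one TLS record holding a ClientHello or ServerHello.

    Returns a dict with 'type', 'version', 'cipher_suites', 'extensions' and
    'secure_renegotiation' (True when the peer signalled RFC 5746 support).
    """
    ctype, ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    htype = hs[0]
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    pos = 2 + 32                        # legacy version + 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                  # session_id vector
    if htype == SERVER_HELLO:
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
        pos += 2 + 1                    # chosen cipher_suite + compression_method
    elif htype == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0]
                  for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]            # compression_methods vector
    else:
        raise ValueError("not a hello message")
    exts = _parse_extensions(body[pos:])
    secure = RENEGOTIATION_INFO in exts or (
        htype == CLIENT_HELLO and EMPTY_RENEGOTIATION_INFO_SCSV in suites)
    return {"type": htype, "version": ver, "cipher_suites": suites,
            "extensions": exts, "secure_renegotiation": secure}


# --- constructed sample messages (assumed helpers, not real traffic) ---------

def build_server_hello(cipher_suite, secure_renegotiation):
    """Constructed TLS 1.0 ServerHello with an empty session id."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!HB", cipher_suite, 0)
    if secure_renegotiation:
        # renegotiation_info with an empty renegotiated_connection (initial handshake)
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def build_client_hello(cipher_suites, with_scsv):
    """Constructed TLS 1.0 ClientHello, optionally ending its suite list with the SCSV."""
    suites = list(cipher_suites) + ([EMPTY_RENEGOTIATION_INFO_SCSV] if with_scsv else [])
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    for label, rec in (("patched server", build_server_hello(0x002F, True)),
                       ("unpatched server", build_server_hello(0x002F, False)),
                       ("client with SCSV", build_client_hello([0x002F, 0x0035], True))):
        print(label, "->", parse_hello(rec)["secure_renegotiation"])
```

A ServerHello without renegotiation_info means the server either has not been patched or has RFC 5746 turned off; unless it also refuses renegotiation outright, treat it as exposed to the attack described above. The parser only reports the signal, not whether renegotiation is allowed, so pair it with a live renegotiation attempt (for example, `openssl s_client` and typing `R` at the prompt) when the host is reachable.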

Microsoft Internet Explorer Cascading Style Sheets Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21736, Version 4, December 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3962

Functional code that exploits the Microsoft Internet Explorer Cascading Style Sheets processing arbitrary code execution vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Physical

Japan Hit By 8.9-Magnitude Earthquake

The 8.9-magnitude earthquake and the tsunami that followed it have left thousands dead or missing in Japan and severely disrupted the world's third-largest economy. Damage is still being assessed, but multiple technology companies in Japan have halted production, supply chains for numerous products have been disrupted or damaged, the economic impact has sent most world trading markets lower, and Japan continues to try to contain the damage to the Fukushima Daiichi nuclear power plant. The earthquake was so strong that it reportedly widened the Japanese island by eight inches, shifted the Earth's axis by four inches, and triggered volcanic eruptions in Kamchatka (eastern Russia) and Indonesia.

IntelliShield Analysis: A telling quote came from Kevin Martin, lead scientist at TheWeatherSpace.com: "Waves from the earthquake have been ringing the planet like a bell." Markets and technology production are likely to be affected for an extended time. Surprisingly, while most telecommunications services were disrupted, the Internet remained up for most of Japan during and after the earthquake. Japan is one of the best-prepared countries for earthquakes, and the final reviews and reports of this event are likely to yield many lessons learned.

Legal

Data Breach Costs Up Five Percent in United States

According to the recently released sixth annual Cost of a Data Breach study by the Ponemon Institute, the cost of a data breach in the United States rose five percent in 2010, to US$214 per compromised record. The study also reported that the causes of data breaches remained consistent with previous years, with negligence accounting for 41 percent of breaches. Breaches caused by criminal and malicious attacks showed the largest increase in 2010 and were the most expensive, at US$318 per record.

IntelliShield Analysis: This report has several interesting points for IT and risk managers to consider. Beyond the cost of remediating the breached systems themselves, most of the cost comes from legal fees, public and customer relations, and lost business. For security organizations trying to demonstrate a return on investment, the report shows that relatively small investments in security improvements can prevent thousands of dollars in costs to respond to a single security event.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

China’s New Growth Plan Prioritizes Technology and Sustainability

At China's annual People's Congress last week, Premier Wen Jiabao presented the country's new five-year economic growth plan (2011–2015). The plan dials back the economic growth target slightly, from 7.5 percent to about 7 percent, and puts greater emphasis on sustainability, correcting wealth imbalances, and boosting domestic demand. It lays out priorities for strengthening domestic capabilities in seven strategic industries, including next-generation information technology, green technologies, biotechnology, new materials and energy, and energy-efficient automobiles. Like the previous five-year plan, it calls for continued emphasis on globalizing Chinese companies through mergers and acquisitions, increasing the share of GDP earned from value-added products, and developing more broadly recognized, globally competitive Chinese brands.

IntelliShield Analysis: For multinational technology companies looking for clues to trends in China's technology sector, Wen's speech confirms China's intent to become a major global technology competitor. Plans to boost domestic demand by improving social safety nets and raising tax thresholds, together with expansive investment plans, promise tempting foreign business opportunities. Information security specialists tasked with protecting intellectual property wherever their management decides to do business will welcome the plans to improve intellectual property protections, a renewed corruption crackdown, and plans to enforce existing laws more aggressively. At the same time, they may want to keep a close eye on the local content requirements and technology transfer requests that accompany many partnerships and acquisitions.

Upcoming Security Activity

Black Hat Europe: March 15–18, 2011
CiscoLive Melbourne: March 28–31, 2011
CiscoLive Bahrain: Postponed
InterOp Las Vegas: May 8–12, 2011
HITBSecConf2011 Amsterdam: May 17–20, 2011
23rd Annual FIRST Conference, Vienna, Austria: June 12–17, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

US NCAA Tournament: March 15–April 4, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.