Cyber Risk Report

November 5–11, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased for the period, with multiple advisories and software updates for widely used applications. Adobe released an update for Flash Player and AIR correcting multiple vulnerabilities, while reports discussed a possible zero-day vulnerability in the latest versions of Adobe Reader circulating in underground channels. Google released an update correcting multiple vulnerabilities in Chrome, which also included the release of Do Not Track functionality. In addition, Apple released an update for QuickTime for Windows that corrects multiple vulnerabilities. All of these applications are installed on large numbers of end-user systems and are frequently targeted by attackers and criminals, so the updates should be applied promptly.

Cisco released two security advisories, one for a Cisco Secure Access Control System TACACS+ Authentication Bypass Vulnerability and one for Multiple Cisco IronPort Appliances Sophos Threat Engine Vulnerabilities, in addition to a Security Response for Cisco Nexus 1000V Series Switches Software Upgrade Virtual Security Gateway Issues.

VMware released multiple advisories and updates: VMware Workstation and Player Improper Process Thread Permissions Vulnerability, VMware Workstation and Player Insecure Path Handling Vulnerability, OVF Tool Format String Arbitrary Code Execution Vulnerability, and VMware Products Multiple Unspecified ActiveX Control Vulnerabilities. All of these alerts are available on the Cisco SIO portal. VMware also responded to reports of the public posting of VMware ESX source code dating back to 2004; the posting is related to source code that was publicly posted in April 2012.

A Dell Webcam ActiveX Control Buffer Overflow Arbitrary Code Execution Vulnerability was reported. Dell has not confirmed the vulnerability, and no updates are available. Exploit samples observed in the wild allow attackers to start a remote shell on a targeted user's machine, giving the attacker remote access to the vulnerable system. The attacker could use that access to install malicious software or retrieve files from the user's system. Until a vendor fix is available, the usual interim mitigation for a vulnerable ActiveX control is to prevent Internet Explorer from instantiating it by setting the kill bit for the control's class identifier.

A remote code execution vulnerability may affect multiple Symantec products when handling CAB files. Symantec has not confirmed this vulnerability, and updated software is not available. Reports indicate that this vulnerability may be actively exploited in the wild; however, exploit code is not publicly available.

Microsoft released the Advance Notification for November 2012. The announcement reported six security bulletins will be released on November 13, 2012, addressing 19 individual vulnerabilities. The vulnerabilities impact Microsoft Windows, Internet Explorer, Microsoft Office and the .NET Framework.

IntelliShield published 101 events last week: 47 new events and 54 updated events. Of the 101 events, 48 were Vulnerability Alerts, 11 were Security Activity Bulletins, two were Security Issue Alerts, 39 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      11/10/2012     3         0       3
Friday        11/09/2012     7         7      14
Thursday      11/08/2012     5         4       9
Wednesday     11/07/2012    16        15      31
Tuesday       11/06/2012     5        17      22
Monday        11/05/2012    11        11      22
Weekly Total                47        54     101


Significant Alerts for the Time Period

Apple QuickTime for Windows Security Update for Multiple Vulnerabilities
IntelliShield Security Activity Bulletin 27384, Version 1, November 8, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Apple QuickTime for Windows contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code on a targeted system. Updates are available.

Adobe Flash Player and AIR Security Update for November 2012
IntelliShield Security Activity Bulletin 27346, Version 2, November 7, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on a targeted system. This update corrects seven vulnerabilities. Adobe has re-released a security bulletin and updated software.

Google Chrome Channel Updates for November 2012
IntelliShield Security Activity Bulletin 27375, Version 1, November 7, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Google Chrome for Mac, Windows, and Linux contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on a targeted system. Google has released a security update.

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update October 2012
IntelliShield Security Activity Bulletin 27210, Version 4, November 9, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Reports indicate these vulnerabilities are being exploited successfully in the wild. Oracle, Apple, Red Hat and IBM have released security advisories and software updates.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 2, October 4, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 10, October 17, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1182
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of the Samba marshaling code remote code execution vulnerability is publicly available. Samba has confirmed this vulnerability and released updated software. Samba, Apple, FreeBSD, HP, Oracle, and Red Hat have released security advisories. Oracle has re-released a security notification and patches.

Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26751, Version 10, October 19, 2012
Urgency/Credibility/Severity Rating: 4/5/4
CVE-2012-4681
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of the Metasploit Framework. The Blackhole exploit kit is also reported to include an exploit, and multiple threats have been reported targeting this vulnerability. Oracle has confirmed the vulnerability and released software updates. Oracle, Apple, FreeBSD, Red Hat, IBM, and HP have released security advisories and updated software.

Oracle Java Multiple Unspecified Vulnerabilities Update
IntelliShield Security Activity Bulletin 26831, Version 5, October 19, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has also been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked. Oracle, Apple, Red Hat, IBM, and HP have released security advisories and software updates.

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 18, October 12, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, HP, Oracle, MontaVista, IBM, Balabit, and VMware have released security advisories and updates. MontaVista Software has re-released a changelog and updated software.

Microsoft Internet Explorer execCommand Method Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26936, Version 4, September 21, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-4969
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has released Security Bulletin MS12-063 with updated software.

Physical

US District Court: Warrantless Surveillance of Rural Property Permissible

In July 2012, the United States Drug Enforcement Administration (DEA) arrested two individuals for marijuana cultivation and charged them with federal drug offenses. The DEA based its arrest in part on evidence obtained by the warrantless placement of multiple surveillance devices on the 22-acre property owned by one of the defendants in the case. The defendants filed a motion to suppress the evidence on Fourth Amendment grounds, noting that the property had multiple "No Trespassing" signs and was protected by a locked gate. The United States District Court for the Eastern District of Wisconsin sided with the U.S. Department of Justice and denied the motion to suppress, citing the 1984 Supreme Court case "Oliver v. United States", in which the Court held that "The government's intrusion upon open fields is not one of those 'unreasonable searches' proscribed by the Amendment." The court also noted that "Because open fields are accessible to the public and the police in ways that a home, office, or commercial structure would not be, and because fences or 'No Trespassing' signs do not effectively bar the public from viewing open fields, the asserted expectation of privacy in open fields is not one that society recognizes as reasonable."
Read More
Additional Information

IntelliShield Analysis: In this age of increasingly powerful and invasive surveillance technologies, privacy rights are under mounting scrutiny, and technology is rapidly outpacing the legal frameworks that protect those rights. Although the Court has found that "fences or 'No Trespassing' signs do not effectively bar the public from viewing open fields", never before has the public had so many technological means to view "open fields", and never before has the public at large had open access to such widespread satellite and web camera coverage. Businesses and individuals with elevated risk profiles, privacy requirements, or intellectual property or trade secret concerns are advised to review access control measures and policies to ensure that their expectations of privacy are adequately protected from both a technological and a legal perspective.

Legal

There was no significant activity in this category during the time period.

Trust

Full or Responsible Disclosure Impact on the ICS Industry

The recent presentations at the 12th Industrial Control Systems (ICS) Security Conference were heavily affected by vendors pressuring presenters and threatening legal action to prevent the disclosure of vulnerabilities and weaknesses in multiple ICS and SCADA systems. The organizers, vendors, and presenters engaged in heated public debates over this activity and the security problems facing these products and the ICS industry. The debates centered on disclosures related to systems used in nuclear facilities, the security of those facilities, and the potential consequences of disclosing the vulnerabilities.
Read More
Additional Information

IntelliShield Analysis: This is a long-debated topic; although most in the security community practice responsible disclosure, there are certainly those who practice full disclosure. The debate in the case of ICS and SCADA systems is different, in that it potentially includes the disclosure of information that could affect national security and critical infrastructure, and in some cases could have severe physical consequences not only for the operators but potentially for thousands of others. Most in the industry are now aware of the critical situation involving vulnerabilities in ICS systems and the need to address them. In any responsible disclosure practice, vendors must be active participants not only in identifying vulnerabilities but also in correcting them in a timely manner. Here again, as many experts have noted, correcting these vulnerabilities is in some cases no small effort and may require a complete rewrite of the code and the replacement of thousands of devices, yet they must be addressed quickly, safely, and with the cooperation of everyone involved.

Identity

Privacy Guide for Users

Facebook has released a new privacy guide that walks new users step-by-step through the privacy and security settings for their Facebook accounts. The new guide also assists new users in understanding how to protect their privacy while using Facebook posts, photo and video sharing, and connecting with other users. The privacy information is also available to existing users in the Facebook Help Files to further educate those users and update them on changes to the privacy and security settings. The Facebook privacy and security settings have gone through several changes, policy updates, and challenges by users, advocates, and government privacy agencies.
Read More
Additional Information

IntelliShield Analysis: For those who have Facebook accounts, or who have followed the debates, legal cases, and investigations into privacy issues with Facebook and other social media, this user guide is a welcome sign. It indicates not only that social media is finally maturing into commercial products, but also that the social media environments are stabilizing and becoming more responsible in their practices. As businesses continue to address managing the risk around social media use by their employees, they now have a clear and concise user guide for Facebook to reference, educate their users with, and build policies for their employees' use around.

Human

Market Changes in Mobile Devices

Two recent reports show the shifting market involving users and criminal activity with mobile devices. International Data Corporation has released the latest market statistics on user adoption of mobile devices, showing that the Android operating system is surpassing the others in smartphones and tablets. As Android, Apple, Microsoft, and RIM continue to release new products and features, the consumer-driven market continues to shift, as does the criminal activity targeting these devices. Along with the market shift, researchers reported a review of the applications available for Android devices and identified a large number of applications that present a risk around the use of device information, personal information, and GPS data, which can lead to criminal exploitation.
Read More
Additional Information
Additional Information

IntelliShield Analysis: As this market continues to rapidly evolve, consumers are driving both the market and the risks. Companies attempting to address mobile devices and Bring Your Own Device (BYOD) policies need to remain aware of the changes and their impact on their policies and risk assessments. Because this is a primarily consumer-driven market, businesses and organizations will need to continually reevaluate their environments, employees, and business needs to evolve with it. Users and businesses must also remain aware that as the mobile market evolves, criminal activity is moving to exploit the new and growing mobile user base. The growth of Android also brings the old debate of open development versus proprietary software back to the forefront, now in the light of mobile environments. Regardless of your position in that debate, it does change the environment when assessing and managing the associated risk.

Geopolitical

Implications Of A Second Obama Term

U.S. citizens voted for the status quo in general elections last week, reelecting the incumbent President while leaving the party balances in the House of Representatives and the Senate virtually unchanged. Once the polling returns were official, media attention turned quickly to whether Congress would be able to avert a headlong dive over the so-called “fiscal cliff”: deep, automatic spending cuts due in January if a compromise is not reached. The tech world is also watching for signs from the new administration on issues such as visas for skilled IT workers, cyber security guidance, and online privacy legislation.
Read More
Additional Information
Additional Information
Additional Information

IntelliShield Analysis: With pre-election uncertainty cleared up, many information security experts expect the White House to issue an Executive Order on cyber security soon. However, other pressing issues, including the fiscal cliff and the holidays, may put off this action until after the first of the year. It would be a stop-gap measure meant to buy time while a comprehensive bill is drafted; such a bill will have to be re-negotiated after the Senate failed to advance the Cybersecurity Act of 2012 this summer, while the House-passed Cyber Intelligence Sharing and Protection Act (CISPA) remains stalled. In 2013, President Obama has vowed to take up comprehensive immigration reform, which may include an expanded visa program for skilled IT workers. Moreover, along with other new legislation expected on online privacy and copyright protection, the administration may soon announce new Cabinet appointments affecting the U.S. Trade Representative and the Departments of State, Treasury, and Commerce, all with potential implications for information security and international trade.

Upcoming Security Activity

Black Hat Abu Dhabi: December 3-6, 2012
Cisco Live London: January 28-February 1, 2013
RSA Conference 2013: February 25-March 1, 2013
Cisco Live ANZ: March 5-8, 2013
Cisco Live US: June 23-27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

EU Summit: December 13-14, 2012
South Korea Presidential Election: December 19, 2012
World Economic Forum: January 23-27, 2013

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top