October 5–11, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity this week continued to show decreasing levels of vulnerability reporting. Threat activity for the period was highlighted by the compromise of thousands of web email accounts and the arrests of members of an international phishing organization. Also in threat activity for the period, researchers have released details regarding the Null Byte Certificate vulnerability, which can cause unpatched browsers to accept a fake certificate. This vulnerability was originally presented at the Black Hat conference in July 2009, but the technical details of the exploit have only now become public. This vulnerability is being actively exploited and is reported in IntelliShield alert 19167. A vulnerability in Adobe Reader and Acrobat is also being actively exploited in limited and targeted attacks. This vulnerability was reported in IntelliShield alert 19180.
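The Null Byte Certificate issue above turned on how a browser compared a certificate's Common Name with the hostname it was connecting to: code that treated the name as a NUL-terminated C string stopped reading at the first 0x00 byte. The following Python is an added example, not part of the Cisco report, that contrasts that legacy comparison with a length-aware check; the certificate names and hostname are constructed for illustration.

```python
# Added example (not from the Cisco Cyber Risk Report): contrast a
# NUL-terminated (C-string style) Common Name comparison with a
# length-aware one that rejects embedded NUL bytes.

def cn_as_c_string(cn: bytes) -> str:
    """Mimic legacy behaviour: treat the CN as NUL-terminated, so every
    byte after the first 0x00 is silently ignored."""
    return cn.split(b"\x00", 1)[0].decode("ascii", "replace")


def legacy_hostname_match(cn: bytes, hostname: str) -> bool:
    """Flawed comparison: truncates the CN at the first NUL, then compares
    only the surviving prefix with the expected hostname."""
    return cn_as_c_string(cn).lower() == hostname.lower()


def safe_hostname_match(cn: bytes, hostname: str) -> bool:
    """Length-aware comparison: no valid DNS name contains a NUL byte, so an
    embedded NUL is rejected outright, and the full byte sequence must match."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False  # non-ASCII CN: not a plain DNS name, refuse to match
    return name.lower() == hostname.lower()


# Constructed sample values (hypothetical names, not real hosts).
HONEST_CN = b"www.example-bank.test"
CRAFTED_CN = b"www.example-bank.test\x00other.example"  # NUL inside the CN
TARGET_HOST = "www.example-bank.test"


def demo() -> dict:
    """Return how each comparison judges the honest and the crafted CN."""
    return {
        "legacy_accepts_crafted": legacy_hostname_match(CRAFTED_CN, TARGET_HOST),
        "safe_accepts_crafted": safe_hostname_match(CRAFTED_CN, TARGET_HOST),
        "safe_accepts_honest": safe_hostname_match(HONEST_CN, TARGET_HOST),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The same embedded-NUL check is a cheap thing for a certificate inventory or TLS scanner to report on, since a legitimate CA should never issue such a name.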
Adobe announced that it intends to release a patch for this vulnerability on Tuesday, October 13, 2009. Multiple Adobe vulnerabilities have been actively exploited throughout the year. Users are advised to update their Adobe applications using the built-in update features, and to ensure they install the updates that are intended to be released on October 13.

Microsoft has released the Security Bulletin Advance Notification for October. The advance notification bulletin lists 13 security bulletins that are scheduled to be released on Tuesday, October 13, 2009.

IntelliShield published 46 events last week: 24 new events and 22 updated events. Of the 46 events, 35 were Vulnerability Alerts, one was a Malicious Code Alert, five were Security Activity Bulletins, three were Threat Outbreak Alerts, one was a Security Issue Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Microsoft Windows SMB2 Remote Code Execution Vulnerability

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability. Updates are not available, but Microsoft has released an official workaround. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges. Microsoft has confirmed this vulnerability, and updated software is available for some platforms. Safeguards are available.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service (DoS) condition. Proof-of-concept exploit code is publicly available. Kernel.org has confirmed the vulnerability in a changelog and released updated software.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.
Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is being exploited in the wild. Exploit code is publicly available. ISC has confirmed this vulnerability, and updated software is available.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.
Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Physical

There was no significant activity in this category during the time period.

Legal

FTC Seeking Full Disclosure of Product Endorsements by Bloggers

The FTC is implementing new rules to govern product endorsements made by bloggers on the web. The new rules require bloggers who have been paid by an advertiser to endorse a product to divulge this fact to the public. Also, product advertisers themselves may create a blog for endorsing products, and this information would have to be disclosed as well.

IntelliShield Analysis: In this new age of the Internet, bloggers appear to be a grass-roots or word-of-mouth conveyance of information. However, this is often not the case. Many times advertisers will offer free products to bloggers or pay them for endorsements. The FTC wants this kind of information to be disclosed in order for the public to have a clear idea of any vested interests the blogger may have when endorsing a product. The actual enforcement of these new rules may prove to be difficult, however, due to the sheer number of bloggers. As a result, the FTC may focus its efforts on advertisers to identify when they are working with bloggers, and enforce the rules from this direction.

Trust

Major Phishing Account Compromises and Prosecution

Two major developments came to light this week on the subject of phishing.
First, a series of public disclosures revealed login details for tens of thousands of accounts from AOL, Gmail, Hotmail, and Yahoo. Officials from the various impacted companies have taken steps to isolate affected accounts, force password resets, or otherwise protect customers. The second major phishing development this week regards an apparently unrelated announcement that the Federal Bureau of Investigation (FBI) has made dozens of arrests related to an international phishing scheme. In the United States, 53 individuals have been targeted for arrest for their involvement in a plot to funnel money from compromised accounts back to criminals in Egypt. This investigation had been ongoing since 2007.

IntelliShield Analysis: Phishing is a complex security problem without a clear solution. It is a problem that is often perpetrated by highly organized, global criminal organizations. Phishing lacks a clear solution because of its high degree of difficulty in each of the three components of security problems: technical challenge, human factors, and adversarial motive. Organizations must provide an easy-to-use and cost-effective system of user identification and re-identification. Users face the challenge of managing a large number of credentials combined with a wide variety of interfaces and efforts made to identify them. Attackers stand to gain much when provided with a user's real-life or online identity. Security professionals are making various attempts to draw data from the published account credentials in an effort to gain more insight into this problem. Unfortunately, the data seen from this latest release only applies to those victims who failed to recognize a phishing attack. Does it really matter how strong their passwords were if they were willing to give them away? Or conversely, should it surprise us that there is a collection of (allegedly valid) simple passwords from those who fell victim to this attack?
Users do need strong passwords, but most of all they need a password strategy (see the Cisco Blog post "Here, Have the Keys to My Whole Life"): something simple but effective, with variety but only limited complexity to operate. Organizations are further challenged by the variety in password complexity requirements, password reset methods, and how much information they convey to users over e-mail. Without a clear standard to follow, sites take it upon themselves to enforce security and risk alienating customers through stringent security requirements or through increased costs because of the use of frequent password reset services. Back-end controls are also an important consideration. Organizational investment in monitoring, suspension, or disabling of accounts that exhibit signs of malicious compromise, or activity that suggests a large-scale attack against users, can help to reduce some of the effects of these coordinated assaults. Finally, the FBI and other law enforcement groups, as well as the companies targeted by phishing scammers, need to continue cooperating and sharing information. Penalizing scammers and sharing best practices on how to combat their latest techniques can gradually remove the incentives they have by raising their costs of doing business. Making a large effort in this area could also increase confidence in hosted services. As more services are pushed into the cloud and expectations of security are likewise pushed to the providers, those organizations that make customers feel safest will have a distinct advantage.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Norway and Russia Settle Differences on Telecoms

Norway's telecommunications carrier Telenor and Russia's Alfa Group unexpectedly resolved their differences after a five-year battle over telecoms business in Ukraine.
Following a meeting between Telenor's CEO and Russian Prime Minister Vladimir Putin, it was announced that Vimpelcom and Kyivstar, joint mobile phone ventures in Russia and Ukraine, would be merged. If the deal proceeds as outlined, this will result in Telenor losing its majority stake in Ukraine in exchange for a minority voting stake in the larger, merged entity. The deal was hailed by all parties, and Telenor's stock value leapt at the prospect of putting the dispute behind it, in part because it allows Telenor to put aside the $1.7 billion fine levied against it by a Siberian court earlier this year.

IntelliShield Analysis: The Telenor case has been watched closely by investors interested in Russia and former Soviet states such as Ukraine. There had been hopes that the presidency of Dmitry Medvedev, a former businessman himself, might bode well for Russia's interactions with Western companies seeking to involve themselves in critical sectors such as energy and telecommunications. At the same time, President Medvedev's call for a shift away from dependence on hydrocarbons toward the high-tech sector suggests that, if anything, pressure on foreign telecoms companies will increase. Russian government involvement in business disputes likely will continue to be a serious risk for foreign investors, and if disputes lead to legal action, sympathy in regional courts may be hard to come by.

Upcoming Security Activity

U.S. National Cyber Security Awareness Month: October 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Daylight Saving Time Ends (U.S.): November 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
