Cyber Risk Report

April 11–17, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased sharply for the period. The most significant activity was the Microsoft scheduled monthly release, which included 17 bulletins that addressed 64 vulnerabilities. Additional updates from Apple for iOS and Safari, Adobe for Flash, HP for Network Node Manager, CA for Total Defense Suite, RealNetworks for RealPlayer, and Novell for ZENworks, together with an increase in spam levels, contributed to the very active period.

Microsoft released the April monthly security bulletins, which included several critical updates for commonly exploited vulnerabilities. Additionally, technical details and proof-of-concept exploit code are publicly available for several of the vulnerabilities. While IntelliShield has seen decreasing exploitation of Microsoft vulnerabilities, the vulnerabilities addressed in this update give attackers an extensive list of issues that allow remote exploitation and that may be used in social engineering attacks. Full details of the vulnerabilities and current risk ratings are available in the IntelliShield alerts, correlated with Cisco IPS signatures and with mitigations that use your existing Cisco security equipment, at the Cisco Event Response: Microsoft Security Bulletin Release for April 2011. The Microsoft update also included the release of two tools that provide additional security in handling Microsoft Office File Validation and in detecting rootkits.

Apple released security updates for iOS and Safari that corrected multiple vulnerabilities. These security updates impact multiple Apple products including iPhones, iPads, and all implementations of the Safari browser.

NSS Labs published a report indicating that multiple security products were vulnerable to a TCP Split Handshake issue. Details of the issue are available from multiple sources, and it may impact products beyond those reported. Multiple vendors have responded to the NSS Labs report with details on their products, including Cisco with a post to the Security Blog and an IntelliShield alert that provides the latest information on the issue. Organizations should contact their individual vendors for details on impacted products.

In upcoming activity, Oracle announced that its quarterly Critical Patch Update will be released on April 19, 2011. This update will include fixes for 73 vulnerabilities that impact the Oracle database, PeopleSoft suite, JD Edwards suite, Siebel CRM, and server-side Java.

IntelliShield published 199 events last week: 103 new events and 96 updated events. Of the 199 events, 161 were Vulnerability Alerts, five were Security Activity Bulletins, one was a Security Issue Alert, 29 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        03/11/2011     3       50     53
Thursday      03/10/2011    11        6     17
Wednesday     03/09/2011    12       22     34
Tuesday       03/08/2011    69       12     81
Monday        03/07/2011     8        6     14
Weekly Total  —            103       96    199

Significant Alerts for April 11–17, 2011

Adobe Acrobat, Reader, and Flash Player SWF File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22909, Version 2, April 13, 2011
Urgency/Credibility/Severity Rating: 3/5/4

Adobe Acrobat, Reader, and Flash Player contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that demonstrates this vulnerability is publicly available. Adobe has confirmed this vulnerability, but updates are not available.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 5, April 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0096

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security advisory.

Multiple Vendor Issue Revocation for Fraudulent SSL Certificates
IntelliShield Vulnerability Alert 22740, Version 3, April 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Multiple vendors have revoked several fraudulent SSL certificates to protect users from spoofing attacks. Apple has released security advisories and software updates to address the fraudulent SSL certificate revocation issue.

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 5, April 15, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed, in conjunction with exploits for a vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released additional packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

LizaMoon SQL Script Injection Attacks
IntelliShield Vulnerability Alert 22869, Version 2, April 8, 2011
Urgency/Credibility/Severity Rating: 3/4/3

Multiple SQL script injection attacks have been detected. These attacks are designed to modify targeted sites and redirect users to malware distribution sites. A Cisco IPS signature that detects SQL script injection attacks is available.

RSA Breach Exposes SecurID Information
IntelliShield Vulnerability Alert 22689, Version 1, March 18, 2011
Urgency/Credibility/Severity Rating: 1/5/3

RSA has issued a security announcement about data compromises related to SecurID two-factor authentication products.

Oracle Critical Patch Update for February 2011
IntelliShield Vulnerability Alert 22466, Version 5, March 18, 2011
Urgency/Credibility/Severity Rating: 3/5/4
Multiple CVEs

Oracle has released the February 2011 Critical Patch Update: Oracle Java SE and Java for Business Critical Patch Advisory for multiple products. The update contains 21 new security fixes that address multiple Oracle product families on Windows, Solaris, and Linux operating systems. Red Hat has released an additional security advisory and updated packages to address multiple vulnerabilities in Oracle Java products.

Multiple Apple Products Security Update on March 2, 2011
IntelliShield Vulnerability Alert 22583, Version 2, March 10, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Apple has released security notifications and updated software to address vulnerabilities in multiple Apple products.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 13, March 9, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability. Kernel.org has released a changelog and updated software.

ISC BIND IXFR Transfer or DDNS Update Denial of Service Vulnerability
IntelliShield Vulnerability Alert 22512, Version 1, February 23, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0414

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22180, Version 4, February 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3970

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21686, Version 10, January 19, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3654

Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability. Sun has released a security notification and patches.

Physical

There was no significant activity in this category during the time period.

Legal

United States Department of Justice Replaces Coreflood Botnet Command-and-Control Servers

The United States (U.S.) Department of Justice (D.O.J.) announced on April 13, 2011, that it had taken both legal and technical actions to disable the Coreflood botnet. The legal actions included restraining orders, civil complaints against 13 defendants, and the seizure of servers and 29 domain names. In an unprecedented action, the D.O.J. replaced five of the Coreflood botnet command-and-control servers with substitute servers to prevent the botnet from causing additional damage or infections.

IntelliShield Analysis: While this situation is similar to previous botnet take-down actions, the D.O.J.'s actions expand on previous legal seizures of domain names by replacing the command-and-control servers with servers that issue commands to infected computers that attempt to contact them. The D.O.J. activity has raised some debate over privacy issues and over the extent to which the D.O.J. can or should issue commands to an infected computer. Aside from this debate, the D.O.J. and the multiple organizations that work with law enforcement agencies continue to improve their ability to legally and technically disable criminal computer networks. Organizations can assist by increasing their focus on identifying and cleaning infected systems and by ensuring that their systems are not participating in these criminal networks.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

BRICS Call for a Rebalancing of the Global Economic System

Leaders of the largest emerging or "BRIC" economies—Brazil, Russia, India, China, and now South Africa—gathered on the southern Chinese island of Hainan last week for a one-day summit. Leaders ended the gathering with a joint statement calling for a rebalancing of global institutions to better reflect the emerging multi-polar world in which the five BRICS economies represent 40 percent of the world's population and a quarter of its economic output. The statement called for "comprehensive reform" of the United Nations, currency controls to protect smaller currencies from massive inflows of speculative currency trading, changes in development bank lending, and an improved international reserve currency system that will provide enhanced stability and certainty.

IntelliShield Analysis: From a Western technology industry perspective, last week's BRICS summit offered a few noteworthy takeaways. First, the BRICS partners, echoing their developed-economy counterparts, pressured China to import more value-added products, particularly IT products and pharmaceuticals. They also complained that China's undervalued currency hurt their ability to compete, according to a variety of reports. This pressure from fellow emerging-market competitors may make it harder for China to argue that it needs to maintain such policies to compete against developed economies. Second, calls for an improved reserve currency system and changes in development bank financing appear aimed at the global financial system dominated by the U.S. dollar. Several BRIC countries are encouraging bilateral trade in local currencies rather than in U.S. dollars, which may impact pricing and financing, possibly to the competitive disadvantage of dollar-denominated product lines. The third takeaway is the official addition of South Africa to the BRICS club. Acceptance into this high-powered, high-growth group may open up South African companies to more opportunities for joint technology development and technology transfer, according to a major South African media outlet. Indeed, as the clout and technological capability of these markets grow, IT devices developed in and for emerging markets are likely to diverge from developed-market products because of differences in customer needs, budgets, and resources.

Upcoming Security Activity

InterOp Las Vegas: May 8–12, 2011
HITBSecConf2011 (Amsterdam): May 17–20, 2011
23rd Annual FIRST Conference (Austria): June 12–17, 2011
CiscoLive 2011: July 10–14, 2011
Black Hat USA 2011: July 30–August 2, 2011
DEFCON 19: August 4–7, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

British Royal Wedding: April 29, 2011


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
