Cyber Risk Report

April 12–18, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for this period was elevated due to the monthly and quarterly scheduled security updates from Microsoft, Oracle, and Adobe on April 13, 2010.  Microsoft released 11 bulletins addressing 25 vulnerabilities, which were reported in multiple IntelliShield alerts.  Adobe released Security Bulletin APSB10-09, addressing 15 vulnerabilities in Reader and Acrobat, reported in IntelliShield Alert 20338 and multiple additional alerts.  Oracle released the April 2010 Critical Patch Update to address 47 vulnerabilities in multiple products, reported in IntelliShield Alert 20339 and multiple additional alerts.  In addition, this was the first Oracle Critical Patch Update that included Sun product security updates following the Oracle acquisition of Sun Microsystems.  The April 2010 Oracle Critical Patch Update included 16 vulnerabilities in Sun products.

While these updates from Microsoft, Adobe, and Oracle addressed a large number of vulnerabilities, the majority are not considered critical and can be addressed through normal patch procedures and the update features of these products.  The Oracle updates require additional testing in most organizations to ensure that they do not negatively affect the performance or operation of the patched products, or of the applications that communicate with them.

Additional security advisories and updates were released by VMware, RealNetworks, and McAfee during the period.

An antivirus scam circulating on the Internet, which has been so successful at fooling users that it was selected as the Cisco crimeware of the year for 2009, has a new variation that now appears as an anti-piracy warning.  The warning claims that the user's system has pirated software installed and instructs the user to make a credit card payment at the link provided to settle the alleged piracy.  The scam is well constructed and plays on the increased attention to pirated software and the three-strikes rules recently passed in some countries.  Users should be advised that this message is not legitimate and should not follow any links provided in the pop-up windows or warnings.

IntelliShield published 98 events last week: 74 new events and 24 updated events.  Of the 98 events, 78 were Vulnerability Alerts, two were Security Activity Bulletins, one was a Security Issue Alert, 14 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        04/16/2010     5         8      13
Thursday      04/15/2010    22         3      25
Wednesday     04/14/2010     3         5       8
Tuesday       04/13/2010    31         5      36
Monday        04/12/2010    13         3      16
Weekly Total                74        24      98

Significant Alerts for the Time Period

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 2, April 16, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user.  Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable as a result.  Updates are available.

Previous Alerts That Still Represent Significant Risk

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 45, April 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Proof-of-concept code that exploits this vulnerability is publicly available.  Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and has released a security bulletin with updated software to address the invalid pointer reference access arbitrary code execution vulnerability in Microsoft Internet Explorer.  Functional exploit code is being used in ongoing attacks.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability.  Proof-of-concept code that demonstrates code execution is available.

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 4, February 26, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0189

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  Adobe has confirmed the vulnerability and released updated software.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 5, February 25, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has confirmed this vulnerability and released software updates.  Additional information is available regarding mitigations and exploit code.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0107

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system.  Symantec confirmed this vulnerability and released software updates.

Physical

Iceland Volcano Force Majeure

The volcanic ash that has disrupted air travel across Europe since April 15, 2010, continued through the weekend with the vast majority of European air traffic halted.  While airlines, air traffic officials, and agencies have released statements on the dangers of the volcanic ash to aircraft engines, some reporters have criticized the closures.  The grounded aircraft are reported to be costing the airlines US$200 million or more per day, not including the additional costs to stranded passengers and businesses unable to ship or receive goods.  While the Iceland volcano continues to erupt, recent weather patterns indicate the air streams have shifted to the west.  This shift may help clear European airspace, but it could threaten air routes in Canada and the northern United States.

IntelliShield Analysis: This "act of God" is commonly referred to as a force majeure in contracts, insurance policies, and business continuity and disaster response language.  The European air hubs are central to travel and commerce across five continents, with few potential alternatives until the force majeure passes.  Although this type of incident is normally considered in travel and business planning, this event has a widespread and lengthy impact. The loss of business, supply chain interruptions, and additional costs can devastate businesses and travelers who cannot absorb the delays and cost until insurance or other plans can be implemented. Interruptions of this type have taken on additional impact in recent years with the shifts to "just in time" supply chains.  Fortunately, unlike many other recent natural disasters, this force majeure has not included the loss of life. However, it may continue to affect transportation for several days or weeks.

Legal

There was no significant activity in this category during the time period.

Trust

Apache Software Foundation Compromise

The Apache Software Foundation (ASF) experienced a targeted attack using a previously undisclosed vulnerability. The attack began on April 6, 2010, and was detected on April 9. According to a blog entry posted on April 13 by ASF Vice President of Infrastructure, Philip M. Gollucci, the attack used a combination of cross-site scripting and password brute forcing to gain initial access to ASF systems. After attackers gained access, they used additional tactics to access user credentials, filesystem contents, and other ASF computer systems.

IntelliShield Analysis: Although targeted attacks such as this are not new, the detailed analysis and transparency provided by the ASF is a refreshing glimpse into the operations of one of the largest open source software organizations. A similar level of transparency was also demonstrated for previous attacks against the ASF in August 2009 and May 2001. In addition to reinforcing the importance of log monitoring and the risks of password reuse, this attack illustrates the real security risk of two considerations often downplayed in security circles: the potential impact of cross-site scripting vulnerabilities, and the concealment of malicious URLs using URL shortening services (which in this case was used to hide the cross-site scripting attack). These attacks also serve as a potent reminder of the high amount of implicit trust we place in software vendors—open source and otherwise—and that organizations should take steps to verify the authenticity of software.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Lessons from Poland's Air Disaster

An airplane crash on April 10, 2010, over Smolensk, Russia, took the lives of 96 people according to the Polish government, including Poland's President Lech Kaczynski and his wife Maria.  Other high-level Polish government and military officials aboard the plane included the head of the national bank, the army chief of staff, the deputy foreign minister, the head of the Polish Olympic committee, two presidential aides, and the head of the National Security Office. Russian Prime Minister Vladimir Putin is personally overseeing the investigation into the causes of the crash.  The high-level Polish delegation was traveling to Russia to commemorate the 1940 Katyn massacre, in which over 20,000 Polish people died at the hands of Josef Stalin's secret police.

IntelliShield Analysis: Poland's loss of so many high-level government leaders in a single incident is a remarkable tragedy, and one that was felt worldwide. Polish democratic institutions and markets held firm in the immediate aftermath and, following a week of national mourning, the Polish prime minister has scheduled elections for June.  As Poland recovers, governments and enterprises may take a hard reminder from the tragedy of the risk of concentrating critical assets.  This includes not only government or company leaders without whom a crisis of confidence and leadership can be devastating, but also physical assets channeled through a single chokepoint or sharing a common point of failure.  Indeed, one of the primary sources of the Internet's resiliency is the practice of packet switching, which allows critical data transmissions to avoid problematic chokepoints.  On the human level, building redundancy and strength into systems can be as simple as ensuring that key aspects of critical systems are not managed by a single person.  This is not a complicated concept, but it is one that may be easy to overlook in the rush of business and government activities, sometimes with tragic consequences.

Upcoming Security Activity

InfoSec World 2010: April 17–23, 2010
INTEROP Las Vegas: April 25–29, 2010
Infosecurity Europe: April 27–29, 2010
AusCERT2010: May 17–20, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010, Las Vegas, June 27–July 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
