Cyber Risk Report

April 18–24, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased during the time period, primarily due to Oracle's Quarterly Critical Patch Update (CPU) and releases from several additional vendors. The April 2011 Oracle CPU addressed 73 vulnerabilities across multiple products and was reported in IntelliShield alert 22957. Technical details for several vulnerabilities have been reported publicly. Last week, HP also released vulnerability updates for the HP System Management Homepage, Proliant Support Pack, Performance Insight, Insight Control Performance Management, and Network Node Manager. IBM also released a security update to address multiple vulnerabilities in IBM Tivoli Directory Server.

A critical new vulnerability was recently reported in the Adobe Reader and Acrobat CoolType Library. Exploits of this vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

During the time period, Verizon Business released the 2011 Data Breach Investigations Report, which is the result of a study performed by the Verizon RISK Team, the United States Secret Service, and the Dutch High Tech Crime Unit. The report, which includes analyses of forensic investigations that were conducted throughout 2011, is a rich resource of security metrics and threats.

IntelliShield published 114 events last week: 57 new events and 57 updated events. Of the 114 events, 73 were Vulnerability Alerts, nine were Security Activity Bulletins, nine were Security Issue Alerts, 21 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      04/23/2011     1         0       1
Friday        04/22/2011    11         4      15
Thursday      04/21/2011    17         8      25
Wednesday     04/20/2011    10        26      36
Tuesday       04/19/2011     8         5      13
Monday        04/18/2011    10        14      24
Weekly Total               57        57     114


Significant Alerts for April 18–24, 2011

Multiple Adobe Products SWF File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22909, Version 5, April 22, 2011
Urgency/Credibility/Severity Rating: 3/5/4

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Adobe has released additional security bulletins and updated software to address the SWF file processing arbitrary code execution vulnerability.

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 6, April 20, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0096

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of the Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available. IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft Windows MHTML protocol handler script execution vulnerability.

Previous Alerts That Still Represent Significant Risk

Multiple Vendor Issue Revocation for Fraudulent SSL Certificates
IntelliShield Vulnerability Alert 22740, Version 5, April 21, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Multiple vendors have revoked several fraudulent SSL certificates to protect users from spoofing attacks. Microsoft has re-released a security advisory to address the multiple vendor SSL certificate revocation issue.

Oracle Critical Patch Update for April 2011
IntelliShield Vulnerability Alert 22957, Version 1, April 19, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Oracle has released the April 2011 Critical Patch Update to address 73 new vulnerabilities in multiple products.

LizaMoon SQL Script Injection Attacks
IntelliShield Vulnerability Alert 22869, Version 2, April 8, 2011
Urgency/Credibility/Severity Rating: 3/4/3

Multiple SQL script injection attacks have been detected. These attacks are designed to modify targeted sites and redirect users to malware distribution sites. A Cisco IPS signature that detects SQL script injection attacks is available.

RSA Breach Exposes SecurID Information
IntelliShield Vulnerability Alert 22689, Version 1, March 18, 2011
Urgency/Credibility/Severity Rating: 1/5/3

RSA has issued a security announcement about data compromises related to SecurID two-factor authentication products.

Multiple Apple Products Security Update on March 2, 2011
IntelliShield Vulnerability Alert 22583, Version 2, March 10, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Apple has released security notifications and updated software to address multiple vulnerabilities in Apple products.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 13, March 9, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability. Kernel.org has released a changelog and updated software.

ISC BIND IXFR Transfer or DDNS Update Denial of Service Vulnerability
IntelliShield Vulnerability Alert 22512, Version 1, February 23, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0414

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22180, Version 4, February 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3970

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 5, April 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed in conjunction with exploits for a vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

There was no significant activity in this category during the time period.

Identity

Location Tracking Data on Smartphones

Apple's iOS recently faced criticism for storing persistent location data not only on user devices but also in device backups that are stored on users' computers. This scrutiny follows a visualization project publicized by Pete Warden and Alasdair Allan that provided users with a tool to extract data from device backups and plot locations on a map. While initial claims suggested that this tracking was unique to iOS 4 and that other devices (notably Google's Android) did not collect similar data, further investigation indicates that those early reports were incorrect. Since Allan and Warden's tool was made available, at least one other tool that allows users to gather location information stored on Android devices has been released publicly. Further, mobile device forensic experts clarified that, although the manner in which iOS 4 stores this information has changed from previous versions, the behavior is not new.

IntelliShield Analysis: The collection and storage of this information should not be surprising. Various books about mobile device forensics have been published, and the extent of available information is not limited to location data. Organizations should recognize what is stored on mobile devices and, in turn, archived on user PCs through device backups. The most troubling aspects of such forensically significant data are that it is poorly understood and retained for long periods of time. Organizations that are sensitive to protecting this data should consider it a good candidate for at-rest data protection policies, such as encryption or regular purges.

Human

Spring Cleaning the Computer

During the time period, Microsoft released a message to assist home and office Microsoft Windows users in "spring cleaning" and updating their computer systems. The message includes links and tips on security, performance, e-mail organization, and managing data and files.

IntelliShield Analysis: This message is a good and timely reminder from Microsoft. While many of the activities can and should be automated and continued throughout the year, some items accumulate over time and must be discarded or stored. Taking a few minutes to focus on cleaning user systems of unnecessary and possibly sensitive data, installing updates, adding or configuring new security features, changing account passwords, and running full scans for system errors and malicious code not only improves a system's security but can also improve performance and reliability. In addition to the information provided by Microsoft, several no-cost tools and utilities are available to clean Microsoft, Linux, UNIX, and Apple systems.

Geopolitical

Brazil Remains a Challenging Market for Foreign Technology Companies

According to press reports, Brazil's Science and Technology Minister Aloizio Mercadante aims to make his country a hub for science and technology innovation. Mercadante reportedly commented that Brazil is a leader in agriculture, aviation, and energy but has lagged in technology innovation. Along with President Dilma Rousseff, who came to office in January 2011, Mercadante hopes to convince Western companies to establish research and development facilities in Brazil. Some large-scale organizations that are already active in Brazil include IBM, Motorola, and General Electric. There are also government-supported research centers, including one located in Rio de Janeiro that was launched by energy giant Petrobras. The center hosts 180 IT companies and institutes. As noted in last week's Cyber Risk Report, an important takeaway from President Dilma's recent visit to China was a commitment from Taiwan's Foxconn to spend up to US$12 billion to increase manufacturing in Brazil.

IntelliShield Analysis: Attracting Western technology investment to Brazil faces hurdles, despite the new emphasis on innovation. First, one of President Dilma's top priorities is limiting inflation and reducing government spending, which was generous under her predecessor, President Lula da Silva. Indeed, many were surprised when Dilma cut the Science and Technology Ministry's already-approved budget by 23 percent early this year. While Dilma has already made business-friendly policy adjustments, including taking a politically courageous stand against her own populist party by containing a proposed minimum wage hike, some foreign governments and technology organizations hope she will also address numerous formal and informal barriers to trade. These include tariffs on imports of high tech products and automatic preference in government procurement bids for domestic companies, even if bids are up to 25 percent more expensive. The revival of state-run Telebras to administer Brazil's new national broadband plan, moreover, has intensified concern about government intervention in the telecommunications sector. Given upcoming events, such as the 2014 FIFA World Cup games and 2016 Olympic Games, both of which Brazil will host, Brazil's enormous growth potential may tempt foreign technology investors but may need to be balanced by friendlier trade policies.

Upcoming Security Activity

InterOp Las Vegas: May 8–12, 2011
HITBSecConf2011 (Amsterdam): May 17–20, 2011
23rd Annual FIRST Conference: June 12–17, 2011
CiscoLive 2011: July 10–14, 2011
Black Hat USA 2011: July 30–August 2, 2011
DEFCON 19: August 4–7, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

United Kingdom Royal Wedding: April 29, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
