Cyber Risk Report

April 19–25, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels during the period remained consistent with previous weeks. Activity was highlighted by a problematic McAfee DAT file that was distributed to VirusScan applications during the period. As a result of installing the 5958 DAT and rebooting, certain Microsoft Windows XP-based systems could be rendered unusable. Impacted systems may continuously reboot after reporting false virus infections that are related to the W32/Wecorl.a virus. This activity was reported in IntelliShield Alert 20375.

During the time period, Microsoft re-released security bulletin MS10-025 to address errors in software updates that were released in response to a stack-based buffer overflow vulnerability in Microsoft Windows Media Services, which was reported in IntelliShield Alert 20273. The previous software updates did not completely correct exploitation vectors related to this vulnerability. Microsoft ceased distributing the patch in response to these errors. Until functional fixes are available, Microsoft recommends the use of approved workarounds to prevent exploits. Additionally, a new vulnerability that can result in a local denial of service was recently reported in the win32k.sys Microsoft Windows Kernel Driver. Although proof-of-concept code is available publicly, Microsoft has not confirmed this vulnerability or released updates.

Additional highlights for this period include an authentication bypass vulnerability in Cisco Small Business Video Surveillance Cameras and the Cisco RVS4000 4-Port Gigabit Security Router (reported in IntelliShield Alert 20352), an buffer overflow vulnerability in Adobe Reader and Acrobat Download Manager (reported in IntelliShield Alert 20377), and a Google Chrome security update for multiple vulnerabilities (reported in IntelliShield Alert 20374).

IntelliShield published 84 events last week: 30 new events and 54 updated events. Of the 84 events, 66 were Vulnerability Alerts, five were Security Activity Bulletins, one was a Security Issue Alert, ten were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 04/23/2010 3 4 7
Thursday 04/22/2010 4 17 21
Wednesday 04/21/2010 9 17 26
Tuesday 04/20/2010 6 5 11
Monday 04/19/2010 8 11 19
Weekly Total 30 54 84

 

Significant Alerts for the April 19–25, 2010

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Previous Alerts That Still Represent Significant Risk

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 3, April 20, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Updates are available.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 47, April 23, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 4, February 26, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0189

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Adobe has confirmed the vulnerability and released updated software.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 5, February 25, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0107

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Symantec confirmed this vulnerability and released software updates.

Physical

Digital Photocopiers Disclose Secrets

A recent news story about hard drives in photocopier machines recently caused a health insurance company to disclosure the potential release of confidential personal information. A team of reporters and representatives from a software company purchased four copiers from a warehouse in New Jersey in the United States and removed the hard drives. Using a free forensics tool, they were able to examine the contents of the hard drives and recover images of documents that were previously scanned by the copiers. Names, dates of birth, social security numbers, and sensitive medical information were all visible on the images.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Personal information remaining on disposed equipment is not a new phenomenon. Personal computers and servers have been the subject of previous data leakage and resulting reports. Hard drives in printers and copiers are receiving extra scrutiny now, but information is stored on more that just magnetic media. Most modern electronic devices contain some sort of nonvolatile memory for the storage of configuration and user information, whether it is magnetic media, flash memory, or another form of storage that retains data without external power. Both corporations and individuals would be well advised to examine all electronic devices that are destined for disposal and remove information that is not appropriate for the public domain. Organizations should not rely on a leasing company or a repair center to delete data or reset devices to default settings.

Legal

United States Supreme Court Hears Arguments on Texting Privacy Rights

The United States (U.S.) Supreme Court recently heard arguments on a case involving a California police officer who used a department-owned device to send and receive sexually explicit text messages to his wife and girlfriend. City officials reviewed the messages after noticing that the officer had exceeded monthly messaging limits. The officer's lawyer argued for a reasonable expectation of privacy, while his client claims that the department's policy was unclear in regards to personal use. Read More

IntelliShield Analysis: Smartphones and similar devices blur the lines of communication between work and personal life for many employees. Individuals who are expected to respond to business requests after hours are unlikely to carry separate devices for office and personal use, but the outcome of this case could prompt some to do so. Although the court has not reached a decision, the implications for corporations will likely serve as clarion call to ensure that electronic communications policies are as specific as possible, and that employees are educated on rules that the company will enforce. Regardless of the court's decision, workers in the private sector should use caution when conveying personal information by means of company-owned equipment to avoid embarrassing revelations, termination of employment, or both.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

University Study Shows Youths are Privacy-Conscious, Risk-Naive

Contrary to popular belief, a recent study from the University of California-Berkeley and the University of Pennsylvania in the United States has shown that youths (aged 18 to 24) have very similar attitudes toward privacy as members of other age groups. The study surveyed nearly 1,000 respondents on privacy issues, online practices, and their understanding of legal privacy protections. Although the various age groups shared similar attitudes toward protecting their privacy, youths have a much less accurate understanding of legal protections that exist for their privacy. Read More

IntelliShield Analysis: The findings of this study correct the widely held assumption that youths are imprudent with personal information. Instead, they have the same concerns but demonstrate an overconfidence in the protections afforded to them by the law. Because the same misconceptions could exist in enterprise users of the same age, organizations are advised to examine whether their employee education and awareness programs set realistic expectations for users regarding security controls. Users that are naive about the effectiveness of security may be overconfident in the ability of controls to mitigate the impact of risky behavior.

Geopolitical

Volcano Highlights European Union Coordination Issues and Supply Chain Risk

Ash from Iceland's erupting Eyjafjallajokull volcano shut down air space over much of northwest Europe recently, leading to hundreds of airport shutdowns, cancellation of tens of thousands of flights, and the inconveniencing of millions of travelers. The impact on business was severe, particularly on the travel industry and exporters of perishable products from Africa and India; early estimates put the loss to airlines alone at around $US1.7 billion. European Union (EU) authorities were widely criticized for closing airspace for five days based on what some claim was outdated science and an inability to orchestrate a quick response. Moving forward, EU authorities will review crisis response mechanisms and consider establishing a single European airspace coordinator. Read More

IntelliShield Analysis: As air traffic over Europe returns to normal, organizations are reviewing crisis management and supply chain systems. Scientists claim that only luck and the relatively short period of time that air travel has been essential to the world economy can explain why a similar crisis has not occurred sooner. Although air freight accounts for only about five percent of world trade by weight, it comprises a comparatively large proportion of high-value electronic and other sensitive components to manufacturers. Moreover, many companies within the high-tech industry have become reliant on "just-in-time" supply chains, which increase vulnerability to short-term disruptions. As companies rerouted supplies, reports indicate that questions arose over the potential effect of humid maritime or vibrating train transport on sensitive components. For information technology professionals, the incident may be a reminder that building redundancy into systems means not only establishing alternate routes for information, but routinely using them.

Upcoming Security Activity

INTEROP Las Vegas: April 25–29, 2010
Infosecurity Europe: April 27–29, 2010
AusCERT2010: May 17–20, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas): June 27–July 1, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
United Kingdom Elections: May 6, 2010
Poland Elections: June 20, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top