Cyber Risk Report: April 2–8, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period was slightly decreased from previous periods. Highlights for the period include security advisories and updates from Oracle for Kerberos, HP for multiple products, Ghostscript, Invensys Wonderware and other products, IBM, and Google for the Chrome browser. Microsoft released the Security Bulletin Advance Notification for April 2012. The monthly release will include six security bulletins, four that are rated Critical and two that are rated Important by Microsoft. The announced security bulletins list Windows, Internet Explorer, Office, SQL Server, and Forefront as impacted. The security bulletins will be released publicly on April 10, 2012. Cisco will provide detailed analysis and reporting of the Microsoft release, including the correlated Cisco security intelligence and updates in the Event Response, on the Cisco Security Intelligence Operations website.
Cisco released a security advisory that included three buffer overflow vulnerabilities in the Cisco WebEx Recording Format Player. The vulnerabilities are reported in IntelliShield alert 25546. The WebEx Cisco Product Security advisory, IntelliShield alert, and associated IPS signatures are available on the Cisco Security Intelligence Operations website.

Threat and vulnerability activity continues to focus on Java products. Mozilla added security controls to detect and block the use of a vulnerable version of Java in the Firefox browser. There is widely reported exploitation of a Java vulnerability on Mac OS X. A trojan named Flashback and multiple variants have reportedly infected an estimated 600,000 Mac OS X systems. The Flashback trojan has been known for over a year, but this latest variant exploits a newer, already-known Java vulnerability that was reported in the Oracle February 2012 Critical Patch Update. Apple released a security update for Mac OS X to fix the Java vulnerability during this period.

Sources reported the first identification of Android bootkit malicious code, DKFBootKit. The bootkit can be bundled with legitimate Android applications. It requires root-level privileges to execute properly and will likely be bundled with utility-type applications that run with that level of permission.

The Anonymous group turned its attention to China, defacing a reported 500 Chinese government-related websites during the period.

IntelliShield published 101 events last week: 42 new events and 59 updated events. Of the 101 events, 63 were Vulnerability Alerts, five were Security Activity Bulletins, five were Security Issue Alerts, 26 were Threat Outbreak Alerts, one was a Malicious Code Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for April 2–8, 2012

Oracle Java Runtime Environment AtomicReferenceArray Type Violation Remote Code Execution Vulnerability

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update February 2012
Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP, and Apple have released security bulletins and updated software.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Oracle, VMware, Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability, and software updates are not available. The vulnerability is due to a regression error introduced by the vulnerability CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available. HP has released a security bulletin and updated software to address the Apache HTTP Server reverse proxy rewrite URL validation vulnerability.
Microsoft Windows Remote Desktop Uninitialized Memory Access Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability in Remote Desktop that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has confirmed the vulnerability in a security bulletin and released updated software. Proof-of-concept code that exploits the vulnerability is publicly available. ICS-CERT has released a security advisory to address the Microsoft Windows Remote Desktop uninitialized memory access arbitrary code execution vulnerability.

Apple iOS 5.1 Security Update
Apple iOS contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct information disclosure, security bypass, denial of service, code execution, or cross-site scripting attacks. Apple has released an additional security update and updated software to address the vulnerabilities in multiple Apple products. Apple added Apple Safari versions prior to 5.1.4 and Apple Safari for Windows versions prior to 5.1.4 to the affected products.

Apple iTunes and iTunes for Windows Multiple Memory Corruption Vulnerabilities
Apple iTunes and iTunes for Windows contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks, cause a denial of service condition, or execute arbitrary code on the targeted device.

Multiple Products Hash Collisions Denial of Service Vulnerability
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, and HP have released security advisories and updates.

Trend Micro Control Manager CmdProcessor.exe Arbitrary Code Execution Vulnerability
Trend Micro Control Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
Proof-of-concept code that demonstrates an exploit of the Trend Micro Control Manager CmdProcessor.exe arbitrary code execution vulnerability is publicly available. Proof-of-concept code that exploits this vulnerability is also available as part of the Metasploit framework.

Increased SSH Scanning Activity on Industrial Control Systems
ICS-CERT has released a security alert to address recent activity involving SSH scanning of Internet-facing control systems that could allow an unauthenticated, remote attacker to access sensitive information.

Oracle Critical Patch Update January 2012
Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on targeted systems. Red Hat has released a security advisory and updated packages to address vulnerabilities listed in the Oracle Critical Patch Update January 2012.

Physical

There was no significant activity in this category during the time period.

Legal

India Approves VoIP Services

India's Telecom Commission approved the offering of VoIP services throughout the country. The decision will reportedly go into effect this month and will likely coincide with service provider VoIP deployments across the country. The commission cited improving affordability as a primary reason for the decision.

IntelliShield Analysis: This news may come as a bit of a surprise, considering that India has long been a large consumer of network and mobile services. The commission cited concern over the readiness of service providers to deploy VoIP services, as well as legal licensing issues, as reasons for the delays in deployment. India currently has VoIP services, but they are limited to calls to phones within India.
The deployment of VoIP services is part of a larger plan to provide broadband services across the country by 2020; as in most countries, governments increasingly consider broadband a necessary service.

Trust

Does Apple Have the Key to Your iPhone?

An excerpt from training materials for the California United States (U.S.) District Attorneys Association raised speculation that Apple has the ability to circumvent device passcodes on iPhones and presumably iPads. The specific language that is suggested for use by law enforcement cites examples for both Apple and Android devices.

IntelliShield Analysis: While Apple has not publicly commented on whether it has an undisclosed method to override passcodes for iOS, most experts agree that this is probably not the case. What is likely, however, is that the majority of end users who do set a passcode on their iPhones use a four-digit numeric code, which can be defeated by so-called brute force attacks with relative ease by hackers and law enforcement alike. A four-digit numeric code is the default level of complexity when a user chooses to set a passcode on the device; setting a more complex passcode requires additional steps. As with any device whose contents need protecting, a more complex passcode increases the difficulty of circumventing its security. The trade-off continues to be ease of quick access versus data protection. Policies that state minimum levels of complexity and ease of use should be regularly reviewed and adjusted as more sophisticated methods to bypass passcodes emerge.

Identity

FTC Final Privacy Report - Do Not Track

The U.S. Federal Trade Commission (FTC) has released a final report on digital consumer privacy issues.
The name of the game is Do Not Track because the focus of the report, which was commented on by more than 450 companies, is on supporting Do Not Track programs, constructs such as the Do Not Track browser header, and advocacy for privacy legislation. Moreover, the FTC fully supports the Do Not Track flag, which will inform companies (via the web browser) that an individual does not want to be tracked. In addition, support for rights groups, such as the Digital Advertising Alliance and the World Wide Web Consortium (W3C), is a priority as the FTC seeks to foster the communication needed to strengthen the program, the focus on Do Not Track, and educate society.

IntelliShield Analysis: The mere mention of more than 450 companies providing comments to the FTC speaks loudly to the security arena and specifically to society's focus and outlook on privacy. Work will need to continue in this space because a great deal of improvement is needed; however, the efforts to support programs and solutions for Do Not Track should alert everyone that privacy is a major issue and concern. The Administration providing a privacy white paper that supports the Do Not Track effort, W3C's ongoing support, and now the FTC bringing attention to those groups, including itself, is a key indication that privacy concerns are mounting. The FTC and other industry figures are becoming authoritative entities from which privacy policies and regulations will be crafted.

Human

There was no significant activity in this category during the time period.

Geopolitical

There was no significant activity in this category during the time period.
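The Do Not Track browser header discussed in the Identity section above is only useful if the receiving site actually honors it. The following is an added example (not code from the report or from any of the organizations it mentions) of a minimal server-side policy: it parses the DNT request header, treats "1" as an opt-out that always wins, "0" as explicit consent, and anything else as no preference, then decides whether a tracking cookie may be set. The request headers, the cookie name and the example.test host are constructed for this illustration; the Tk response header values follow the W3C Tracking Preference Expression draft.

```python
"""Honoring the Do Not Track (DNT) request header on the server side."""
from typing import Mapping, Optional

# Sample requests, constructed for this example (not captured traffic).
SAMPLE_REQUESTS = {
    "opt_out": {"Host": "example.test", "DNT": "1", "User-Agent": "ExampleBrowser/1.0"},
    "consent": {"Host": "example.test", "dnt": " 0 "},        # lowercase name, padded value
    "no_preference": {"Host": "example.test"},                # header absent
    "malformed": {"Host": "example.test", "DNT": "yes"},      # not a valid DNT value
}


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Return True if the user asked not to be tracked (DNT: 1), False for
    explicit consent (DNT: 0), or None when no valid preference was sent.
    Header names are matched case-insensitively; an unrecognized value is
    treated as no preference, never as consent."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None
    return None


def tracking_allowed(headers: Mapping[str, str], default_allow: bool) -> bool:
    """Decide whether a tracking identifier may be set for this request.
    DNT: 1 always wins; DNT: 0 is explicit consent; with no preference the
    site's own policy (default_allow) applies, e.g. False under opt-in rules."""
    pref = dnt_preference(headers)
    if pref is True:
        return False
    if pref is False:
        return True
    return default_allow


def build_response_headers(headers: Mapping[str, str], default_allow: bool) -> dict:
    """Build response headers: set the (hypothetical) tracking cookie only when
    allowed, and emit a Tk header (N = not tracking, T = tracking) so the
    decision is visible to the client and to anyone auditing the site."""
    allowed = tracking_allowed(headers, default_allow)
    response = {"Tk": "T" if allowed else "N"}
    if allowed:
        response["Set-Cookie"] = "track_id=EXAMPLE-PLACEHOLDER; Path=/; Secure; HttpOnly"
    return response
```

Logging the Tk value alongside each request gives a simple audit trail for checking that no tracking cookie is ever issued to a request carrying DNT: 1.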
Upcoming Security Activity

Interop: May 6–10, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

France Presidential Elections: April 22, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.