Cyber Risk Report

April 23–29, 2012

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity decreased for the period, although multiple security updates and new threats were reported. The Microsoft vulnerabilities from the April Security Bulletin Release have been updated with new information and to indicate the availability of proof-of-concept exploit code for the .NET vulnerability, reported in IntelliShield alert 25560, and for the MSCOMCTL ActiveX vulnerability, reported in IntelliShield alert 25557. Also, a new zero-day vulnerability was reported in Microsoft Visual Studio. Microsoft released a security update for this researcher-reported vulnerability, which allows the compromise of Hotmail account credentials. Additional information released by the researcher indicates that not only is Hotmail vulnerable, but that the same Tamper Data add-on can be used to remotely reset passwords for any Yahoo! and AOL mail accounts.

Mozilla released Firefox 12, correcting 14 vulnerabilities. Mozilla rated seven of these vulnerabilities as critical, and four more as high. Proof-of-concept exploit code is already available for multiple vulnerabilities corrected in this updated version.

WordPress released updated version 3.3.2, correcting multiple vulnerabilities, and additional cross-site scripting vulnerabilities have been identified in previous WordPress versions. Multiple sources have identified compromised WordPress blogging sites being used in attacks on other web sites. Users should install the updated version and monitor their sites for malicious activity, particularly if hosting blogs on their commercial web sites.

Other vulnerabilities for the period included continued updates for the OpenSSL heap overflow, reported in IntelliShield alert 25706, and vulnerabilities in XMLSoft libxml2, OpenType Sanitizer, Samba LinuxCIFS, and JavaScript v8 that impact multiple products.

A researcher released exploit code for an Oracle Database Server TNS Listener remote registration vulnerability. The researcher believed that an Oracle advisory released in the recent April Critical Patch Update had corrected the vulnerability, but it was later determined that the patch addressed a different vulnerability, and the researcher had inadvertently disclosed a new zero-day vulnerability and exploit.

Industrial Control System and SCADA vulnerability activity continued with the reporting of a hard-coded default vendor account in RuggedCom products, and new vulnerabilities in Samsung Net-i ware products.

VMware confirmed the compromise of ESX source code, but minimized the risk due to the code being dated and customers having updated to the newer ESXi product versions. Similar to previous source code compromises, it should be noted that, while the investigation continues, the source code appears to have been compromised through third-party and partner sites. During the period Nissan also reported being compromised, although few details of the compromise have been released.

In additional threat activity, multiple sources have identified e-mail scams and fraud schemes related to tickets for the upcoming Olympic games in London. As the games draw nearer, criminals are likely to attempt to exploit the Olympic games through multiple vectors, and users should be extremely cautious when looking for information about the games, news updates, or handling unsolicited e-mail messages with Olympic games themes. Users should be encouraged to bookmark known and trusted web sites for updates on Olympic games activity.

IntelliShield published 93 events last week: 46 new events and 47 updated events. Of the 93 events, 50 were Vulnerability Alerts, eight were Security Activity Bulletins, two were Security Issue Alerts, 32 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        04/27/2012     8         7      15
Thursday      04/26/2012     3         5       8
Wednesday     04/25/2012    16        15      31
Tuesday       04/24/2012    10         7      17
Monday        04/23/2012     9        13      22
Weekly Total                46        47      93

Significant Alerts for April 23-29, 2012

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 4, April 25, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131

OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, and Red Hat have released security advisories and updates.

Microsoft .NET Framework GraphicsPathIterator Validation Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25560, Version 3, April 25, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0163

Microsoft .NET Framework contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are available. Proof-of-concept code to exploit the Microsoft .NET Framework parameter validation arbitrary code execution vulnerability is publicly available.

Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25557, Version 2, April 26, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0158

Microsoft MSCOMCTL.OCX ActiveX control contains a vulnerability that could allow an unauthenticated, remote attacker to execute code on a vulnerable system. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and has released updated software.

Previous Alerts That Still Represent Significant Risk

Oracle Java Runtime Environment AtomicReferenceArray Type Violation Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25553, Version 6, April 25, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0507

Multiple versions of Oracle Java Runtime Environment (JRE) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is publicly available. Oracle has confirmed this vulnerability and released software updates. Red Hat, HP, and Apple have released security advisories. Red Hat has released an additional security advisory and updated packages.

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 7, April 25, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP and Apple have released security bulletins and updated software. Red Hat has released an additional security advisory and updated packages.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 8, April 23, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability, and software updates are not available. The vulnerability is due to a regression error related to CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available. HP has released a security bulletin and updated software to address the Apache HTTP Server reverse proxy rewrite URL validation vulnerability. Oracle has released an additional security advisory and patches.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 10, April 20, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885, CVE-2012-0193, CVE-2012-0841

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, Oracle, and HP have released security advisories and updates.

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 3, April 19, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-1182

Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. If successful, the attacker could execute arbitrary code with root-level privileges.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24838, Version 8, April 5, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-4862

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Oracle, VMware, Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Microsoft Windows Remote Desktop Uninitialized Memory Access Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 25326, Version 3, March 20, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0002

Microsoft Windows contains a vulnerability in Remote Desktop that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has confirmed the vulnerability in a security bulletin and released updated software. Proof-of-concept code that exploits the vulnerability is publicly available. ICS-CERT has released a security advisory to address the Microsoft Windows Remote Desktop uninitialized memory access arbitrary code execution vulnerability.

Apple iOS 5.1 Security Update
IntelliShield Security Activity Bulletin 25374, Version 2, March 13, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Multiple CVEs

Apple iOS contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct information disclosure, security bypass, denial of service, code execution, or cross-site scripting attacks. Apple has released an additional security update and updated software to address these vulnerabilities in multiple Apple products. Apple has added Apple Safari versions prior to 5.1.4 and Apple Safari for Windows versions prior to 5.1.4 to the list of affected products.

Physical

NIST Iris Biometric Testing Results

The U.S. National Institute of Standards and Technology (NIST) has released the Iris Exchange (IREX) III report. The report describes the testing of 92 different algorithms and how accurate they were in identifying an individual within a large database of potential identities. Findings show that accuracy ranges from 90 to 99 percent and that some algorithms could execute up to 8 million matches per second.

IntelliShield Analysis: The search continues for an algorithm that would be both fast and accurate, and there are some signs that this may be getting closer. If achieved, this will enable even small mobile devices to positively identify an individual. This will also shift the control of identities to whoever possesses and controls the database. It is easy to envision a small camera in a busy street capturing photos of the eyes of passersby and matching them against a database. It could be relatively easy to distinguish between criminals and ordinary citizens.

Legal

There was no significant activity in this category during the time period.

Trust

Health Information Trust Alliance Establishes Cybersecurity Incident Response and Coordination Center

The Health Information Trust Alliance (HITRUST), a healthcare industry security advocacy group, has announced the establishment of the Cybersecurity Incident Response and Coordination Center. The coordination initiative is designed to allow healthcare organizations to share intelligence on emerging threats that could lead to data breaches. This healthcare-focused warning system would give healthcare organizations advance warning of threats and best practices for protecting records.

IntelliShield Analysis: Although the HITRUST response center is a good resource for organizations to stay aware of threats to patient records, survey data shows that the majority of data breaches result from employee errors. In addition to hardening and monitoring data systems, organizations that store and process medical records should train employees on proper handling of customer data. Technical controls should also be used to ensure that only designated employees can perform approved actions, while preventing loss through copying of files to personal devices and data loss through stolen devices.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Quantifying the Cost of IP Leakage

A survey of 600 German companies found that industrial espionage would cost them 4.2 billion euros (US$5.5 billion) this year. About half of respondents said they had been the victims of industrial espionage, with attacks attributed primarily to China, Russia, and the United States. The survey also revealed that small- and medium-sized businesses are frequently targeted because they are less likely to employ security experts trained in counter-intelligence. Other attempts to put a number on the losses include an estimate of US$100–150 billion per year for U.S. companies, according to the Financial Times quoting U.S. intelligence officials. The U.S. International Trade Commission (ITC) attempted to quantify losses due to intellectual property infringement and indigenous innovation policies in China, putting the number at US$48 billion in 2009.

IntelliShield Analysis: As losses due to data breaches and IP theft mount, many companies are pressuring their governments to update existing laws and create new ones to help them fight back. In making their case, industry specialists look for data to back up their claims, despite the challenges of estimating, for example, unrealized sales or jobs that may have existed if intellectual property had not been lost to a competitor. One of the most effective ways of taking the temperature of this complicated issue is conducting industry surveys, a strategy that is vastly more palatable for individual companies than publicly airing case-specific losses. The ITC also used statistical modeling to project losses by first estimating the positive economic effects of strong IPR enforcement. For information security experts, these reports may underscore the value that can be derived from working with industry associations and government partners to quantify losses as a first step toward positive regulatory change.

Upcoming Security Activity

Interop: May 6–10, 2012
Cisco Live US: June 10–14, 2012
Black Hat USA 2012: July 21–26, 2012
DEFCON 20: July 26–29, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

May Day Holiday: May 1, 2012
Bin Laden Raid Anniversary: May 2, 2012
Mexico General Elections: July 1, 2012
World IPv6 Launch: June 6, 2012
London Olympic Summer Games: July 27–Aug 12, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.