Cyber Risk Report

April 5–11, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerabilities returned to lower levels during the time period.  The most significant vulnerability was a new Oracle Java Web Development Toolkit ActiveX vulnerability that was not addressed in the recent Oracle Java updates.  VMware released Security Advisory VMSA-2010-0007 correcting 10 vulnerabilities that impacted multiple VMware products.  Additional updates were released for McAfee Email Gateway,  CA XOSoft products, and ClamAV.

Microsoft, Adobe, and Oracle have pre-announced an April 13 release of additional security updates.  The Microsoft Advance Notification reported 11 bulletins that will address 25 vulnerabilities across multiple products.  Five bulletins are rated critical by Microsoft in this release.

The Oracle pre-release announcement for their quarterly Critical Patch Update includes 47 vulnerabilities across multiple products.  Following the acquisition of Sun Microsystems, the Critical Patch Update will also include Sun security updates, reported to account for 16 of the vulnerabilities.

Adobe will release their Security Advisory APSB10-09 with security updates for Adobe Reader and Acrobat, but have not provided a specific number of vulnerabilities. 

Researchers reported this week that the Zeus botnet appears to have moved to fastflux methods following the disconnection of several command-and-control systems from their service provider.  Fastflux had not previously been a primary method used by the Zeus botnet; the shift indicates that the disconnection of the service providers hosting numerous Zeus botnet systems may have had a stronger impact than was initially believed.  The Zeus botnet remains one of the most financially damaging botnets, primarily focused on compromising account credentials and stealing funds from those accounts.  It appears that the actions by the service providers and law enforcement are impacting Zeus botnet operations.

IntelliShield published 77 events last week:  40 new events and 37 updated events.  Of the 77 events, 62 were Vulnerability Alerts, five were Security Activity Bulletins, four were Security Issue Alerts, five were Threat Outbreak Alerts, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        04/09/2010     4         3       7
Thursday      04/08/2010    13         9      22
Wednesday     04/07/2010     8        10      18
Tuesday       04/06/2010     2        13      15
Monday        04/05/2010    13         2      15
Weekly Total                40        37      77

Significant Alerts for April 5–11, 2010

Oracle Java Web Start Java Development Toolkit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 1, April 9, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user.  Systems with Oracle Java JRE and SDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable as a result.  Updates are not available.

Previous Alerts That Still Represent Significant Risk

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 44, April 7, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Proof-of-concept code that exploits this vulnerability is publicly available.  Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and has released a security bulletin with updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability.  Functional exploit code is being used in ongoing exploits.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Mozilla has confirmed this vulnerability and has released updated software.

Microsoft Internet Explorer Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 2, March 2, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability.  Proof-of-concept code that demonstrates code execution is available.

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 4, February 26, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0189

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  Adobe has confirmed the vulnerability and released updated software.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 5, February 25, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has confirmed this vulnerability and released software updates.  Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0107

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system.  Symantec confirmed this vulnerability and released software updates.

Physical

There was no significant activity in this category during the time period.

Legal

United Kingdom Copyright Protection Law

The Digital Economy bill is on track for passage in the United Kingdom (U.K.). Among the provisions in the bill is one that would deny Internet service to someone who has repeatedly violated on-line piracy laws. The bill contains a three-strikes-and-you're-out provision that would allow the government to cut off Internet service to repeat offenders. This provision allows the government to force commercial businesses to help in the policing effort with regard to copyrights. The U.K. is not the first European Union (E.U.) member country to pass such a provision; France passed a similar measure last year. Opposition to the bill has been strong from British citizens, with over 20,000 voters writing to Parliament to voice their opinion. The bill also allows the government to block websites without primary legislation, that is, without an act of Parliament or the normal scrutiny given to primary legislation.

IntelliShield Analysis: The United Kingdom's anti-piracy law is similar to the law in France, and seemingly at odds with the E.U. statutes. It remains to be seen whether other E.U. members and countries outside of the E.U. pass such legislation, and whether countries where the majority of pirate sourcing activities take place increase their policing efforts. All the measures passed so far have drawn the ire of civil liberty groups that are worried the legislation leaves open the possibility for prosecution of individual casual down-loaders.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

Third-Party E-mail Privacy

The New Jersey Supreme Court ruled in a discrimination and harassment lawsuit that an employee's third-party e-mail messages were protected under a reasonable expectation of privacy.  Several specific details were pertinent to the ruling, including the use of password-protected accounts, encrypted messages and connections, and employer policies that the court found vague.  Some legal reviews of the case suggest it may set a new precedent for employee privacy and for employer monitoring of employees' third-party e-mail, even when that e-mail is accessed on the employer's systems and networks.

IntelliShield Analysis:  With the current focus on data loss prevention, protection of intellectual property, and security of systems and networks, many employers have tightened their policies and increased monitoring of employees' activity.  Previously, employees had little expectation of privacy when using the employer's systems, but this ruling shifts the line in favor of the employees.  The most interesting result of the case was the legal reviews suggesting that even if the policy had been better written, it would not have stood up to legal challenge or changed the ruling.  Businesses may need to review and reconsider their policies and monitoring of employee third-party e-mail.

Geopolitical

In Asia, Anti-Government Protests on the Ground have Online Component

In Thailand, anti-government protests, which have been heating up over the past month, turned briefly violent last week when red-clad protesters took control of a Thaicom Satellite Company television station, meeting only temporary resistance from security forces.  The protesters support exiled prime minister Thaksin Shinawatra, who has stayed in close communication with his supporters through various electronic media, including Twitter.  As part of the state of emergency declared by the government of current Prime Minister Abhisit Vejjajiva, a long list of opposition websites has been blocked.  Meanwhile, another Asian country suffered the violent overthrow of its government last week when Kyrgyzstan President Bakiyev, himself brought to power by violent overthrow in 2005, was chased out of the capital.  A former foreign minister has taken charge, and things appeared quiet in Bishkek over the weekend.

IntelliShield Analysis: For information technology specialists, the reflection of these real-world events online is noteworthy.  The Thai situation is more transparent to the English-speaking world thanks to a much larger English-speaking population, giving Western media quicker access to the dialogue between the two sides.  Moreover, with a larger percentage of Thailand's population plugged into mass media, it should come as no surprise that Thai protestors targeted a major television station and immediately began using it to expand control.

Meanwhile, in Kyrgyzstan (known in the West primarily for Manas Air Base, a key transshipment point for NATO troops into Afghanistan), English-language media have found the government overthrow noteworthy mostly in that it has not played out online.  One writer called it an analog revolution, but the facts suggest that there may no longer be any such thing.  One Central Asian blogger countered that Twitter activity was taking place, but mostly in languages other than English.  Kyrgyzstan was also the target of one of the world's first geopolitically motivated, large-scale DDoS attacks in 2008, when a cyber militia attributed to Russian groups angry over U.S. use of Manas Air Base brought down Kyrgyzstan networks.

Upcoming Security Activity

Black Hat Europe: April 12–15, 2010
InfoSec World 2010: April 17–23, 2010
INTEROP Las Vegas: April 25–29, 2010
Infosecurity Europe: April 27–29, 2010
AusCERT2010: May 17–20, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas): June 27–July 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
