Cyber Risk Report: August 2–8, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for this time period was consistent with previous weeks. Security updates included advisories for Red Hat Apache HTTP Server and Tomcat, HP ProCurve Switch and Network Node Manager, EMC Disk Library, Hitachi, and CentOS. Linux.org also released the stable and mainline Linux Kernel 2.6.35 to correct multiple vulnerabilities. Monthly vulnerability activity for July 2010 decreased from the high level of activity in June but remains consistent with previous months in 2010 and 2009. Activity levels peaked in 2008 and have remained lower throughout 2009 and 2010.

During the time period, Microsoft released a security bulletin and updates to correct a vulnerability that has been used in the Stuxnet attacks on Microsoft Windows and SCADA systems. This vulnerability is being widely exploited with automated attacks, and public exploit code is available.
This update should be considered critical for nearly all Microsoft Windows systems. Additional information on this vulnerability and the updates is available in IntelliShield Alerts 20915 and 20918 on the Security Intelligence Operations web portal.

Adobe recently reported that it is developing an update to correct vulnerabilities in the current versions of Reader and Acrobat. These vulnerabilities could allow code execution and the compromise of user systems. Reports indicate that a similar PDF-processing vulnerability is being leveraged to jailbreak the current Apple iPhone. Adobe indicated that the update is expected to be released on August 16, 2010. Until the update is available, users should continue to use caution when handling PDF documents.

Last week, Cisco released security advisories to address multiple vulnerabilities in Cisco ASA Adaptive Security Appliances and the Cisco Firewall Services Module (FWSM). Cisco PSIRT security advisories, IntelliShield Alerts, Cisco IPS signatures, and Applied Mitigation Bulletins for these vulnerabilities are available on the Security Intelligence Operations web portal.

Cisco also released the first of its quarterly Global Threat Reports during the time period. The report for the second quarter of 2010 is available as the 2Q10 Global Threat Report. It includes the latest Global Threat Correlation data, collected by Cisco Security Intelligence Operations from web, e-mail, spam, and intrusion prevention signature activity.

IntelliShield published 124 events last week: 50 new events and 74 updated events. Of the 124 events, 96 were Vulnerability Alerts, 12 were Security Activity Bulletins, four were Security Issue Alerts, 11 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

2010 Monthly Alert Totals
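The Windows .lnk vulnerability discussed in the Vulnerability section above is exploited through the shortcut's shell item list: the malicious .lnk carries a Control Panel shell item whose path points at an attacker-supplied DLL, which the Windows shell loads while rendering the shortcut's icon. The following is an added triage example written for this page, not code from Cisco or from any IntelliShield alert. It parses the ShellLinkHeader and LinkTargetIDList according to the published MS-SHLLINK layout and flags any shortcut whose shell items contain a UTF-16LE path ending in .dll or .cpl. That "DLL path inside the IDList" rule is an assumed heuristic for sorting suspicious shortcuts out of a share or removable-drive capture, not a definitive signature; the sample files, the item type bytes and the paths in them are constructed for the example.

```python
"""Triage check for Windows .lnk (Shell Link) files.

Added example (not from the Cisco report). Parses the 76-byte ShellLinkHeader
and the LinkTargetIDList that follows it when LinkFlags bit A is set, then
applies an assumed heuristic: any shell item carrying a UTF-16LE path that
ends in .dll or .cpl is reported for manual review.
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_IDLIST = 0x00000001          # LinkFlags bit A
# Runs of at least four printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_id_list(lnk: bytes) -> list:
    """Return the Data field of every ItemID in the LinkTargetIDList."""
    if len(lnk) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", lnk, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []
    (idlist_size,) = struct.unpack_from("<H", lnk, LNK_HEADER_SIZE)
    pos = LNK_HEADER_SIZE + 2
    end = pos + idlist_size
    if end > len(lnk):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", lnk, pos)
        if item_size == 0:                    # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(lnk[pos + 2:pos + item_size])   # ItemIDSize counts itself
        pos += item_size
    return items


def suspicious_targets(lnk: bytes) -> list:
    """Paths to .dll/.cpl files found inside the shell item list (heuristic)."""
    hits = []
    for item in parse_id_list(lnk):
        for match in UTF16_RUN.finditer(item):
            text = match.group().decode("utf-16-le")
            if text.lower().endswith((".dll", ".cpl")):
                hits.append(text)
    return hits


# --- constructed samples: container layout is per spec, item bodies are
# --- simplified approximations of real shell items, not real malware -------
def build_lnk(items: list) -> bytes:
    """Assemble a minimal .lnk: 76-byte header plus a LinkTargetIDList."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_IDLIST)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le

# Ordinary shortcut to a document on the local drive.
BENIGN_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER,
    b"\x2f" + "C:\\".encode("utf-16-le"),
    b"\x31" + "report.docx".encode("utf-16-le"),
])
# Same shape as the attack shortcuts: a Control Panel item followed by an
# item naming a DLL (path is made up for the example).
STUXNET_STYLE_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER,
    b"\x1f\x00" + CONTROL_PANEL,
    b"\x00" + "\\\\server\\share\\payload.dll".encode("utf-16-le"),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_LNK), ("stuxnet-style", STUXNET_STYLE_LNK)):
        print(name, suspicious_targets(sample))
```

Run it over every .lnk on a suspect share or USB image and review the hits; a legitimate Control Panel shortcut can also reference a .cpl, so the output is a review queue, not a verdict, and the vendor patch remains the actual fix.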
Significant Alerts for August 2–8, 2010

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
Microsoft has released a security bulletin along with software updates to address the vulnerability exploited by the malicious software.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released updated software.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
Signed root DNS zones were scheduled to take effect during a maintenance window on July 15, 2010, establishing the availability of DNSSEC-enabled queries.

Microsoft Exchange Server Outlook Web Access Cross-Site Request Forgery Vulnerability

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.

IBM and Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on a system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable.
Red Hat has released an additional security advisory and updated packages to address the Oracle Java Web Start Java Development Kit ActiveX control command-line injection vulnerability.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
A security research team has created a tool that bypasses the protections provided by host-based security software on Microsoft Windows systems and executes arbitrary code with kernel privileges.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
Microsoft SharePoint Server 2007 SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. HP has released an additional security bulletin and updated software to address the vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

Proliferation of Personal Video Recording Tests Existing Laws, Policies

A United States man is facing 16 years in prison for violating state wiretap laws, stemming from a traffic stop that he recorded on video. The man felt that the police officer involved made an atypical traffic stop and subsequently posted the video, which recorded the officer's actions and communications, online.
The officer was neither in uniform nor in a marked police vehicle, and he brandished a weapon before identifying himself as a state police officer. The video attracted more than 3 million viewers on YouTube, many of whom commented on the impropriety of the officer's actions.

IntelliShield Analysis: Organizations should consider how the proliferation of video and audio recording could affect business policy. Just as end users have readily adopted social networking (often in the workplace), they may also bring smart phones with recording capabilities to work as they do in their personal time. Organizations should be reminded that recording sensitive information can result in data compromise or loss, and they must also recognize how such recordings could affect retention requirements, personnel matters, customer interactions, and even incident response. Employees should be given clear guidance on inappropriate uses of the technology and, when possible, the freedom to experiment with innovative ways to apply new capabilities for business benefit.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Emerging Markets Pressure BlackBerry Vendor

Research in Motion (RIM), maker of the BlackBerry smart phone, is facing demands from a growing list of countries, including the United Arab Emirates (UAE), Saudi Arabia, Kuwait, Indonesia, India, and Lebanon, to provide government access to private communications. Last week, the UAE government announced that it would ban BlackBerry messaging services starting in October 2010, a move that would affect travelers who transit the country as well as residents.
BlackBerry users in Saudi Arabia reported temporary outages last week as authorities announced an imminent cutoff, but reports now indicate that the Saudi government may have reached an agreement with RIM. The latest moves come after a 2009 incident in which UAE BlackBerry users received an update from carrier Etisalat that included spyware capable of bypassing RIM encryption. Other reports allege that some countries have made deals with RIM to obtain encryption keys or to establish in-country servers that ensure access to information for security purposes. RIM has argued that it cannot decrypt BlackBerry communications because customers create their own encryption keys and, in many cases, operate their own enterprise servers.

IntelliShield Analysis: Tensions between governments and information technology companies are rising as corporate imperatives for data privacy clash with nation-state security mandates. The search for a reasonable compromise between these conflicting priorities is playing out in emerging market economies, where legal systems are less developed and perceptions of privacy may differ from those in the West. Information security professionals may find themselves asked to perform the mutually exclusive feats of providing government access while promising customers a high level of privacy and security. From a positive perspective, host governments, anxious to outperform their neighbors by nurturing business-friendly markets, have a solid incentive to compromise. Indeed, the October ban threatened by the UAE may simply be an attempt to draw attention to the issue. However, any compromise appears likely to force organizations to reconsider what level of government monitoring is acceptable and, if that level is zero, where they conduct business in the future.
Upcoming Security Activity

USENIX Security: August 11–13, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.