Cyber Risk Report

August 22–28, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period declined from previous periods. The period highlights include a large update for Chrome 13 correcting 11 vulnerabilities, PHP update 5.3.8 correcting a cryptographic bug introduced in the 5.3.7 release, an Ubuntu Linux update correcting 22 vulnerabilities in WebKit, three security advisories from Cisco on the Cisco Unified Communications Manager, Unified Presence Server, and Intercompany Media Engine, and an Apache denial of service vulnerability together with the exploit tool that targets it.

Cisco released three security advisories for the Cisco Unified Communications Manager, Unified Presence Server, and Intercompany Media Engine correcting five vulnerabilities. The security advisories, IntelliShield vulnerability alerts, IPS signatures, and Applied Mitigation Bulletins are available on the Cisco Security Intelligence Operations website.

PHP released version 5.3.8 to correct a cryptographic bug introduced in version 5.3.7, which was released just last period. The bug could allow a user to log in using any password. PHP quickly warned users not to update to 5.3.7 following its release and to wait for the correction included in version 5.3.8. All systems running PHP are advised to update to 5.3.8 to prevent unauthorized access.

An Apache HTTP Server vulnerability that can allow a denial of service on the web server, reported in IntelliShield alert 24004, was quickly followed by the release of an attack tool that exploits it. Because Apache HTTP Server is the most widely used web server on the Internet, and is likewise embedded as a web server in many products, organizations are advised to apply the mitigation methods provided in the Apache security advisory. Updates to correct this vulnerability are not yet available.

Multiple security organizations have reported an increasing level of malicious activity on TCP port 3389, the port used by the Windows Remote Desktop Connection service. F-Secure reports that it has identified the activity as related to a new Internet worm named Morto. The worm uses brute force in an attempt to log in to the RDP service. Once a system is infected, the worm moves into the network and continues attempting to compromise additional systems. The Windows Remote Desktop Connection service is widely used by help desks and support services throughout business, education, and government organizations.
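
Detection logic for the behaviour described above, as an added example that is not part of the original report: it reads failed and successful logon events, keeps only Remote Desktop (RemoteInteractive) logons, and reports any source address that produces a burst of failures, together with any later successful logon from that same source. The event IDs 4625 and 4624 and logon type 10 are the standard Windows Security log values; the one-line-per-event text format, the threshold, the window and every sample event are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Windows Security log event IDs and the logon type that Remote Desktop sessions use.
FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESSFUL_LOGON = 4624  # "An account was successfully logged on"
RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / Remote Desktop)


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    source_ip: str
    account: str


def parse_event_line(line: str) -> LogonEvent:
    """Parse one line of the simplified, constructed format used by this example:
    '<ISO timestamp> <event id> LogonType=<n> Src=<ip> User=<name>'.
    A real deployment would take these fields from the event XML or a SIEM export.
    """
    timestamp, event_id, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return LogonEvent(datetime.fromisoformat(timestamp), int(event_id),
                      int(kv["LogonType"]), kv["Src"], kv["User"])


def detect_rdp_brute_force(events: Iterable[LogonEvent],
                           window: timedelta = timedelta(minutes=5),
                           threshold: int = 20) -> Dict[str, dict]:
    """Report every source IP with at least `threshold` failed RDP logons inside any
    `window`-long interval, with the accounts tried and any RDP logon that later
    succeeded from that source (the case that needs immediate attention).
    """
    rdp_events = sorted((e for e in events if e.logon_type == RDP_LOGON_TYPE),
                        key=lambda e: e.when)
    by_source: Dict[str, List[LogonEvent]] = defaultdict(list)
    for event in rdp_events:
        by_source[event.source_ip].append(event)

    findings: Dict[str, dict] = {}
    for source, source_events in by_source.items():
        failures = [e for e in source_events if e.event_id == FAILED_LOGON]
        # Sliding window over the time-ordered failures: the densest window decides.
        peak, low = 0, 0
        for high in range(len(failures)):
            while failures[high].when - failures[low].when > window:
                low += 1
            peak = max(peak, high - low + 1)
        if peak < threshold:
            continue
        first_failure = failures[0].when
        successes = [e.account for e in source_events
                     if e.event_id == SUCCESSFUL_LOGON and e.when >= first_failure]
        findings[source] = {
            "peak_failures_in_window": peak,
            "accounts_tried": sorted({e.account for e in failures}),
            "successful_logons_after_failures": successes,
        }
    return findings


def constructed_sample_lines() -> List[str]:
    """Constructed sample log lines (not real telemetry) in the format parsed above."""
    base = datetime(2011, 8, 26, 10, 0, 0)
    lines: List[str] = []
    # One source hammering RDP with common account names: thirty failures in two minutes ...
    names = ["administrator", "admin", "user"]
    for i in range(30):
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} {FAILED_LOGON} LogonType={RDP_LOGON_TYPE} "
                     f"Src=198.51.100.7 User={names[i % 3]}")
    # ... followed by a successful RDP logon from the same source.
    t = base + timedelta(minutes=3)
    lines.append(f"{t.isoformat()} {SUCCESSFUL_LOGON} LogonType={RDP_LOGON_TYPE} "
                 f"Src=198.51.100.7 User=administrator")
    # A network (type 3) failure from that source is not RDP and is ignored here.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} {FAILED_LOGON} LogonType=3 "
                 f"Src=198.51.100.7 User=guest")
    # A help-desk workstation mistyping a password three times stays below the threshold.
    for i in range(3):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} {FAILED_LOGON} LogonType={RDP_LOGON_TYPE} "
                     f"Src=10.0.0.23 User=jsmith")
    return lines


def run_sample() -> Dict[str, dict]:
    """Run the detector over the constructed sample and return its findings."""
    return detect_rdp_brute_force(parse_event_line(line) for line in constructed_sample_lines())


if __name__ == "__main__":
    for source, detail in run_sample().items():
        print(source, detail)
```

The sliding window is what keeps the rule useful on a busy terminal server: a help desk that fails a handful of logons an hour never reaches the threshold, while a scanner that cycles through account names every few seconds does so within a couple of minutes. A failure burst followed by a success from the same source is the finding to act on first.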

McAfee has released the McAfee Threats Report: Second Quarter 2011 (PDF). The report includes security statistics that show an increasing number of malware samples targeting Android phones. While Cisco Security Intelligence Operations has been closely tracking the increasing threats to mobile devices, this statistic may be misleading to security teams and users. Based on the actual threats identified, rather than malware samples, Symbian and BlackBerry phones remain the devices with the highest actual threat levels, while Android and iPhone threat levels rank well below them. As IT organizations adjust their procedures and policies to support and secure the growing number of mobile devices, they should be aware of which devices and activities present the highest threats and direct their efforts to address those threats.

In preparation for National Cyber Security Awareness Month in October, organizations are encouraged to develop plans to raise users' awareness of current threats and best practices. Cisco will be posting a series of security blog articles throughout the month to provide users with the latest information. Several other organizations will hold similar events and activities throughout the month that businesses can incorporate to increase their users' security awareness. Additional information on these planned activities can be found on the National Cyber Security Alliance StaySafeOnline.org website.

IntelliShield published 82 events last week: 42 new events and 40 updated events. Of the 82 events, 52 were Vulnerability Alerts, five were Security Activity Bulletins, two were Security Issue Alerts, one was an Applied Mitigation Bulletin, 21 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        08/26/2011     3         7      10
Thursday      08/25/2011     5         2       7
Wednesday     08/24/2011    16        10      26
Tuesday       08/23/2011     5        11      16
Monday        08/22/2011    13        10      23
Weekly Total                42        40      82

Significant Alerts for August 22–28, 2011

HTTPKiller: Apache HTTP Server Denial of Service Tool
IntelliShield Vulnerability Alert 23983, Version 3, August 26, 2011
Urgency/Credibility/Severity Rating: 3/5/3

A publicly available tool that exploits a vulnerability in Apache HTTP Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. Apache has reported that active use of this tool has been observed. The vulnerability exploited by the tool is documented in IntelliShield alert 24004.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 2, August 26, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has released an additional security advisory with workarounds to address the HTTP Server overlapping ranges denial of service vulnerability.
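
The vulnerability summarized in this alert, and in the period highlights earlier in the report, turns on a Range header that lists a great many overlapping byte ranges for a single resource, each of which the server then has to materialize separately. The following Python is an added example, not code from the report or from the Apache project: it parses a byte-range set, flags sets that are malformed, exceed a small range count, or overlap, and strips the offending header so the origin serves the full representation instead, which is the effect of the header-unset workaround in Apache's advisory. The default limit of 5 ranges, the inclusion of the legacy Request-Range header, and all sample header values are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# One byte-range-spec: (first-byte-pos, last-byte-pos). None means "unspecified":
# (500, None) is "500-" (to end of resource), (None, 500) is "-500" (last 500 bytes).
ByteRange = Tuple[Optional[int], Optional[int]]

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str) -> List[ByteRange]:
    """Parse an HTTP/1.1 Range header value ("bytes=a-b,c-,-d") into ByteRange pairs.

    Raises ValueError for any value that is not a syntactically valid byte-range set
    (wrong unit, empty spec, non-numeric positions, or last-byte-pos < first-byte-pos).
    """
    unit, sep, specs = value.strip().partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit in %r" % value)
    ranges: List[ByteRange] = []
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed byte-range-spec %r" % spec)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            raise ValueError("inverted byte-range-spec %r" % spec)
        ranges.append((start, end))
    return ranges


def has_overlapping_ranges(ranges: List[ByteRange]) -> bool:
    """True if any two ranges in the set cover at least one common byte.

    Positional ranges are sorted by first-byte-pos and each is compared with the
    furthest end seen so far, so the check stays O(n log n) for thousands of ranges.
    Suffix ranges ("-N") have no known start without the resource length; any two of
    them necessarily share bytes, so two or more suffix ranges count as an overlap.
    """
    infinity = float("inf")
    positional = sorted((s, infinity if e is None else e) for s, e in ranges if s is not None)
    suffix_count = sum(1 for s, _ in ranges if s is None)
    if suffix_count > 1:
        return True
    furthest_end = -1
    for start, end in positional:
        if start <= furthest_end:
            return True
        furthest_end = max(furthest_end, end)
    return False


def assess_range_request(value: str, max_ranges: int = 5) -> Tuple[str, str]:
    """Decide what to do with one Range header value: ("allow", why) or ("strip", why).

    A browser or download manager sends one range, or a few that do not overlap.
    A set that is malformed, exceeds max_ranges, or overlaps is stripped so the server
    answers with the whole resource (a plain 200) rather than building a multipart 206
    that repeats the same bytes many times over. max_ranges=5 is an assumption that
    follows the small fixed limit used in Apache's published workaround.
    """
    try:
        ranges = parse_range_header(value)
    except ValueError as exc:
        return ("strip", "malformed Range header: %s" % exc)
    if len(ranges) > max_ranges:
        return ("strip", "%d ranges exceeds the limit of %d" % (len(ranges), max_ranges))
    if has_overlapping_ranges(ranges):
        return ("strip", "byte ranges overlap")
    return ("allow", "%d non-overlapping range(s)" % len(ranges))


def sanitize_request_headers(headers: Dict[str, str], max_ranges: int = 5) -> Dict[str, str]:
    """Return a copy of the request headers with abusive range headers removed.

    Both "Range" and the legacy "Request-Range" header are checked (an assumption that
    follows Apache's advisory, which covered both); names match case-insensitively.
    """
    cleaned = dict(headers)
    for name in list(cleaned):
        if name.lower() in ("range", "request-range"):
            verdict, _ = assess_range_request(cleaned[name], max_ranges)
            if verdict == "strip":
                del cleaned[name]
    return cleaned


# Constructed sample header values for the demonstration (not captured traffic).
SAMPLE_RANGE_HEADERS = {
    "single":   "bytes=0-499",
    "multi_ok": "bytes=0-99,200-299,-100",
    "overlap":  "bytes=0-99,50-149",
    "flood":    "bytes=0-," + ",".join("5-%d" % n for n in range(5, 1300)),
    "inverted": "bytes=100-50",
}

if __name__ == "__main__":
    for label, value in SAMPLE_RANGE_HEADERS.items():
        verdict, reason = assess_range_request(value)
        print("%-9s %-5s %s" % (label, verdict, reason))
    request = {"Host": "www.example.test", "Range": SAMPLE_RANGE_HEADERS["flood"]}
    print("after sanitizing:", sorted(sanitize_request_headers(request)))
```

Stripping the header rather than returning an error is the conservative choice: a legitimate client that asked for a few ranges still receives the complete resource, while a request engineered around overlapping ranges loses the property it depended on. The same check can sit in a reverse proxy or WAF in front of an origin that cannot yet be updated.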

Previous Alerts That Still Represent Significant Risk

CA ARCserve D2D Security Bypass Vulnerability
IntelliShield Vulnerability Alert 23735, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-3011

CA ARCserve D2D contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a system. Functional code that demonstrates an exploit of this vulnerability is available as part of the Metasploit Framework. CA has confirmed this vulnerability and updates are available.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226

FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Apple, Red Hat, and FreeBSD have released security updates.

Multiple Oracle Products Authentication Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22963, Version 2, August 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0807

Oracle Sun GlassFish Enterprise Server and Sun Java System Application Server contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Oracle has confirmed the vulnerability and released updated software.

Microsoft Windows Client/Server Run-time Subsystem Console Object Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 23555, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-1281

Microsoft Windows contains a vulnerability that could allow a local attacker to gain elevated privileges on the system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS11-056 and released software updates.

Mozilla Firefox and SeaMonkey Dangling Pointer Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23046, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0065

Mozilla Firefox and SeaMonkey contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Mozilla has confirmed this vulnerability and released updated software.

Citrix XenApp and XenDesktop XML Interface Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23777, Version 2, July 29, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Citrix XenApp and XenDesktop contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Citrix has confirmed this vulnerability and released software updates. Proof-of-concept code that demonstrates an exploit of the Citrix XenApp and XenDesktop XML interface remote arbitrary code execution vulnerability is publicly available.

Microsoft Internet Explorer toStaticHTML Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 23357, Version 2, July 22, 2011
Urgency/Credibility/Severity Rating: 3/5/2
CVE-2011-1252

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information on a targeted system. Proof-of-concept exploit code is publicly available. This code could allow an attacker to convert existing functional cross-site scripting exploits into formats that bypass protections by exploiting this vulnerability. Updates are available.

Apple iOS IOMobileFrameBuffer Queueing Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 23653, Version 1, July 18, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0227

Apple iOS contains a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code. Functional exploit code for the vulnerability is publicly available and used in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose the exploit code for malicious purposes. Updates are available.

Adobe Flash Player Flash Content Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 23412, Version 4, June 23, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2110

Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Reports indicate that the vulnerability is being exploited in the wild by means of active, targeted attacks. Cisco has released an Applied Mitigation Bulletin to address the Adobe Flash Player Flash content processing remote code execution vulnerability, which can be identified or mitigated using Cisco devices. Adobe, Red Hat, and FreeBSD have released security updates.

Mozilla Firefox and SeaMonkey nsTreeRange Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23048, Version 2, June 20, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0073

Mozilla Firefox and SeaMonkey contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Available exploit samples report the ability to execute code on Windows XP and Windows 7 systems and even defeat address space layout randomization (ASLR) and Data Execution Prevention (DEP) protections. Mozilla has confirmed this vulnerability and released updated software.

Microsoft Internet Explorer layout-grid-char Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 23362, Version 3, June 17, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-1260

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system. Microsoft has released security bulletin MS11-050. Functional code that demonstrates an exploit of the Microsoft Internet Explorer layout-grid-char memory corruption vulnerability is publicly available.

Microsoft Internet Explorer Time Element Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 23359, Version 3, June 17, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-1255

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system. Microsoft has released security bulletin MS11-050. According to some reports, exploits are being observed in the wild. However, exploit code is not publicly available.

Adobe Flash Player Flash Content Processing Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 23307, Version 5, June 14, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-2107

Adobe has re-released a security bulletin to address the Flash content processing cross-site scripting vulnerability in Adobe Acrobat and Reader. FreeBSD has also released a VuXML document and an updated ports collection to address this vulnerability. Research In Motion has released a security advisory.

Physical

Hurricane Irene Blows through the US East Coast

Hurricane Irene blew through the United States (US) East Coast from North Carolina to New England, accounting for 11 deaths, power outages for millions of people, stranded travelers, and an estimated billions of dollars in property damage. The hurricane weakened as it traversed the coastline, being downgraded to a Category 1 hurricane and then to a tropical storm. Government authorities and emergency response organizations provided extensive early warnings and guidance, and ordered mandatory evacuations of many low-lying and coastal areas.

IntelliShield Analysis: Early indications are that the mandatory evacuations, emergency planning, and pre-positioning of response teams will help the impacted areas recover faster from the storm. Most of the major population centers have had their power restored, and people are returning to the coastal areas to assess the physical damage. As the post-storm assessments continue, government and emergency response organizations will be better able to determine the effectiveness of the measures taken, their costs, and the lessons learned. Areas of particular interest include the effectiveness of the messaging technologies now used by many government agencies, the resiliency of the cell phone networks and the Internet, and the general population's awareness, preparations, and responses. As many learned during Hurricane Katrina six years earlier, the aftereffects of the storm, including flooding, power interruptions, and displaced persons and businesses, will require continued attention for weeks and months in order to limit additional damage and restore the area to pre-storm levels.

Legal

Google AdWords Fine Brings Greater Examinations of Online Advertisements

Google accepted a $500 million (USD) penalty for placing Canadian pharmaceutical advertisements within its AdWords service. The United States Department of Justice charged that by displaying the advertisements, Google aided the illegal import of medicines from Canada. As required by its settlement with the United States federal government, Google has promised to put in place better processes to prevent illegal advertising.

IntelliShield Analysis: Advertisements have long been a source of both revenue and conflict for web-based companies. While they are the main source of income for search engines and content providers, malicious, illegal, or compromised advertisements may attempt to exploit users instead of selling legitimate products. The fine from the United States Department of Justice, along with increased scrutiny from consumer advocacy groups, may signal a change in advertising on the web. More careful examination of advertisements may lower revenues but make for a safer, more compliant Internet.

Trust

Insider Attack on Japanese Pharmaceutical Firm Shionogi

In legal proceedings, a former employee of a United States subsidiary of the Japanese pharmaceutical company Shionogi pleaded guilty to a charge of attacking the company's data systems. The former employee removed critical virtual systems from the company's datacenter after leaving the company following a conflict with a manager. As a result of the attacks, Shionogi was unable to conduct normal operations and put its damages from the attacks at $800,000 USD.

IntelliShield Analysis: This incident shows once again the necessity of careful human resources and account management procedures when hiring and dismissing employees. The employee left the company under duress, and measures were apparently not taken to safeguard against malicious activity: the account passwords were not changed after the individual left the company, and remote access mechanisms were not disabled. Businesses must understand that the departure of a privileged employee is a very high-risk event, and are advised to establish employee exit procedures and carefully review compliance with them.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Technology and the Security Versus Freedom Debate

An incident this month involving the temporary disabling of cell phone service in Bay Area Rapid Transit (BART) stations, aimed at thwarting planned protests, evoked sharp public criticism. Shortly after, the BART website suffered a retaliatory attack. The legality of the move is now being investigated by the Federal Communications Commission (FCC). The BART cell phone outage followed close on the heels of street riots in London, during which UK authorities' discussion of curbs on social media connectivity led some critics to draw parallels with censorship in more authoritarian countries. Some pointed out that the same online networks used to coordinate rioting and looting were also used to organize volunteer cleanup groups. Last week, British authorities met with representatives of Twitter, Facebook, and BlackBerry to discuss ways to limit access during times of unrest, although the companies declined to comment on the meetings.

IntelliShield Analysis: Social media and the mobile communications devices that enable them are showing a growing power to impact popular movements by giving users a sense of connectedness and common purpose, be they hooligans or freedom fighters. By effectively enabling the best and the worst of the information age, these technologies are forcing the companies that provide them into the political limelight. As a globally diverse population of service providers and public sector authorities seek a sustainable balance in each of their unique jurisdictions and political systems, the risk of involvement in politically or socially sensitive incidents is increasing. Some global technology suppliers are seeking to preempt public relations misunderstandings by communicating clear policies on public security versus privacy issues, while making clear their legal obligations in diverse markets.

Upcoming Security Activity

ISC2 Security Congress: September 19–22, 2011
ASIS International 57th Annual Seminar and Exhibits: September 19–22, 2011
NIST National Initiative for Cybersecurity Education (NICE) Workshop: September 20–22, 2011
RSA Europe: October 11–13, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: August 1–29, 2011
9/11 10th Anniversary: September 11, 2011
U.N. General Assembly Palestinian Statehood Vote: September 22, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
