Cyber Risk Report

August 23–29, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period increased from the previous period because of the number of newly reported vulnerabilities. The period was highlighted by security advisories and updates related to the Microsoft Dynamic Link Library (DLL) insecure loading vulnerability. The vulnerability is likely to affect a large number of applications that run on Microsoft Windows systems, and remediation depends on individual vendors releasing security updates for their own applications. Microsoft, Adobe, Opera, Apple, and Wireshark released updates for affected applications during this period, and more are expected in the coming weeks. Exploits and exploit tools for the vulnerability are publicly available.

Additionally, large security updates were released during the period by Adobe, to correct multiple vulnerabilities in Shockwave; Apple, to correct multiple vulnerabilities in Mac OS X; RealNetworks, to correct multiple vulnerabilities in RealPlayer; and phpMyAdmin, to correct multiple vulnerabilities.

Cisco released security advisories correcting multiple vulnerabilities in Cisco Unified Communications Manager and Cisco Unified Presence, and a security advisory for a previously corrected vulnerability in WebEx. All Cisco Security Advisories and correlated IntelliShield alerts are available on the Cisco Security Intelligence Operations website.

On Friday, August 27, 2010, a route addition by the RIPE NCC Routing Information Service (RIS) exposed a flaw in Cisco IOS XR Software caused by improper processing of experimental Border Gateway Protocol (BGP) route attributes. Propagation of a BGP route carrying an experimental attribute caused devices running Cisco IOS XR Software to close some BGP sessions with their peers, resulting in a temporary denial of service (DoS) condition. Cisco corrected the vulnerability the same day and reported the events in a Cisco Security Advisory and in IntelliShield alerts 21265 and 21266.

Newly identified spam routines originating from the Zeus botnet are using multiple phishing and spear phishing techniques to target users and compromise their systems. Some spam routines have included reports of celebrity deaths, and others have used more targeted social engineering methods. The spam messages include a .zip compressed file attachment that, when opened, installs the malicious code on the user's system. Compressed file attachments (.zip) are a known high risk, and users should be reminded of the dangers of opening e-mail attachments and of secure e-mail message handling practices. The Zeus botnet continues to be one of the most successful and active botnets and is believed to be responsible for the theft of millions of dollars from compromised users' financial accounts around the world.
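The passage above recommends treating .zip attachments as high risk. As an added example (not code from the Cisco report, and not any Cisco product's logic), the script below shows the kind of mail-gateway check a defender can apply: it parses a raw e-mail message, finds .zip attachments, and lists any archive members with executable extensions or nested archives. The sample message and its empty "executable" member are constructed inline so the script runs offline; the extension list is an assumption and would be tuned to local policy.

```python
"""Flag e-mail messages carrying .zip attachments that contain executable content.

Added example: a minimal attachment check of the kind recommended for compressed
attachments. The sample message below is constructed so the script runs offline.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes directly when a user double-clicks the file
# (assumed policy list; extend to match local requirements).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk")


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Return names of archive members that are executables or nested archives.

    Nested .zip files are reported too, because wrapping a payload in a second
    archive is a common way to get past a filter that only looks one level deep.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes or b""))
    except zipfile.BadZipFile:
        # A corrupt or truncated archive cannot be inspected; fail closed.
        return ["<unreadable archive>"]
    flagged = []
    for name in archive.namelist():
        lower = name.lower()
        if lower.endswith(EXECUTABLE_EXTENSIONS) or lower.endswith(".zip"):
            flagged.append(name)
    return flagged


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Walk a raw RFC 5322 message and map each .zip attachment to its flagged members.

    An attachment is treated as a zip if either its filename or its declared
    content type says so, because spam commonly lies about one or the other.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        if filename.lower().endswith(".zip") or ctype in (
            "application/zip",
            "application/x-zip-compressed",
        ):
            findings[filename] = suspicious_zip_members(part.get_payload(decode=True))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample lure message whose .zip hides an empty, harmless .exe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Celebrity_News.exe", b"")  # constructed placeholder, contains no code
        z.writestr("readme.txt", b"constructed sample")
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"  # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Breaking news"
    msg.set_content("See the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, members in scan_message(build_sample_message()).items():
        verdict = "QUARANTINE" if members else "clean"
        print(f"{attachment}: {verdict} {members}")
```

Running the script on the constructed message reports report.zip for quarantine because of the Celebrity_News.exe member; a zip containing only documents would be reported clean, and an archive that cannot be parsed is flagged rather than passed through.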

United States (U.S.) Pentagon officials released details of the 2008 compromise of multiple U.S. Department of Defense (DoD) systems, traced to an infected USB drive inserted into a DoD system. Recent research reports indicate that as much as 25 percent of malicious code is designed to infect and spread through USB drives inserted into otherwise secure systems. Organizations that have not addressed this risk should consider establishing policy and practices to prevent the infection and spread of malicious code, because the popularity and use of USB devices continue to increase.

IntelliShield published 111 events last week: 72 new events and 39 updated events. Of the 111 events, 84 were Vulnerability Alerts, eight were Security Activity Bulletins, four were Security Issue Alerts, 13 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        08/27/2010    18        1     19
Thursday      08/27/2010    16        4     20
Wednesday     06/23/2010    18       10     28
Tuesday       06/22/2010     8       15     23
Monday        06/21/2010    12        9     21
Weekly Total                72       39    111

Significant Alerts for August 23–29, 2010

Microsoft Windows Applications Insecure Library Loading Behavior
IntelliShield Vulnerability Alert 21215, Version 2, August 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory that details an application behavior that could affect a large number of Windows-based applications. An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with the privileges of a user. Exploits are available.

Previous Alerts That Still Represent Significant Risk

Adobe Acrobat and Reader cooltype.dll Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21093, Version 4, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2862

Adobe Acrobat and Reader contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Adobe has confirmed this vulnerability and software updates are available.

Multiple Vendor PDF Viewer /launch Program Execution Attack
IntelliShield Vulnerability Alert 20294, Version 3, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1240

Adobe has released a security bulletin and updated software to address the multiple vendor PDF viewer /launch program execution attack.

Microsoft Windows Win32k Kernel Driver Window Creation Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21027, Version 3, August 12, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1897

Exploits of the Microsoft Windows Win32k kernel driver window creation privilege escalation vulnerability are currently being observed in the wild.

Microsoft Windows XML Core Services Response Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21021, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2561

Proof-of-concept code that exploits the Microsoft Windows XML core services response handling arbitrary code execution vulnerability is publicly available. The alert update also indicates an increase in the urgency.

Microsoft Windows Tracing Feature for Services Registry Key Access Control Lists Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21018, Version 3, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2554

Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that use the readily available exploit code.

Microsoft Windows Server Message Block Packet Processing Pool Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 21014, Version 4, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2550

Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that leverage the readily available exploit code.

Microsoft Windows Kernel Win32k Driver Exception Handling Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21024, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1894

Proof-of-concept code that demonstrates an exploit of the Microsoft Windows Kernel Win32k driver exception handling privilege escalation vulnerability is publicly available. This updated alert indicates an increase in the urgency.

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20918, Version 4, August 2, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability. A functional exploit that is part of the Metasploit Framework is publicly available.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
IntelliShield Vulnerability Alert 20915, Version 6, August 27, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin along with software updates to address the vulnerability exploited by malicious software.

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 6, July 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1885

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released updated software.

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20625, Version 7, July 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1297

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.

IBM and Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 6, July 29, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0886, CVE-2010-0887, CVE-2010-1423

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Red Hat has released an additional security advisory and updated packages to address the Oracle Java Web Start Java Development Kit ActiveX control command-line injection vulnerability.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 61, August 10, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Physical

iPhone App Used with Webcam to Witness Home Robbery

A Dallas-area resident recently used a combination of an iPhone application and a personal webcam to witness the burglary of his own home while on vacation. Upon being alerted remotely by his iPhone app that his house had been invaded, he promptly notified police of the ongoing robbery.

IntelliShield Analysis: Although police were unable to apprehend the criminals, who fled the scene, this report is an excellent example of cutting-edge technology being put to use by individuals. Public and private corporations have been reaping the benefits of rapid technological change to improve their bottom line for years. It is a good sign to see individuals beginning to benefit through their own use of collaborative tools and applications.

Legal

U.S. Federal Courts Disagree on Location-based Privacy

A recent decision from the Ninth Circuit of the U.S. Federal Appeals Court would allow government officials to establish continuous location monitoring, ruling that individuals do not have a right to expect privacy from such monitoring. Under this ruling, authorities would not require a warrant to establish location tracking. However, the Fourth Circuit of the U.S. Federal Appeals Court recently decided a similar case in the opposite manner, noting that temporary location information can be somewhat revealing, but that location details tracked over time become much more revealing and much more invasive. Both courts' rulings are subject to being overturned by the U.S. Supreme Court, but because the Seventh and Eighth Circuits align with the Ninth, it may be more likely that the Fourth Circuit's decision will be reviewed.

IntelliShield Analysis: GPS has become a key technology for business, quickly pervading the electronic gadgets desired by consumers. While there are many personal and professional benefits of location awareness, in the hands of an overzealous authority, the detailed information that can be gleaned from location, habits, and patterns of an individual could quickly erode privacy and personal freedom. Though it is true that a person's movements in public are open for anyone to see, crossing the line into technical automation of this type of tracking creates scenarios that could never exist if a person's movements were tracked by traditional means. Specifically, an increased number of people can be tracked by fewer investigators and GPS may strongly resist evasion. Individuals may be negatively affected by this broad application of traditional understandings about expectations of privacy and the significant amplification afforded by advanced technology.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Governments Hash Out Social Media Policies

Facebook membership recently passed 500 million, prompting some to observe that if the social networking site were a country, it would now be the third most populous in the world after China and India. Indeed, a variety of recent reports point to the expanding political role being played by social media around the world. Mexican President Felipe Calderon, for example, facing intense public criticism over the mounting casualties generated by his war against drug trafficking, floated on Twitter the idea of legalizing certain drugs as a way to discourage drug violence. Nigerian President Goodluck Jonathan, heading into an election season, uses his Facebook page as a daily platform for communications. And Gamal Mubarak, son of the ailing Egyptian President and a possible presidential candidate, recently found that his Facebook page had been defaced by hackers.

IntelliShield Analysis: The time has passed when governments and public officials could ignore or try to stifle social media. If one site is shut down, users find others. Users are also adept at spoofing their locations to circumvent location-based filters or using anonymizers to cover their tracks. Videos of police brutality or the inappropriate comments of a candidate, shot on mobile phone cameras and tweeted from the street, can go viral in hours, and public denials may ring hollow when contradicted by photographic evidence. Governments are probably concluding that attempts to block or ignore social media will be unsuccessful. Information security specialists should expect, and plan ahead for, government customers turning to private industry for advice and technology solutions that harness the potential of social networking sites while mitigating the political risk they create.

Upcoming Security Activity

VMworld: August 30–September 3, 2010
Interop New York: October 18–22, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
Ramadan: August 11–September 8, 2010
XIX Commonwealth Games (Delhi, India): October 3–14, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.