August 3–9, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity during the time period increased due to the release of several major vendor and product security updates. For example, Apple released Mac OS X version 10.5.8, which included corrections for 18 vulnerabilities that existed in previous versions. Apple also released an update for an iPhone vulnerability that was presented at the recent Black Hat security conference. Security researchers also identified multiple vulnerabilities in XML libraries that are widely used across the Internet and in numerous products. The researchers are coordinating the release of information through CERT-FI (Finland) and several major vendors, including Sun, the Apache Software Foundation, and the Python Software Foundation. As part of the effort, Sun released Java 6 Update 15 (JRE), which corrects several of the vulnerabilities.
Additional vendors have released announcements, and continued updates are expected. During the time period, Microsoft released the Security Bulletin Advance Notification for August 2009. Nine bulletins are scheduled for release on August 11, 2009. Five of the bulletins are rated Critical, and four are rated Important. The bulletins will address vulnerabilities in Microsoft Windows, Office, Visual Studio, ISA Server, BizTalk Server, and the .NET Framework.

IntelliShield published 137 events last week: 46 new events and 91 updated events. Of the 137 events, 103 were Vulnerability Alerts, nine were Security Activity Bulletins, seven were Threat Outbreak Alerts, 16 were Security Issue Alerts, one was a Malicious Code Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for August 3–9, 2009

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
Microsoft Visual Studio Active Template Library (ATL) contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin, and Sun has released an alert notification and updated software to address the vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. ISC, FreeBSD, Red Hat, Sun, and HP have released security bulletins and updated software to address the vulnerability.

Previous Alerts That Still Represent Significant Risk

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploitation of this vulnerability is ongoing.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
Microsoft Windows XP (up to and including SP3) and Windows Server 2003 (up to and including SP2) contain a vulnerability in the msvidctl ActiveX control that could allow an unauthenticated, remote attacker to execute arbitrary code.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring and has released an update that corrects this vulnerability.
Microsoft Internet Information Services WebDAV Unicode Processing Security Bypass Vulnerability
Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
W32/Conficker has changed its command-and-control communication methods and begun to download malicious files to infected systems. Conficker has thus changed from malicious code that infects vulnerable systems into an operational botnet. Conficker is expected to continue to infect vulnerable systems, change its command-and-control communication, and download additional malicious files to infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents.
An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided software updates.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
Adobe Reader, Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability and released updated software.

Physical

Physical Security Research Finds Various Flaws in High-Tech Locks
Two presentations at the recent DefCon 17 security conference focused on methods for defeating electronic locks. In the first demonstration, a researcher from Texas State University in the United States noticed that the networked electronic locks in his facility used predictable TCP sequence numbers. Simply replaying an unlock command with the appropriate sequence number could unlock one or all locks in the facility without generating a log entry for the event. Other researchers demonstrated vibration-based methods for defeating hybrid electromechanical lock systems; with these methods, an intruder could use a low-security mechanical key to bypass a high-security electromechanical lock in the same facility.

IntelliShield Analysis: Physical security is rapidly converging with IT security, and the overall effect is beneficial for managing organizational risk.
In some cases, however, the attack surface of the controls can increase, especially where physical security devices are attached to networks that allow remote access. Likewise, low-tech attacks like the vibration compromise of the electromechanical lock reiterate that physical access can also subvert electronic controls. If audit trails can be bypassed on control systems that are believed to be impenetrable, attackers can leverage this false sense of security to implicate the last authorized entrant. Strong, hybrid controls are the future of physical security, but they must be deployed appropriately and not trusted implicitly, because an attacker with physical access to a device increases the risk of compromise. As with all defense-in-depth strategies, physical controls must be complemented with other measures to monitor or limit access to devices.

Legal

Microsoft Proposes New Options to Settle European Union Antitrust Cases
In response to an antitrust case in the European Union, Microsoft has proposed a browser ballot that would allow users to select which browser is installed with a Windows operating system. The available choices have not been determined, but reports suggest that they would include the ten most popular browsers. Microsoft is also proposing a default file format ballot for Office 2010 that would allow users to configure Microsoft Office products to use a file format that is consistent with other office products, such as StarOffice.

IntelliShield Analysis: These proposals are the result of lingering antitrust suits in the European Union (EU). Browser vendors such as Opera and Mozilla welcome the change but would prefer that the proposal were more global in nature. The ballot for Office 2010 has not been described in detail, but it has been stated that the Open Document Format (ODF) used by OpenOffice.org and several other applications may be an available selection.
It is unlikely that Microsoft will offer the ballot choices outside the EU unless the vendor faces court cases in other markets, such as the United States. These choices could affect the build and configuration options presented to businesses and users and eventually create a more diverse application environment for support and security teams. For these reasons, organizations are advised to consider the impact of these options in system policies.

Trust

There was no significant activity in this category during the time period.

Identity

Radio Frequency Identification Vulnerabilities Demonstrated at DefCon
At the annual DefCon security conference, a new capture technology was added for eventual use in the infamous "Wall of Sheep" security awareness project: Radio Frequency Identification (RFID) scanning coupled with a web camera. In an effort to highlight the insecurity of RFID for any form of identification, a station was set up to read devices carrying RFID information and simultaneously capture an image of the credential's probable owner. Numerous United States federal officials were in attendance as part of a panel discussion at the conference, and although it has not been confirmed whether any sensitive information was compromised, panel participants were surprised when informed of the effort.

IntelliShield Analysis: Researchers continue to mine the security risks of RFID technology deployed in a variety of scenarios. RFID chips are increasingly embedded in passports and other identification documents with the intent of providing quick access to information through proximity rather than physical contact. Raising the awareness of government officials at a security conference whose attendees are known to be unforgiving might have been brazen, but it also highlights potential misuse.
Organizations are advised to weigh any identity-determination system under consideration against the sensitivity of the data and the possibility that the data could be compromised in an innovative manner. Users should also understand the risk of compromise through RFID and consider options such as shielding and carrying RFID objects only when required.

Human

United States Government Reviews Web 2.0 Technologies
While the United States (U.S.) Pentagon continues to analyze the presence of Web 2.0 technologies (for example, Twitter, Facebook, and MySpace) on its computer systems, the U.S. Marine Corps recently banned these types of social networking technologies. The Marine Corps directive was issued in an effort to limit the exposure of information carried on its networks.

IntelliShield Analysis: All types of organizations that leverage the Internet have experienced the explosion of Web 2.0 technologies, including educational institutions, private and public enterprises, federal governments, and the military. The expedient nature with which these technologies allow individuals to communicate has enabled a variety of individuals to maintain an almost real-time electronic dialogue with others around the world. Unfortunately, these new avenues for information flow also present new conduits through which proprietary information can be accessed maliciously or inadvertently communicated externally. To reap the benefits of Web 2.0 and minimize the risk of private information exposure, organizations must continue to focus on the implementation and periodic reassessment of the necessary security policies, procedures, and technologies in their network environments.

Geopolitical

There was no significant activity in this category during the time period.
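The electronic-lock finding in the Physical section above turned on predictable TCP sequence numbers: when a device's initial sequence numbers (ISNs) follow a simple pattern, an attacker who has observed a few connections can forge or replay a command without completing a legitimate handshake. The Python script below is an added example, not code from the report, from Cisco, or from the DefCon researchers. It takes a list of ISNs observed on successive connections to one device and classifies how predictable they are, in the spirit of the ISN sampling that OS-fingerprinting tools perform. The sample values, the device names, and the variance threshold are constructed assumptions for illustration and are not measurements of any real product.

```python
"""Classify how predictable a device's TCP initial sequence numbers (ISNs) are.

Added example for the Physical section's electronic-lock finding. Input is a
list of ISNs observed on successive connections to the same device. All sample
values below are constructed for illustration; nothing here touches a network.
"""
import statistics

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32 to handle wrap."""
    if len(isns) < 2:
        raise ValueError("need at least two observed ISNs")
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns, low_variance_threshold=2 ** 16):
    """Return one of 'constant', 'low-variance', or 'unpredictable'.

    'constant'      : every step is the same, so the next ISN is known exactly.
    'low-variance'  : steps cluster within low_variance_threshold (an assumed
                      bound), so a small brute-force window covers the next ISN.
    'unpredictable' : steps spread across the 32-bit space; no useful prediction.
    """
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant"
    if (max(deltas) - min(deltas)) < low_variance_threshold:
        return "low-variance"
    return "unpredictable"


def predict_next_isn(isns):
    """Best guess for the next ISN and the search window an attacker would need.

    Returns (guess, window). window is 0 when the guess is exact, otherwise the
    spread of observed deltas (a simple heuristic; real tools use more samples).
    """
    deltas = isn_deltas(isns)
    guess = (isns[-1] + int(statistics.median(deltas))) % MOD
    window = max(deltas) - min(deltas)
    return guess, window


# Constructed sample observations (assumed devices, not measurements of any product).
# Lock controller: a fixed 64000 increment per connection, like early BSD stacks.
LOCK_CONTROLLER_ISNS = [(1_000_000 + 64_000 * i) % MOD for i in range(6)]
# Modern host: values spread across the whole 32-bit space (hand-picked constants).
MODERN_HOST_ISNS = [0x1F2E3D4C, 0xA8B7C6D5, 0x0123ABCD, 0xDEADBEEF, 0x7A3B9C1D, 0x3C3C0F0F]


def assess(name, isns):
    """Print a one-line summary for one device and return its classification."""
    verdict = classify_isn(isns)
    guess, window = predict_next_isn(isns)
    print(f"{name}: {verdict}; next ISN guess {guess:#010x}, search window {window}")
    return verdict


if __name__ == "__main__":
    assess("lock-controller", LOCK_CONTROLLER_ISNS)
    assess("modern-host", MODERN_HOST_ISNS)
```

A "constant" verdict means a captured unlock command can be replayed with an exactly computed sequence number, which is the condition the lock researcher described; a device in that state belongs on an isolated network segment with access controls in front of it rather than on a LAN that allows remote access. The thresholds here are deliberately coarse; a production check should gather more samples and account for timing-based increments.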
Upcoming Security Activity

18th USENIX Security Symposium: August 12–15, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Pakistan Independence Day: August 14, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.