Cyber Risk Report

August 9–15, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period increased, primarily due to large security updates from Microsoft and Adobe. The Microsoft security update for August included 14 security bulletins and 34 individual vulnerabilities. Several of these vulnerabilities are already seeing exploit and threat activity. The individual Cisco IntelliShield alerts, Applied Mitigation Bulletins, and Cisco Intrusion Prevention System signatures for the Microsoft vulnerabilities are available on the Security Intelligence Operations portal, and a complete organized correlation of the activity is in the Cisco Event Response

Adobe released a large security update that addresses multiple vulnerabilities in Adobe Reader, Acrobat, and Flash Player.  Some of these vulnerabilities are also experiencing exploit and threat activity.  Users will need to update multiple applications to install these security updates, often manually using the built-in update features.

Cisco released three product security advisories that address an IOS Software TCP denial of service vulnerability, multiple vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine, and a SQL injection vulnerability in the Cisco Wireless Control System.  These security advisories and the accompanying Applied Mitigation Bulletin are available at the Security Intelligence Operations portal and the Cisco Security Advisories and Notices website.

Researchers released public exploits and methods that could be used to jailbreak an Apple iPhone.  The methods would allow the user to legitimately perform the jailbreak to allow the installation of non-Apple applications.  However, they also allow remote attackers to perform malicious attacks against the iPhone, as reported in IntelliShield Alert 21078.

IntelliShield published 178 events last week: 87 new events and 91 updated events. Of the 178 events, 131 were Vulnerability Alerts, 15 were Security Activity Bulletins, 15 were Security Issue Alerts, 13 were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        08/13/2010     7         4      11
Thursday      08/12/2010     7        27      34
Wednesday     08/11/2010    17        15      32
Tuesday       08/10/2010    44        10      54
Monday        08/09/2010    12        35      47
Weekly Total                87        91     178


Significant Alerts for the Time Period

Microsoft Windows Win32k Kernel Driver Window Creation Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21027, Version 3, August 12, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1897

Exploits of the Microsoft Windows Win32k kernel driver window creation privilege escalation vulnerability are currently being observed in the wild.

Microsoft Windows XML Core Services Response Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21021, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2561

Proof-of-concept code that exploits the Microsoft Windows XML core services response handling arbitrary code execution vulnerability is publicly available.  The alert update also indicates an increase in the urgency.

Microsoft Windows Tracing Feature for Services Registry Key Access Control Lists Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21018, Version 3, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2554

Exploits are currently being observed in the wild.  Microsoft is aware of an increase in the number of targeted attacks that use the readily available exploit code.

Microsoft Windows Server Message Block Packet Processing Pool Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 21014, Version 4, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2550

Exploits are currently being observed in the wild.  Microsoft is aware of an increase in the number of targeted attacks that use the readily available exploit code.

Microsoft Windows Kernel Win32k Driver Exception Handling Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21024, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1894

Proof-of-concept code that demonstrates an exploit of the Microsoft Windows Kernel Win32k driver exception handling privilege escalation vulnerability is publicly available.  This updated alert indicates an increase in the urgency.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20918, Version 4, August 2, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
IntelliShield Vulnerability Alert 20915, Version 5, August 2, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin along with software updates to address the vulnerability exploited by malicious software.

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 6, July 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1885

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild.  Functional code that exploits this vulnerability is publicly available.  Microsoft has confirmed this vulnerability in a security bulletin and released updated software.

ICANN Readies Deployment of Signed Root DNS Zones
IntelliShield Vulnerability Alert 20418, Version 2, July 15, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Signed root DNS zones are designated to go into effect during a maintenance window July 15, 2010, establishing the availability of DNSSEC-enabled queries.

Microsoft Exchange Server Outlook Web Access Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 20854, Version 1, July 9, 2010
Urgency/Credibility/Severity Rating: 2/4/3

Microsoft Exchange Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks on an affected site.  Proof-of-concept code that exploits this vulnerability is publicly available.  Updates are not available.

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20625, Version 7, July 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1297

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition.  Functional code that exploits this vulnerability is available.  Adobe has confirmed this vulnerability and released updated software.

IBM and Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 6, July 29, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0886, CVE-2010-0887, CVE-2010-1423

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user.  Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable.

Microsoft Windows SharePoint Services Help.aspx Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2010-0817

Microsoft SharePoint Services versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 61, August 10, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has released a security bulletin and updated software to address the TLS renegotiation remote man-in-the-middle attack vulnerability.

Physical

World Health Organization Declares H1N1 Flu Pandemic Over

The World Health Organization (WHO) released an announcement on August 10, 2010, declaring the H1N1 (swine flu) pandemic over. The announcement stated that flu experts advised that the pandemic had passed its peak and was in decline. WHO Director-General Margaret Chan said that flu levels had returned to those normally seen during the influenza season. Over 18,000 deaths have been attributed to the pandemic, and some areas of the world and particularly vulnerable groups should continue to take measures to counter outbreaks.

IntelliShield Analysis: This pandemic caught many governments, businesses, and organizations across the globe unprepared. Following the initial outbreaks, many had to resort to emergency response actions because no prepared plans were in place; in many cases, no plan had even been considered. Now that the pandemic has moved into decline, organizations are encouraged to review their responses and adjust or prepare more thorough plans for the next similar event. Because they were largely unprepared and had to respond rapidly, many may have spent large amounts of resources on activities that produced no value or increased protection. In particular, incident response organizations should review the communications they received and the communications they presented to their own organizations, because many complaints were reported throughout the pandemic that the communications were confusing, misinformed the organization, or provided little effective guidance.

Legal

Payment Card Industry Data Security Standards 2.0 Changes Released for Comments

The PCI Security Standards Council (PCI SSC) has released the changes for the next versions of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS), which are projected to become effective in October 2010. The standards have adopted a 3-year update cycle, increased from the previous 2-year cycle, to ensure that the standard remains current with threat activity. The preview of the change highlights is provided to allow comments and feedback prior to the October 2010 effective date.

IntelliShield Analysis: The initial response to the new version has widely noted what is not included, as opposed to what changes are included. Although the changes do address some areas of concern around virtualization, alternate technologies, and risk-based vulnerability management, the details about these issues remain vague. While the standards have been widely adopted globally and organizations require compliance with them, organizations are also reminded that compliance alone does not provide the security required in many cases. Multiple incidents have demonstrated that organizations will need to exceed the standard to provide the level of security needed to protect data and transactions. Particularly with the change to a 3-year cycle, which may be too long a period given the rapid changes seen in threat activity, organizations will need to adjust more quickly to developing threats.

Trust

There was no significant activity in this category during the time period.

Identity

Improper Record Disposal Exposes up to 24,000 in Massachusetts

Four community hospitals in the Boston, Massachusetts area are investigating what appears to be a years-long mishandling of sensitive patient information. The hospitals contracted with pathologists, who in turn relied on a contractor to handle their billing. It appears that the contractor was not following required state records disposal laws, which demand that personally identifying records be rendered unreadable when disposed of. The records were discovered by chance when a photographer for the Boston Globe newspaper noticed a large pile of paper while he was at the disposal site dumping his own garbage. Further investigation is ongoing to determine the full scope of the exposure, including whether other hospitals or patients are affected.

IntelliShield Analysis: Disclosures of this sort are both sensational and disheartening. Still, the Verizon 2010 Data Breach Investigations Report suggests that mishandling of data by partners accounts for only 1 percent of data losses. Thankfully, clear policy and enforced requirements throughout the chain of outsourcing can easily raise awareness and set expectations about data handling. Not only should contracting companies be aware of the laws governing their work, but their customers should also communicate their expectations, which would help control much of this kind of improper data handling.

Human

There was no significant activity in this category during the time period.

Geopolitical

There was no significant activity in this category during the time period.

Upcoming Security Activity

GFIRST: August 15–20, 2010
VMWorld: August 30–September 3, 2010
InterOp NY: October 18–22, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
Ramadan: August 11–September 8, 2010
Australia General Elections: August 21, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.