The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Vulnerability
Vulnerability activity increased for the period. Multiple large vendors, including HP, Red Hat, MontaVista, CentOS, and Cisco, released new security updates for previously reported vulnerabilities. Additional security advisories and software updates were released for SAP NetWeaver, Apache Struts, and the Google Chrome browser.
The use of multiple web browsers remains a serious security risk for many organizations. While most organizations provide a standard build and a supported browser, they also allow users to install other browsers that may not be known to or supported by the IT and patch management organizations. As the use of multiple browsers continues to increase and shift in popularity, organizations should develop policies that address the risks, maintain updated software, and educate users on the risks, secure configuration, and maintenance of multiple browsers.
Proof-of-concept code that exploits the Microsoft Windows Media Player MIDI file processing arbitrary code execution vulnerability, reported in MS12-004 and IntelliShield alert 24880, is publicly available, and the vulnerability may be targeted by malware. Media players are another group of products that are frequently targeted; like web browsers, users often have multiple media players installed, which can present a significant risk to an organization.
Cisco has released an Applied Mitigation Bulletin to address the MIT Kerberos 5 Telnet service buffer overflow arbitrary code execution vulnerability reported in IntelliShield alert 24838. Cisco has also re-released a security advisory and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability, which was reported in IntelliShield alert 24004.
Details and additional information continue to be released on the exposure of product source code from Symantec, which this period resulted in the release of an advisory and hotfix for pcAnywhere users. The multiple announcements appear to be causing some confusion for users. Ultimately, Symantec and multiple security organizations are advising users to limit use of pcAnywhere or to remove the software.
IntelliShield published 129 events last week: 54 new events and 75 updated events. Of the 129 events, 77 were Vulnerability Alerts, 14 were Security Activity Bulletins, three were Security Issue Alerts, 33 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:
Weekly Alert Totals
Significant Alerts for January 23–29, 2012
Microsoft Windows Media Player MIDI File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24880, Version 2, January 27, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4108
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Proof-of-concept code that exploits the Microsoft Windows Media Player MIDI file processing arbitrary code execution vulnerability is publicly available. Reports indicate malware activity exploiting this vulnerability has been observed in the wild.
Previous Alerts That Still Represent Significant Risk
OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue
IntelliShield Vulnerability Alert 24893, Version 6, January 25, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4108
OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could result in easier recovery of plaintext information from encrypted text. Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue. OpenSSL, CentOS, FreeBSD, HP and Red Hat have released security advisories and updates.
Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 6, January 24, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544
Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.
Oracle Java SE Critical Patch Update October 2011
IntelliShield Vulnerability Alert 24433, Version 8, January 24, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561
Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Apple, CentOS, HP, and Red Hat have released security advisories and updates.
Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 24, January 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista has released a security alert and updated software. Cisco has re-released a security advisory and updated software.
Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 6, January 24, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2462
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework. FreeBSD has released a security bulletin and updated technical details.
Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 5, January 23, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, and Red Hat have released security advisories and updates.
Oracle Critical Patch Update January 2012
IntelliShield Vulnerability Alert 24972, Version 1, January 18, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on targeted systems.
ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 11, January 4, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313
ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause for the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.
Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 3, December 13, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402
Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.
Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 1, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability, and software updates are not available. The vulnerability is due to a regression error introduced by the fix for CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.
Physical
Solar Activity Increasing
On Monday, January 24, a huge solar storm erupted on the Sun and the solar wind reached the Earth shortly after. The National Oceanic and Atmospheric Administration (NOAA) Space Weather Prediction Center released a warning about possible disruptions in satellite communications. Airlines that operate flights over the Arctic modified their flight plans and took a more southern course from their usual routes.
IntelliShield Analysis: Solar flares and other space weather can damage satellites, endanger astronauts in space, and cause disruptions for aircraft. What is less widely known is that space weather can also disrupt power grids and pipelines, an effect that becomes more prominent the farther north one travels. Given the reliance on communication technologies and the rising prominence of shale oil and gas (transported from the north of Canada), space weather will have to be taken into consideration more frequently. As the Sun nears the high point of the solar activity cycle, potential interruptions will likely increase and should be considered in business continuity and disaster recovery plans.
Legal
Protests in Europe Over the Anti-Counterfeiting Trade Agreement
Days after the Stop Online Piracy Act (SOPA) was tabled in the United States, the Anti-Counterfeiting Trade Agreement (ACTA) was signed by 22 members of the EU. This agreement was previously signed by the Obama administration, although the negotiations began during the Bush administration. Most of the negotiations over ACTA have been held behind closed doors, and many of the details of the agreement are still unknown. The White House, under both the current and the previous administrations, has declined to release the text of the agreement, citing national security concerns. The news of the signing caused protests to break out in parts of Europe, some of them quite widespread.
IntelliShield Analysis: Although exact details of the agreement are still somewhat sketchy, some of the more onerous provisions of this agreement could make sharing information such as what was learned in a classroom setting illegal, or make it illegal to sell generic drugs, a concern for much of the developing world. This agreement could also force Internet service providers into an enforcement role by holding ISPs liable for the actions of their customers. Enterprises are advised to keep an eye on the ratification progress of this agreement. Although eventual passage is not assured, it could impose many new requirements on the enterprise concerning reporting on users' activities.
Trust
Chip Cards Are On the Way
VISA and MasterCard are set to distribute chip cards throughout the United States by April 2013. These cards will be issued as both credit and debit cards. These chip cards, also known as integrated circuit (IC) cards, leverage the Europay, MasterCard and VISA (EMV) standard to provide cards that contain an embedded microchip. This solution provides increased security by leveraging standards across cards and the infrastructure devices that authenticate transactions, such as ATMs and point-of-sale (POS) systems. United States-based credit card companies are looking forward to the adoption of these chip cards as a means to curtail and mitigate security incidents, specifically skimming, which continues to cost these organizations a great deal.
IntelliShield Analysis: Many organizations and individuals have been advocating chip cards for years, because they significantly reduce credit card fraud. Furthermore, the United States has an advantage in this migration, as it has been able to view and analyze the experiences of European nations that have already made the transition. This has given the United States the ability to review the lessons learned by those nations and to understand the costs associated with the impending transition.
There is no question that the security improvement offered by chip cards is a major step forward in the smart card arena. The next question in this saga will be the total cost of the transition and the ongoing maintenance required to support it. The cost concern is not so much the cards themselves as upgrading the nation's infrastructure to accommodate the EMV standard and, in essence, the chip card technology. This includes ATM upgrades, card readers and scanners, authentication programs for e-commerce, and unique solutions to accommodate the standard across contact and contactless cards. The evolution of technological advances such as smart cards, specifically for the sake of security, continues to emphasize the importance of security in today's society.
Identity
O2 Leaks Mobile Phone Number Information
Over a two-week span, the UK-based mobile provider O2 inadvertently sent users' mobile phone numbers, along with other technical information, to website owners that were not on the O2 trusted partners list. This information, including mobile phone numbers, is regularly communicated to the O2 trusted partners to verify the age of mobile users, enable billing of premium content, and provide customized website content based on the identity of the user. O2 responded to the reported leak, saying it had corrected the error.
IntelliShield Analysis: The communication of Internet-based device information (for example, Internet cookies) to website owners has been a common practice for quite some time now, so extending this practice to include mobile phone numbers for Internet-enabled smartphones does not seem like much of a stretch. The issue here is that, while many Internet users either don't know or are not concerned about the sharing of their cookies, the thought of their mobile number being shared is more disconcerting because it feels much more personal. Mobile phone owners who have concerns about this information being shared with website owners would do well to check the information-sharing practices of their providers to see what types of information are communicated, and to take advantage of the opportunity, should it exist, to opt out of such agreements.
Human
There was no significant activity in this category during the time period.
Geopolitical
Counterfeiters Compete with Technologists to Out-Innovate
Counterfeiting of high-tech equipment is a growing problem, according to industry experts. High-tech multinationals, working with law enforcement in many countries, are working to break up crime groups involved in the trade, but criminals are working just as hard to outwit them. The accounting firm KPMG estimates that up to 10 percent of global high-tech product sales are counterfeit, providing further impetus for IT manufacturers to actively monitor their marketplace.
As criminal groups learn ways to elude detection and defeat anti-counterfeiting technologies, tech companies are working on preventive measures to stay one step ahead. The US Defense Logistics Agency is working with industry partners, for example, to determine whether DNA marking can be used to authenticate microchips, according to a recent press report.
IntelliShield Analysis: With challenging economic times cutting into enterprise and government budgets, many IT equipment purchasers are prioritizing price over other considerations. This has compounded IT industry losses from counterfeiters, as gains in anti-counterfeiting technologies are offset by criminal groups' evasive techniques. In particular, industry experts are witnessing a move up the value chain, drawing in the newest, priciest, critical product lines. Criminal groups are using tricks such as warranty abuse, discount abuse, and counterfeit upgrades to sell products at a price point they could not have approached before. In addition to eroding profits and brand reputation, counterfeit components can create safety hazards, particularly if used in critical networks, and increase downtime and servicing requests. These concerns can increase legal risk as well. For information security specialists, staying one step ahead of counterfeiters is likely to be increasingly important to their employers' bottom lines in the future.
Protecting our corporate brand and our reputation for quality is a serious issue for Cisco. Please notify the Cisco Brand Protection team if you suspect a breach of intellectual property by sending an email to brandprotection@cisco.com. For more information on Cisco Brand Protection, please go to www.cisco.com/go/brandprotection.
Upcoming Security Activity
RSA Conference: February 27–March 2, 2012
Cisco Live London 2012: January 30–February 3, 2012
CanSecWest 2012: March 7–9, 2012
Global Privacy Summit: March 7–9, 2012
Black Hat Europe: March 14–16, 2012
Cisco Live US: June 10–14, 2012
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
Presidential Election Russia: March 4, 2012
World IPv6 Launch: June 6, 2012
Additional Information
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.