Cyber Risk Report

January 24–30, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased from the previous period. Highlights for the period include additional information and IntelliShield alerts on the Oracle Critical Patch Update for January 2011 vulnerabilities and on vulnerabilities in SAP Crystal Reports, Novell ZENworks and GroupWise, and HP LoadRunner. Additionally, a new vulnerability was reported in the Microsoft Windows MHTML protocol handler, as reported in IntelliShield alert 22310. Cisco released a security advisory on multiple vulnerabilities in the Cisco Content Services Gateway Second Generation, reported in IntelliShield alerts 22259 and 22260.

ShmooCon 2011 presentations during the period highlighted multiple vulnerabilities in smartphones and demonstrated botnet operations exploiting the devices. Similarly, researchers at the City University of Hong Kong and Indiana University released information on the development of trojan malware for the Android OS that is designed to steal financial information from the user's phone conversations. As reported in the recent Cisco 2010 Annual Security Report, researchers continue to focus on these devices and networks as the user base continues to grow. A recent comScore report also highlighted the increased activity related to e-mail message handling on smartphones, raising concerns over the shifting risk and the limited security features available for these devices.

IntelliShield published 108 events last week: 42 new events and 66 updated events. Of the 108 events, 89 were Vulnerability Alerts, four were Security Activity Bulletins, three were Security Issue Alerts, 11 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date          New   Updated   Total
Friday        01/28/2011     10        20      30
Thursday      01/27/2011      8        34      42
Wednesday     01/26/2011     13         3      16
Tuesday       01/25/2011      6         4      10
Monday        01/24/2011      5         5      10
Weekly Total                 42        66     108

Significant Alerts for January 24–30, 2011

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 2, January 31, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-0096

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 4, January 28, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed, in conjunction with exploits for a vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21686, Version 10, January 19, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3654

Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability. Sun has released a security notification and patches.

Oracle Critical Patch Update January 2011
IntelliShield Security Activity Bulletin 22251, Version 1, January 18, 2011
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the January 2011 Critical Patch Update Advisory for multiple products. The update contains 67 new security fixes that address multiple Oracle product families. IntelliShield has released multiple significant individual vulnerability alerts from the January CPU.

Mozilla Firefox, Thunderbird, and Seamonkey DOM Object Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21678, Version 6, January 10, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3765

Mozilla has released updated software to address the Firefox, Thunderbird, and Seamonkey DOM object processing arbitrary code execution vulnerability. Red Hat, CentOS, and Freebase have also released security updates to address the vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22180, Version 3, January 7, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3970

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability; however, software updates are not available.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 11, January 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 72, December 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available.
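The practical check for this alert, as an added example that is not part of the Cisco report: the fix for CVE-2009-3555 is RFC 5746, under which a patched server advertises the renegotiation_info extension (type 0xff01) in its ServerHello, carrying an empty renegotiated_connection field on the initial handshake. The Python below parses a TLS ServerHello record, reports whether that extension is present, and rejects malformed records rather than guessing. The sample records are constructed inline for the example, not captured traffic.

```python
"""Classify a TLS ServerHello by whether it advertises RFC 5746
secure renegotiation (the fix for CVE-2009-3555). Added example;
the sample records below are constructed, not captured."""
import struct

RENEGOTIATION_INFO = 0xFF01      # extension type assigned by RFC 5746
HANDSHAKE_SERVER_HELLO = 0x02
RECORD_HANDSHAKE = 0x16


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version, cipher
    suite and a dict of extensions. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]          # record header: type(1) ver(2) len(2)
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")               # handshake header: type(1) len(3)
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:
        raise ValueError("truncated handshake")
    off = 0
    version = hs[off:off + 2]; off += 2
    off += 32                                                # server random
    sid_len = hs[off]; off += 1 + sid_len                    # session id
    if off + 3 > len(hs):
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hs[off:off + 2])[0]; off += 2
    off += 1                                                 # compression method
    exts = {}
    if off < len(hs):                                        # extensions block is optional
        ext_total = struct.unpack("!H", hs[off:off + 2])[0]; off += 2
        end = off + ext_total
        if end != len(hs):
            raise ValueError("extension length mismatch")
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4]); off += 4
            if off + elen > end:
                raise ValueError("extension overruns block")
            exts[etype] = hs[off:off + elen]; off += elen
        if off != end:
            raise ValueError("malformed extensions")
    return {"version": version, "cipher": cipher, "extensions": exts}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello carries renegotiation_info with the empty
    renegotiated_connection field (single zero length byte) that RFC 5746
    requires on an initial handshake."""
    info = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    return info == b"\x00"


def classify(record: bytes) -> str:
    """Triage label: 'secure-renegotiation' (RFC 5746 present),
    'legacy-renegotiation' (absent, treat as unpatched) or 'malformed'."""
    try:
        return "secure-renegotiation" if supports_secure_renegotiation(record) else "legacy-renegotiation"
    except ValueError:
        return "malformed"


def build_server_hello(with_reneg_ext: bool) -> bytes:
    """Constructed sample: TLS 1.0 ServerHello, empty session id,
    cipher suite 0x002f (TLS_RSA_WITH_AES_128_CBC_SHA), null compression."""
    hs = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_reneg_ext:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        hs += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, flag in (("patched server", True), ("unpatched server", False)):
        print(f"{label}: {classify(build_server_hello(flag))}")
```

Against a live server the same information is shown by `openssl s_client -connect host:443`, which prints "Secure Renegotiation IS supported" or "IS NOT supported" after the handshake. A server that does not advertise the extension should have client-initiated renegotiation disabled until it is patched, since that is the path the published proof-of-concept code abuses.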

Microsoft Internet Explorer Cascading Style Sheets Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21736, Version 4, December 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3962

Functional code that exploits the Microsoft Internet Explorer Cascading Style Sheets processing arbitrary code execution vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Office Excel Ghost Record Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21499, Version 5, November 12, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-3242

IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft Office Excel ghost record parsing arbitrary code execution vulnerability.

Physical

Moscow Airport Attack Prompts Security Review

On Monday, January 24, 2011, at Moscow's Domodedovo International Airport, an explosive attack killed an estimated 35 people and injured nearly 200 more. The source of the attack is still unknown, but the explosive device was reportedly detonated by a suicide bomber. The bomb exploded in a public area that did not require security entrances.

IntelliShield Analysis: The attack in Moscow demonstrated the weaknesses inherent in securing any physical location. Checkpoints that exist to keep attackers off aircraft create passenger lines that present a target of opportunity. Wherever perimeters and bottlenecks exist and groups of people gather, there is a potential target. Some sites may choose to expand security perimeters in an attempt to deter potential attackers. Extending security checks from airports and other venues may serve to keep attacks away from the core operations of a location; however, the same risks to operations personnel and civilians remain.

Legal

EU Delegating Increasing Internet Enforcement to Internet Service Providers

The European Digital Rights organization has released a report on European Union (EU) countries that are increasingly delegating the responsibility for controlling illegal activity to Internet service providers. The report notes that existing and pending regulations and guidelines across multiple EU countries require Internet service providers to police their users. Research by Universidad Carlos III de Madrid finds that a relatively small number of publishers (around 100) are responsible for approximately 66 percent of copyright-protected uploads. In the context of the report, a publisher is not necessarily a single individual. Within that group, anti-piracy organizations account for roughly as many uploads as the publishers who post copyrighted material.

IntelliShield Analysis: This report may be used as a new argument that the Internet should be policed more aggressively. While governments may have legitimate reasons to access and, if necessary, filter Internet traffic, implementing that in practice is much harder than politicians may think. From a legal standpoint, things are clear: illegal material should be expunged and perpetrators brought to justice. To provide the equivalent of the control that exists in the non-cyber world, Internet service providers would have to filter not only incoming and outgoing traffic but also all intra-national traffic. Even if such a level of control were possible, Internet service providers would need to make fairly significant investments in equipment and in people who could perform the job, and governments have thus far been unwilling or unable to help with financing.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

North Africa/Middle East Instability Poses Hard Questions for Internet Companies

Over the weekend, tens of thousands of citizens across Egypt defied curfews and took to the streets, demanding the ouster of President Hosni Mubarak, following hard on the heels of a popular uprising that toppled the longstanding ruler of Tunisia. Abruptly last Friday, as demonstrations in Cairo reached critical mass, the Egyptian government took down Internet and cell phone networks, an unprecedented move for a major industrializing economy, according to the San Francisco Chronicle. Other demonstrations taking place across Lebanon, Yemen, Morocco, Jordan, and Algeria all are being attributed to one extent or another to the rising awareness among youthful populations—thanks largely to Internet and mobile phone access—of their economic and political status in the global context.

IntelliShield Analysis: The issue at hand is no longer whether, or even to what extent, the revolution is being tweeted. The question henceforth is how information networks are to be managed, given that they already are, and will continue to be, used as virtual town squares where good and bad in equal measure may play out. In many countries, Internet traffic runs through state-controlled Internet service providers, giving local regulators the option of blocking sites they perceive to be threats. Being blocked absolves companies from having to take sides but has obvious downside risks. Taking sides, on the other hand, has already proved problematic for several Internet, financial, and social media companies. If managers of a site perceive that user accounts are being hacked, they may react tactically and surgically to the security breach. Longer term, however, multinational companies must formulate strategies for fundamental questions: whether they can live by a country's laws that may be seen by Western media as undemocratic or illegitimate, where their business ends and state-to-state diplomatic matters begin, and how they will react if they find their networks and products being used as venues for political debates with global consequences.

Miscellaneous

Department of Homeland Security Retires Color-Coded Threat Level

Secretary of Homeland Security Janet Napolitano announced on Thursday, January 27, 2011, that the Department of Homeland Security color-coded Terrorism Threat Level is being retired. The Terrorism Threat Level was vague, not well understood, and the subject of many jokes on late-night television. It is being replaced by the National Terrorism Advisory System. Instead of using color codes to convey a threat level, the new system will provide information to law enforcement and, when necessary, to businesses, airlines, and the general public. When information is to be conveyed to the public, normal media and social channels will be used.

IntelliShield Analysis: The familiar Terrorism Threat Level announcements made in the United States quickly faded into background noise. One sure way to get people to ignore a system such as the Terrorism Threat Level is to provide little or only vague information beyond the current level; people were left wondering what the different threat levels really meant. Administrators who want users or the public to engage with any security effort, whatever the effort may be, should explain why the effort is necessary and what actions an individual should take.

Upcoming Security Activity

Cisco Live London: January 31–February 3, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Chinese New Year: February 3, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
