January 31–February 6, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity declined from the previous period, and January 2011 activity levels declined from January 2010. Highlights for the period include security advisories from Cisco, Microsoft, HP, Symantec, and Google (Chrome).

Microsoft released the Security Bulletin Advance Notification for February 2011. The security bulletins will be released on Tuesday, February 8, 2011, and will include 12 security bulletins correcting 22 vulnerabilities in Internet Explorer, Windows, and Visio.

Cisco also released the Cisco 4Q10 Global Threat Report, based on data collected by Cisco Security Intelligence Operations. The report details threat activity for October–December 2010 and contains analysis of the trends and perspectives on the threat landscape for the period.

On February 3, 2011, ICANN announced in a ceremony the allocation of the remaining IPv4 address blocks to the regional Internet registries. While this event has been long anticipated and many organizations have begun the transition to supporting IPv6 addresses, it remains an Internet benchmark event. Cisco has initiated a series of IPv6 Security Blog posts to assist organizations with the transition.

IntelliShield Analysis: Much of the world's focus was on Egypt during the period, where risks were highlighted across several categories. Activity included reports of spammers using Egyptian address space while that address space was temporarily unused by Egypt, the physical security concerns of employees and business assets in an area that suddenly turned to protests and destruction, and the legal and geopolitical debate over government policies. As the situation in Egypt, across North Africa, and in the Middle East continues to develop, lessons learned are being identified, but many likely remain to be recognized. With the situation still in flux, organizations are advised to monitor the activities and take incident response actions where required, but to wait until the activity has declined and credible information and data are available before drawing lessons learned.

IntelliShield published 58 events last week: 34 new events and 24 updated events. Of the 58 events, 34 were Vulnerability Alerts, seven were Security Activity Bulletins, four were Security Issue Alerts, 12 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:
[Table: 2011 Monthly Alert Totals]
Significant Alerts for January 31–February 6, 2011

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of the Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
EXIM Mail Transfer Agent contains a vulnerability that could allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed in conjunction with exploits for the vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability. Sun has released a security notification and patches.

Oracle Critical Patch Update January 2011
Oracle has released the January 2011 Critical Patch Update Advisory for multiple products. The update contains 67 new security fixes that address multiple Oracle product families. IntelliShield has released multiple significant individual vulnerability alerts from the January CPU.

Mozilla Firefox, Thunderbird, and SeaMonkey DOM Object Processing Arbitrary Code Execution Vulnerability
Mozilla has released updated software to address the Firefox, Thunderbird, and SeaMonkey DOM object processing arbitrary code execution vulnerability. Red Hat, CentOS, and FreeBSD have also released security updates to address the vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability; however, software updates are not available.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Internet Explorer Cascading Style Sheets Processing Arbitrary Code Execution Vulnerability
Functional code that exploits the Microsoft Internet Explorer Cascading Style Sheets processing arbitrary code execution vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Office Excel Ghost Record Parsing Arbitrary Code Execution Vulnerability
IntelliShield has updated this alert to report an increase in intrusion prevention system activity related to the Microsoft Office Excel ghost record parsing arbitrary code execution vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

SourceForge Attack
On January 27, 2011, SourceForge announced that it had detected a targeted attack against its infrastructure. It then chronicled its response to the incident, from service suspension through resetting all user passwords to restoration of service, in a series of public blog posts.

IntelliShield Analysis: The openness demonstrated by SourceForge in response to this security incident continues a tradition of transparency in the open source software community and serves as a prime example of how open communication can foster trust in a community. At the same time, attacks against source code repositories highlight several risks for enterprises. One risk is the malicious modification and subsequent distribution of software from trusted sources. While SourceForge does not believe that any packages were modified by the attackers and is working through a manual verification, recent history has shown that in some instances these attacks succeed and modified packages reach unsuspecting users. This risk is not specific to open source software and cannot be eliminated. Organizations should identify and continuously monitor reputable sources for information pertaining to the security of all externally developed software in use.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.
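The manual verification SourceForge describes amounts to comparing what is being served against a known-good record of each release. The script below is an added example of that check and is not SourceForge's or Cisco's code: it parses a sha256sum-style manifest, hashes a set of "downloaded" artifacts, and reports each one as intact, modified, missing, or not listed in the manifest at all. The manifest, the artifact bytes, and the tampered copy are constructed sample data so the script runs offline; the file names are made up for illustration.

```python
"""Verify release artifacts against a pinned manifest of SHA-256 digests.

Added example (not SourceForge's or Cisco's code). All inputs below are
constructed in memory; in practice the manifest comes from a channel that
is independent of the download host (a signed release note, a mirror you
control, or a digest recorded when the package was first vetted).
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the artifact bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts):
    """Produce sha256sum-style lines ('<digest>  <name>') for pristine files.

    This models the publisher side: digests are recorded when the release
    is made, before anything is exposed to a possibly compromised host.
    """
    return "\n".join(f"{sha256_hex(data)}  {name}" for name, data in sorted(artifacts.items()))


def parse_manifest(text: str):
    """Parse sha256sum-style lines into {name: digest}; reject malformed lines."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest


def verify_artifacts(manifest, artifacts):
    """Return {name: status} for every name in the manifest or the download set.

    Statuses: 'ok' (digest matches), 'MISMATCH' (bytes differ from the
    recorded digest), 'missing' (listed but not downloaded), 'unlisted'
    (downloaded but never recorded, which is also suspicious).
    """
    results = {}
    for name, digest in manifest.items():
        if name not in artifacts:
            results[name] = "missing"
        elif sha256_hex(artifacts[name]) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    for name in artifacts:
        if name not in manifest:
            results[name] = "unlisted"
    return results


# Constructed sample data: what the publisher released...
PRISTINE = {
    "tool-1.2.tar.gz": b"tool 1.2 release tarball (constructed sample bytes)",
    "plugin-0.9.zip": b"plugin 0.9 archive (constructed sample bytes)",
    "README.txt": b"release notes (constructed sample bytes)",
}
MANIFEST_TEXT = build_manifest(PRISTINE)

# ...and what a user actually pulled from the (hypothetically tampered) host.
DOWNLOADED = {
    "tool-1.2.tar.gz": PRISTINE["tool-1.2.tar.gz"] + b"\x00injected payload",  # modified
    "plugin-0.9.zip": PRISTINE["plugin-0.9.zip"],                               # intact
    "extra-helper.bin": b"file that was never part of the release",            # unlisted
    # README.txt is absent from the download set -> reported as missing
}


def run_check():
    """Verify the constructed download set against the constructed manifest."""
    return verify_artifacts(parse_manifest(MANIFEST_TEXT), DOWNLOADED)


if __name__ == "__main__":
    for name, status in sorted(run_check().items()):
        print(f"{status:9s} {name}")
```

The check is only as trustworthy as the manifest's origin: a digest file fetched from the same compromised server as the tarball will simply have been rewritten alongside it. Record digests (or verify detached signatures against a key obtained out of band) at the time a package is first vetted, and re-run the comparison whenever a supplier reports an incident like this one.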
Geopolitical

Egypt Internet Crackdown Takes Its Toll
On February 2, 2011, Internet traffic monitoring firms and the RIPE NCC, the Amsterdam-based regional Internet registry, confirmed that Internet connectivity had been restored throughout Egypt. The country's Internet went dark abruptly on January 27, along with mobile phone services, amid massive political protests demanding the ouster of President Hosni Mubarak. While the political situation in Egypt is far from resolved, experts are already measuring the impact of the outage on economic activity. According to preliminary estimates from the Organization for Economic Cooperation and Development (OECD), the outage cost Egypt around US$90 million. The cost to multinational companies doing business in Egypt remains untallied. Egypt relies on Internet and telecommunications for between three and four percent of its economy, according to OECD estimates, and is a growing destination for IT outsourcing services.

IntelliShield Analysis: While Internet outages in the midst of political unrest are by no means unheard of, the abrupt and apparently deliberate Internet blackout of an entire major economy may be unprecedented. The ripple effects go beyond direct business losses from interrupted connectivity to a wider question of investor confidence and rising risk-to-benefit calculations across emerging markets. Even as Egypt's economy ground to a halt, Egypt's netizens circumvented electronic roadblocks with ingenuity. From the Mubarak regime's point of view, the blackout was costly in economic and reputational terms while doing little to muzzle protests, and it probably even fanned the flames of public anger.
Upcoming Security Activity

RSA Security Conference: February 14–18, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit 

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit 

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.