Cyber Risk Report

January 31–February 6, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity declined from the previous period, and January 2011 activity levels declined from January 2010. Highlights for the period include security advisories from Cisco, Microsoft, HP, Symantec, and Chrome.

Microsoft released the Security Bulletin Advance Notification for February 2011. The security bulletins will be released on Tuesday, February 8, 2011, and will include 12 security bulletins correcting 22 vulnerabilities in Internet Explorer, Windows and Visio.
Cisco released security advisories addressing multiple WebEx Player vulnerabilities and vulnerabilities in the Tandberg C Series Endpoints and E/EX Personal Video.

Cisco also released the Cisco 4Q10 Global Threat Report, based on the data collected by Cisco Security Intelligence Operations. The report details the threat activity for October–December 2010, and contains analysis of the trends and perspectives on the threat for the period.

On February 3, 2011, ICANN announced in a ceremony the assignment of the remaining IPv4 address blocks. While this event has been long anticipated and many organizations have begun the transition to supporting IPv6 addresses, it remains an Internet benchmark event. Cisco has initiated a series of IPv6 Security Blog posts to assist organizations with the transition.

IntelliShield Analysis: Much of the world's focus was on Egypt during the period, where risks were highlighted across several categories. Activity included reports of spammers using Egyptian address space while that address space was temporarily unused by Egypt, the physical security concerns of employees and business assets in an area that suddenly turned to protests and destruction, and the legal and geopolitical debate over government policies. As the situation in Egypt, across North Africa, and in the Middle East continues to develop, lessons learned are being identified, but many likely remain to be recognized. With the current situation still in flux, organizations are advised to monitor the activities and take incident response actions where required, but to wait until the activity has declined and credible information and data are available before considering lessons learned.

IntelliShield published 58 events last week: 34 new events and 24 updated events. Of the 58 events, 34 were Vulnerability Alerts, seven were Security Activity Bulletins, four were Security Issue Alerts, 12 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:
Weekly Alert Totals

Day           Date         New  Updated  Total
Saturday      02/05/2011     1        1      2
Friday        02/04/2011     3        8     11
Thursday      02/03/2011     6        3      9
Wednesday     02/02/2011     6        2      8
Tuesday       02/01/2011    10        3     13
Monday        01/31/2011     8        7     15
Weekly Total  —             34       24     58

2011 Monthly Alert Totals

Month         New  Updated  Monthly Total
January       178      452            630
Annual Total  178      452            630


Significant Alerts for January 31–February 6, 2011

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 2, January 31, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-0096

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 4, January 28, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed, in conjunction with exploits for a vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21686, Version 10, January 19, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3654

Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability. Sun has released a security notification and patches.

Oracle Critical Patch Update January 2011
IntelliShield Security Activity Bulletin 22251, Version 1, January 18, 2011
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the January 2011 Critical Patch Update Advisory for multiple products. The update contains 67 new security fixes that address multiple Oracle product families. IntelliShield has released multiple significant individual vulnerability alerts from the January CPU.

Mozilla Firefox, Thunderbird, and SeaMonkey DOM Object Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21678, Version 6, January 10, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3765

Mozilla has released updated software to address the Firefox, Thunderbird, and SeaMonkey DOM object processing arbitrary code execution vulnerability. Red Hat, CentOS, and FreeBSD have also released security updates to address the vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22180, Version 3, January 7, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3970

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability; however, software updates are not available.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 11, January 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 72, December 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Internet Explorer Cascading Style Sheets Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21736, Version 4, December 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3962

Functional code that exploits the Microsoft Internet Explorer Cascading Style Sheets processing arbitrary code execution vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Office Excel Ghost Record Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21499, Version 5, November 12, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-3242

IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft Office Excel ghost record parsing arbitrary code execution vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

SourceForge Attack

On January 27, 2011, SourceForge announced that they had detected a targeted attack against their infrastructure. They then chronicled their response to the incident—beginning with service suspension through resetting all user passwords to restoration of service—in a series of public blog posts.

IntelliShield Analysis: The openness demonstrated by SourceForge in response to this security incident continues a tradition of transparency in the open source software community and serves as a prime example of how open communication can foster trust in a community. At the same time, attacks against source code repositories highlight several risks that exist for enterprises. One risk is the malicious modification and subsequent distribution of software from trusted sources. While SourceForge does not believe that any packages were modified by the attackers and is working through a manual verification, recent history has shown, in some instances, that these attacks succeed and modified packages reach unsuspecting users. This risk is not specific to open source software and cannot be eliminated. Organizations should look to and continuously monitor reputable sources for information pertaining to the security of all externally developed software in use.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Egypt Internet Crackdown Takes Its Toll

On February 2, 2011, Internet traffic monitoring firms and RIPE, the Amsterdam-based consortium that oversees Internet address allocation, confirmed that Internet connectivity had been restored throughout Egypt. The country's Internet went dark abruptly on January 27, along with mobile phone services, amidst massive political protests demanding the ouster of President Hosni Mubarak. While the political situation in Egypt is far from resolved, experts are already measuring the impact of the outage on economic activity. According to preliminary estimates from the Organization for Economic Cooperation and Development (OECD), the outage cost Egypt around US$90 million. The cost to multinational companies doing business in Egypt remains untallied. Egypt relies on Internet and telecommunications for between three and four percent of its economy, according to OECD estimates, and is a growing destination for IT outsourcing services.

IntelliShield Analysis: While Internet outages in the midst of political unrest are by no means unheard of, the abrupt and apparently deliberate Internet blackout of an entire major economy may be unprecedented. Indeed, the ripple effects go beyond direct business losses due to interrupted connectivity to a wider question of investor confidence and rising risk-to-benefit calculations across emerging markets. Even as Egypt's economy ground to a halt, Egypt's netizens circumvented electronic roadblocks with ingenuity. From the Mubarak regime's point of view, the blackout was costly in economic and reputational terms while doing little to muzzle protests, and probably even fanned the flames of public anger.

Upcoming Security Activity

RSA Security Conference: February 14–18, 2011
Black Hat Europe 2011: March 15–18, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit Cisco Security IntelliShield Alert Manager Service.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit Trial Registration.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.