July 27–August 2, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for this period was elevated, primarily linked to disclosures at the Black Hat Security Conference and the vendor responses to those vulnerabilities. Microsoft released advisory MS09-035 on the Visual Studio Active Template Library (ATL), addressing three vulnerabilities reported in IntelliShield alerts 18725, 18726, and 18727. Microsoft also released advisory MS09-034, addressing three related vulnerabilities in Internet Explorer reported in IntelliShield alerts 18721, 18723, and 18724. Cisco Security Intelligence Operations has also provided a blog post with additional details on these vulnerabilities. Adobe and Cisco have released advisories related to these vulnerabilities, and additional vendors are likely to release advisories.
ISC BIND released an advisory detailing a vulnerability that could allow a remote attacker to cause a denial of service condition on an affected system, as reported in IntelliShield alert 18730. US-CERT and multiple vendors have released additional advisories regarding this vulnerability.

IntelliShield published 86 events last week: 47 new events and 39 updated events. Of the 86 events, 77 were Vulnerability Alerts, six were Security Activity Bulletins, two were Security Issue Reports, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Monthly Alert Totals

Significant Alerts for the Time Period

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability

Previous Alerts That Still Represent Significant Risk

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability exists due to an unspecified error in the Office Web Components ActiveX Control. Reports indicate that exploits of this vulnerability are ongoing.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDAV Unicode Processing Security Bypass Vulnerability
Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.
Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided software updates.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
Adobe Reader, Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability and released updated software.

Physical

West Africa Internet Cable Damage
Damage to the sole fiber optic cable providing high-speed Internet connectivity to multiple West African countries continues to have a significant impact on commerce and individuals. Nigeria, the most populous nation affected, estimates that up to 70% of its bandwidth was lost as a result. Officials responsible for the cable have stated that repairs will not commence for up to two weeks owing to administrative procedures and the time required for a ship that can make the repairs to arrive from South Africa. Sectors such as mobile telephony, banking, and governmental offices, all of which are often considered to be critical infrastructures, are being forced to reroute through slower links until the issue is resolved.

IntelliShield Analysis: Despite the physical presence of the South Atlantic 3/West Africa Submarine Cable (SAT-3) in Nigeria itself, a decision was taken not to use the provider that services it (Nitel). Instead, a different provider (Suburban Telecoms), which connects to the cable in the neighboring nation of Benin, was selected. The actual fiber disruption is within the Benin branch of the cable. There are multiple and seemingly conflicting reasons as to why and when problems occurred; one of the main reasons stated was the expiration of a maintenance contract. Regardless of the cause, the impact on the affected economies will be felt for weeks and underscores the need for multiple, independent routes and services wherever possible to minimize disruption to critical infrastructures and business.

Legal
Privacy Concerns over Electronic Book Records
A deadline for public comment on a settlement that is being reached between Google, book publishers, and authors is scheduled for September 4, 2009. In response to this deadline, privacy advocacy groups are voicing concern over how this settlement will take privacy issues into account. The chief concern of the privacy groups is that once users are able to digitally access many new books using Google Book Search, records of the book access events will be kept and could be used to invade users' privacy. The groups are concerned that the records could be viewed by the government or by other third parties, such as insurance companies, who might take an interest in knowing who is researching which diseases.

IntelliShield Analysis: When a person goes to a library or a book store and purchases a book, there is an expectation that this information will not be made public. On the wider stage of the Internet, where all types of information are digitally recorded and stored, there are issues regarding the control of and access to these records. The privacy groups argue that any book access information belongs to the person who accesses those books, and that it should be their right to erase such information should they choose to do so. The settlement terms are not yet public, and Google has stated that it will respect user privacy rights, but until the agreement is reached and Google produces a product for accessing new books, the actual privacy details will not be fully available.

Trust

U.S. Government Websites Tracking Policy Proposal
Recently the U.S. Government has proposed changing its policy regarding the use of cookies on its websites. This is a change from the standing policy put in place in the year 2000 and revamped in 2003. The purported reason behind the change is to enhance users' experience with government websites. The proposal includes using both single-session and multi-session cookies to track users visiting these sites. Soon after the Obama administration came into office, the White House began using tracking cookies on YouTube videos embedded on the White House website. This change, as well as the policy change, has alarmed some privacy advocates.

IntelliShield Analysis: Like any other policy, website security policies can change and should be reviewed. It is up to individual users to decide whether they feel that their privacy has been compromised by these changes. Many users enjoy the usage enhancements that tracking cookies can provide, but do not want their previous visits to be tracked. This can be accomplished by disabling the acceptance of third-party cookies and by clearing cookies, either manually after each session or by configuring the browser to clear cookies automatically when it is closed. Most importantly, users should be advised of a website's cookie policy, giving them the ability to adjust their system settings based on that policy.

Identity

Network Solutions Breach Exposes 574,000 Customers
A recent audit of e-commerce servers deployed by Network Solutions to support online stores for small businesses uncovered that malicious code had been installed. Network Solutions brought in forensic investigators, who determined that from March 12 through June 8 the software was eavesdropping on certain credit card transactions for around 4,000 of the more than 10,000 customers of this service. The investigators believe that the code divulged that sensitive transaction information to attackers. Network Solutions is assisting its small business customers by notifying the end-user customers who were exposed by this attack.

IntelliShield Analysis: Criminals continue to target systems that provide them with a large return for their efforts.
Recently, this has manifested as attacks on payment card processing systems that aggregate payments from many merchants. The industry has recognized that this is a risk to its constituents and, through efforts such as the PCI Data Security Standard, cardholder indemnity, and credit monitoring, has hoped to stem the impact of such events, if not prevent them outright. The new Red Flag rules further these goals by attempting to put controls in place that alert system operators to potential identity compromise events. Though a breach was not prevented in this instance, the response by Network Solutions and the evidence suggesting that no credit accounts have yet been improperly accessed may indicate that a serious impact has been averted.

Human

20th Century Fox Viral Marketing Campaign
Attempting to generate interest in the movie "I Love You, Beth Cooper," 20th Century Fox hired trend research firm The Intelligence Group to conduct a viral marketing campaign. With the movie scheduled to be released on July 10, 2009, The Intelligence Group sought to hire a willing valedictorian to confess their secret love during their commencement speech. The confession was recorded and posted on YouTube, claiming to have been inspired by a similar scene from the movie's trailer. The video failed to attract much attention until news stories of the marketing campaign began to circulate.

Geopolitical

Russia Expresses Concern over Lag in Supercomputing
In a recent speech, Russian President Dmitry Medvedev called out his country's lag in supercomputing capability and challenged Russians to close the gap. Medvedev promised to spend more on supercomputing, pointing out the many commercial and public uses for the technology, which in some circles had been dismissed as old-fashioned. He cited the so-called Top500 List, a website that tracks supercomputers globally, saying that 476 of the top 500 supercomputers in the world were manufactured in the United States. He may also have noted that late in 2008, a supercomputer made by a Shanghai-based company joined the ranks of the ten fastest computers in the world.

IntelliShield Analysis: A survey of the Top500 List reveals more than U.S. dominance in the sector. In terms of where the supercomputers reside, fewer than 300 of the fastest 500 are in the United States; 44 are housed in the United Kingdom, 30 in Germany, and 23 in France. Emerging market countries, including China, India, Russia, and Saudi Arabia, also own some of the world's most powerful computers. Supercomputer vendors include companies headquartered in Japan, Germany, France, Switzerland, the Netherlands, and China. As globalization and international joint ventures increasingly blur the national identities of companies, information security specialists may wish to be aware of the global nature of the industry. They may also wish to keep in mind the security risks stemming from the fact that many entities, public and private, view supercomputing capability as an important box to check for reasons of national pride and technical achievement, and are working to obtain that capability.

Upcoming Security Activity

18th USENIX Security Symposium: August 12–15, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.