July 6–12, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for this period remained at the low levels of previous periods. Activity highlights during this period included the distributed denial of service attacks against multiple government and financial websites throughout the United States (U.S.) Independence Day (July 4) weekend, which impacted the availability of some of those sites. The attacks have been linked to a botnet of systems infected with variations of the MyDoom malicious code. Also during the period, the Michael Jackson memorial services caused heavy traffic levels on some networks, caused some news websites to become temporarily unreachable, and are being exploited in malicious spam messages, as reported in IntelliShield Threat Outbreak Alert 18587.
In the coming week, Microsoft has announced the Security Bulletin Advance Notification for July 2009, which includes six vulnerabilities, three of which Microsoft rates critical. Oracle is also scheduled to release a quarterly Critical Patch Update. Both Microsoft and Oracle are scheduled to release these updates on Tuesday, July 14, 2009. Also in the coming week, Cisco will release the Midyear Security Report on July 14, 2009. The Cisco 2009 Midyear Security Report outlines the most recent threat landscape and offers recommendations for protecting against some of the newer attack types. Download the report on or after July 14.

IntelliShield published 56 events last week: 28 new events and 28 updated events. Of the 56 events, 42 were Vulnerability Alerts, two were Security Activity Bulletins, five were Threat Outbreak Alerts, one was a Security Issue Alert, one was a Malicious Code Alert, four were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals (chart)
Significant Alerts for the Time Period

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX control that could allow an unauthenticated, remote attacker to execute arbitrary code.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring. Microsoft has released a tool that will disable QuickTime parsing without requiring manual registry editing.

Microsoft Internet Information Services WebDAV Unicode Processing Security Bypass Vulnerability

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.
Worm: W32/Conficker.worm

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability

Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability

Adobe Reader, Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.
Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

U.S. Federal Protective Service Physical "Penetration Test" Results

U.S. federal investigators were able to bring materials for bomb making into federal buildings without being stopped by Federal Protective Service (FPS) guards. The materials were carried through checkpoints by Government Accountability Office (GAO) investigators, who posed as employees and visitors. The guards failed to detect the components in ten separate incidents. The investigators assembled these IEDs and walked around the facilities with them without being questioned. There have been additional incidents involving FPS guards, such as one who did not detect handguns in a box at a loading dock.

Legal
U.S. Ruling on IP Addresses as Personal Information

In a ruling on a case against Microsoft regarding collection of IP addresses of users, a U.S. district court judge has ruled that IP addresses are not personally identifiable information (PII). The judge indicated that IP addresses identify a computer and not a person.

Trust

Risks in Trusting Shortened URLs

URL redirection services allow users to substitute a short URL in place of a long one. Users of services that limit message size, such as Twitter, rely on these shortened URLs to be able to send links in messages. Purveyors of spam are using shortened URLs to hide the actual link destination, which is stored by the URL redirection service. The shortened URL refers to the redirection service and not to the final destination. Spammers can easily create the shortened URLs because redirection services allow anyone to create shortened URLs without authenticating to the service.

IntelliShield Analysis: Spam is often easily recognized, and clicking any link received in unsolicited commercial e-mail is asking for trouble. With a normal HTML link, the destination can be inspected before it is clicked; this additional verification is not possible with a shortened link, because the visible URL points only at the redirection service. Anti-spam and privacy features are available for most e-mail transfer agents, browsers, and social networking services. Enabling them is highly recommended and will block the majority of this spam and of malicious shortened URLs. As a last resort, trust e-mail from known sources only; the computer, time, and identity you save may be your own.

Identity

Predictability of U.S. Social Security Numbers

Researchers at Carnegie Mellon University were recently able to predict U.S. Social Security numbers when given only a birth date and location. The researchers created an algorithm based on publicly available Social Security numbers of deceased individuals. The results are published in the Proceedings of the National Academy of Sciences.
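For the shortened-URL risk described under Trust above, the following is an added example (not code from the original report) of how a defender can expand a short link by following only its redirect headers, so the final destination can be inspected before any page is loaded. The short.example and tracker.example hosts and the sample redirect table are constructed for illustration; the live head_lookup helper uses only the Python standard library.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

def expand_short_url(url, lookup, max_hops=10):
    """Follow Location headers from a short URL without loading the final page.
    lookup(url) returns the Location header when url redirects, else None.
    Returns (status, chain): status is "resolved", "loop", "bad_scheme" or
    "too_many_hops"; chain lists every URL visited, in order."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        location = lookup(current)
        if location is None:
            return "resolved", chain
        nxt = urljoin(current, location)      # Location may be relative
        chain.append(nxt)
        if urlparse(nxt).scheme not in ("http", "https"):
            return "bad_scheme", chain        # never follow into other schemes
        if nxt in seen:
            return "loop", chain
        seen.add(nxt)
        current = nxt
    return "too_many_hops", chain

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Make urllib surface 3xx responses instead of silently following them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def head_lookup(url, timeout=5):
    """Live lookup: one HEAD request per hop, redirects never auto-followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None                       # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise

# Constructed sample shortener answers (hypothetical hosts, not real services);
# pass SAMPLE_REDIRECTS.get as the lookup to run this offline.
SAMPLE_REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/r?x=1",
    "http://tracker.example/r?x=1": "/landing",  # relative Location header
    "http://tracker.example/landing": None,      # final destination
    "http://short.example/loop": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop",
}
```

Calling expand_short_url(url, head_lookup) resolves a real short link one hop at a time; the returned chain shows every intermediate tracker before the destination is ever fetched.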
IntelliShield Analysis: Any predictability in number assignment reduces the work required to guess that assigned number. The parameters for assigning Social Security numbers have been known and used for verification of Social Security numbers for some time. Generally, a person's date of birth and place of birth are public record. The U.S. Social Security Administration will change the way it assigns Social Security numbers next year, but this leaves all previously assigned numbers vulnerable to the same predictability. Given two parameters to what is essentially a three-parameter problem, a computer can predictably reduce the probability of incorrect guesses to a frighteningly low number. This points out the extreme weakness of using any part of a Social Security number as any type of password or key material. Financial or other transactions should be verified with additional identification and authentication beyond a simple Social Security number.

Human

There was no significant activity in this category during the time period.

Geopolitical

UBS Lawsuit Highlights Privacy Law Debate

The U.S. Internal Revenue Service is demanding that Swiss bank UBS AG hand over the identities of around 52,000 U.S. clients who are suspected of tax evasion through the use of numbered offshore bank accounts. In response, the Swiss government is calling the issue a threat to its sovereignty and is threatening to seize the data rather than allow the U.S. Department of Justice to pursue the court order. UBS is saying that compliance with the United States demand would mean violating Swiss privacy laws. The spat follows just weeks after the Organization for Economic Cooperation and Development (OECD) amended its tax treaty to strengthen rules against the use of offshore tax havens and to force so-called "grey list" countries like Switzerland and Liechtenstein to cooperate more fully on tax issues.
IntelliShield Analysis: The court case highlights an intensifying battle over privacy laws as financial regulators run afoul of conflicting international legal systems. The battle has gained steam this year as U.S. tax authorities, faced with huge budget deficits, step up efforts to chase down tax revenues. The timing has been painful for UBS, which is faced with massive legal fines in the depths of a financial crisis, and for the Swiss government, which has had to provide financial support for the bank and finds that its reputation as the world's most private banker could be at stake. Of note for information security specialists are two points that will be debated in court: first, whether the request for a large group of names, without specific grounds for suspicion, amounts to a fishing expedition on the part of United States or other tax authorities and can be dismissed, and second, whether one country can use its laws to compel action from a company headquartered in a different country.

Miscellaneous

Newly Reported OpenSSH Vulnerability May Be Hoax

Following reports of an exploit performed against a New Zealand hosting provider, security researchers surmised that a previously undisclosed vulnerability may exist in OpenSSH. The attacker seemed to use the vulnerability to access a website host to harass a rival security researcher. However, little information regarding the vulnerability has surfaced, and the initial reporter may have simply used an obfuscated brute-force attack, as was used in previous exploits by the same group against different targets. Further evidence to support the theory that the vulnerability was a hoax arose as OpenSSH developers released statements that any known vulnerabilities could not have granted remote access.

IntelliShield Analysis: When initially announced, the mere threat of a new OpenSSH exploit was enough to cause various hosting providers and other IT operations to turn off remote access via SSH.
Although it risks overexposure that can reduce the impact, announcing fake vulnerabilities in critical applications may accomplish the same goal as exploitation itself. By causing a panic, attackers may be able to cause administrators to disable exposed but necessary services, effectively causing a denial of service. Although the threat of exploits must be taken seriously, the response must consider the credibility of the reports and be proportionate to the risk.

Upcoming Security Activity

International ISACA Conference: July 19–22, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
