Cyber Risk Report, June 1–7, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for this period remained consistent with previous weeks and months, but activity levels for 2009 are running substantially lower than in previous years. In May 2008, IntelliShield published 528 alerts, a decrease compared with the preceding months of 2008. For the year through May 2008, IntelliShield had published 3,151 alerts, well above the 2,336 alerts published for the same period in 2009. Thus far, 2009 is on track to be the first year in more than five years to show an annual decrease in vulnerability totals.

In vulnerability activity for the coming week, Microsoft is scheduled to release its monthly security update tomorrow, Tuesday, June 9, 2009. The Microsoft Advance Notification reported that ten bulletins will be released, six of them rated critical by Microsoft.
The June bulletin release is reported not to include a correction for the DirectShow vulnerability, reported in IntelliShield Alert 18366, which is seeing low levels of exploit activity. Adobe has announced that it will release its first quarterly security bulletin for Adobe Acrobat and Reader versions 7.x, 8.x, and 9.x for Microsoft Windows and Apple Mac systems, and that it will continue to follow a quarterly release schedule for future updates as part of its code-hardening practices.

IntelliShield published 85 events last week: 49 new events and 36 updated events. Of the 85 events, 54 were Vulnerability Alerts, 19 were Security Activity Bulletins, four were Threat Outbreak Alerts, two were Security Issue Alerts, four were Malicious Code Alerts, and two were the Cyber Risk Report. The alert publication totals are shown in the following charts:

Weekly Alert Totals
Monthly Alert Totals
Significant Alerts for the Time Period

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring. Microsoft has released a tool that disables QuickTime parsing in DirectShow without requiring manual registry editing.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Information Services WebDAV Unicode Processing Security Bypass Vulnerability
Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available.

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change its command-and-control communication, and download additional malicious files to infected systems.
Adobe Reader getAnnots Function Buffer Overflow Vulnerability
Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.
Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
Microsoft Internet Explorer version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed in which attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. The e-mail messages are crafted to take advantage of interest in current events or holidays to convince users to open the malicious attachments. W32.Waledac may download files to an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information related to numerous online banking entities.

Physical

There was no significant activity in this category during the time period.

Legal

Software Bans Under United States Office of Foreign Assets Control
To comply with the restrictions from the United States (U.S.) Office of Foreign Assets Control (OFAC) on the export of software to certain countries, several major vendors are restricting access to and downloads of their instant messaging software. The restricted countries currently include Iran, Cuba, Sudan, Syria, and North Korea, countries that are considered hostile to the United States or that are currently under sanctions.
The software ban primarily affects software that must be downloaded and installed, but the scope of the ban is less clear for web-based applications.

Trust

Microsoft Introduces Bing Search Engine, Offers Workaround
On Wednesday, Microsoft introduced its expensively marketed Bing search engine (http://bing.com) as competition for Google and almost immediately issued a workaround amid reports that Bing's Smart Motion Preview feature allows free access to pornographic content. By disabling SafeSearch controls in their browsers, students and cubicle dwellers can search on words such as sex or porn and watch 30-second previews of videos by mousing over the links returned in the search results. On Thursday, the general manager for Bing announced a workaround in a blog post. The workaround requires adding &adlt=strict to search request strings to confine search results to the strict SafeSearch level.

IntelliShield Analysis: Network administrators, parents, and schools are currently clamoring for a way to enforce SafeSearch controls on browsers. Until a solution is developed and deployed, administrators (and parents) may wish to warn users or block access to the Bing website to prevent unintended viewing of pornographic or malicious video material. Video has become a primary attack vector for distributing malicious code through search engines and social networking links. In its initial release, Bing may be considered a serious risk for workplaces and educational institutions.

Identity

There was no significant activity in this category during the time period.

Human

Social Networking Facilitating Freedom of Speech
In the weeks prior to Iran's upcoming presidential election on June 12, the Iranian Labor News Agency has reported that the popular social networking site Facebook has been blocked by the government.
The news agency said this block was ordered by the Masadiq Committee, which is composed in part of intelligence and judiciary officials. The reported ban is said to have lasted for just a few hours, and incumbent President Mahmoud Ahmadinejad stated that he would investigate these claims.

IntelliShield Analysis: The highly public profile and instant delivery capabilities of popular social networking websites have made them a powerful force in the pursuit of free expression. In preventing access to these sites on a temporary basis, those seeking to restrict popular opposition or expression may find that they have instead raised awareness not only in the ad hoc online communities, but also in the press and elsewhere on the Internet. Use of social media is clearly seen as a threat to the control of information by some governments, but its usage will likely continue to rise as users seek ways to voice and share their opinions with wider audiences. Organizations that feel they have legitimate concerns with the content of social networks must tread lightly because broad censorship can generate significant backlash. For businesses and service providers, there is the additional risk that users will create covert channels on the network to reach these sites, raising the risk of hidden access points for malicious code and attacks.

Geopolitical

New United States Cyber Security Office Signals Importance of Protecting Electronic Networks
On May 29, United States (U.S.) President Barack Obama announced the findings of a cyber security review ordered by his administration shortly after he took office. According to the president, America's electronic infrastructure is a strategic national asset that has reached a critical level of vulnerability to attacks. The president made clear that protecting these networks is vital to economic competitiveness and national security.
Although the new cyber security coordinator was not named, and details of the report have not yet been published, the mission of the new office was outlined in broad terms. It will be tasked with coordinating, improving, and unifying government cyber security policies that are currently carried out by a variety of federal agencies with varying priorities and influence. The new cyber security coordinator will be a member of the National Security Staff and of the National Economic Council, and, at least on paper, will have direct access to the president.

IntelliShield Analysis: Perhaps the most important conclusion of the cyber security review is that protecting the national electronic infrastructure is a matter of critical importance, and that current capabilities, in the United States and by inference in other nations as well, are lacking. Also of note to information security specialists was the assertion that the new office would not dictate security policy to the private sector, but would work with private interests to create a strategy that encourages innovation while protecting ideas and information. The U.S. president reiterated his commitment to net neutrality and made it clear that his administration's policy was not to monitor private-sector networks or Internet traffic. There is some concern in Washington that the new office will weaken the role of the Department of Homeland Security by giving the primary cyber security role to a White House appointee. There are also concerns that a presidential adviser may be shielded from Congressional testimony, weakening oversight. That said, the emphasis given to cyber security at the highest levels of the U.S. government is good news for information security specialists around the world, affording long-overdue prominence to this critical issue.
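Two items in this report are HTTP request-handling problems that a network or security team can act on directly: the Bing SafeSearch workaround in the Trust section (forcing adlt=strict onto search request strings) and the IIS WebDAV Unicode-processing bypass listed among the previous alerts. The Python module below is an example added by the editor; it is not code from Cisco, IntelliShield, Microsoft, or Bing. It rewrites Bing search URLs so that adlt=strict is always present (a client's own adlt=off cannot re-enable explicit results), and it scans W3C-format IIS log lines for request paths whose percent-encoding decodes to overlong UTF-8. The overlong-encoding detail (the %c0%af form of '/') is a known characteristic of the IIS issue but is not stated on the page; the Bing host list, the log column layout, and the sample log lines are assumptions constructed for the example.

```python
"""Two HTTP request-hygiene checks drawn from this report.

Example code added by the editor; it is not Cisco, IntelliShield, Microsoft,
or Bing code.  Host names, the log layout and the sample lines are assumptions.
"""
from urllib.parse import parse_qsl, unquote_to_bytes, urlencode, urlsplit, urlunsplit


def enforce_bing_safesearch(url: str) -> str:
    """Force adlt=strict onto Bing search requests (the report's workaround).

    A proxy URL rewriter can apply this to outbound requests.  Any existing
    adlt value, including adlt=off set by a user who disabled SafeSearch, is
    replaced so the client cannot opt back out.  Non-Bing URLs and Bing pages
    that are not search requests are returned unchanged.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "bing.com" and not host.endswith(".bing.com"):   # assumption: bing.com only
        return url
    if "/search" not in parts.path.lower():                     # covers /search and /videos/search
        return url
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() != "adlt"]
    params.append(("adlt", "strict"))
    return urlunsplit(parts._replace(query=urlencode(params)))


def overlong_utf8_offsets(raw: bytes) -> list:
    """Return offsets of overlong UTF-8 lead bytes in raw.

    An overlong form spends more bytes than the code point needs, e.g. C0 AF
    for '/' instead of 2F.  RFC 3629 forbids them, but a path check that
    compares before decoding, or decodes leniently, treats C0 AF as a harmless
    non-ASCII character while the file system later sees a '/'.  The lead and
    continuation limits below follow the RFC 3629 well-formedness table.
    """
    hits = []
    n = len(raw)
    for i, b in enumerate(raw):
        nxt = raw[i + 1] if i + 1 < n else None
        if b in (0xC0, 0xC1):                                   # 2-byte form for U+0000..U+007F
            hits.append(i)
        elif b == 0xE0 and nxt is not None and nxt < 0xA0:      # 3-byte form below U+0800
            hits.append(i)
        elif b == 0xF0 and nxt is not None and nxt < 0x90:      # 4-byte form below U+10000
            hits.append(i)
    return hits


def scan_iis_log(lines) -> list:
    """Flag W3C-format IIS log lines whose cs-uri-stem decodes to overlong UTF-8.

    Column positions come from the '#Fields:' directive IIS writes at the top of
    each log, so the scanner does not depend on a fixed column order.  Returns
    (client ip, method, raw uri stem) for each hit.
    """
    fields, hits = None, []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue                                            # malformed or truncated line
        row = dict(zip(fields, cols))
        stem = row.get("cs-uri-stem", "")
        if overlong_utf8_offsets(unquote_to_bytes(stem)):
            hits.append((row.get("c-ip", "-"), row.get("cs-method", "-"), stem))
    return hits


# Constructed sample in IIS 6.0 W3C extended format; not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2009-06-02 10:15:01 10.0.0.5 GET /public/index.html - 80 192.0.2.10 200
2009-06-02 10:15:07 10.0.0.5 GET /..%c0%af/protected/payroll.xls - 80 192.0.2.77 200
2009-06-02 10:15:09 10.0.0.5 PROPFIND /protected/ - 80 192.0.2.77 401
2009-06-02 10:15:12 10.0.0.5 GET /caf%c3%a9/menu.pdf - 80 192.0.2.10 200
""".splitlines()


if __name__ == "__main__":
    print(enforce_bing_safesearch("http://www.bing.com/videos/search?q=porn&adlt=off"))
    for ip, method, stem in scan_iis_log(SAMPLE_LOG):
        print(f"overlong UTF-8 in request from {ip}: {method} {stem}")
```

The SafeSearch rewrite only helps when clients cannot reach Bing except through the proxy that applies it; the log scan is a retrospective check and is deliberately narrow, flagging only encodings that a conforming decoder would reject outright, so legitimate non-ASCII paths such as the café entry above are not reported.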
Upcoming Security Activity

NANOG46: June 14–17, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following date:

Iranian Presidential Elections: June 12, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.