The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Vulnerability and threat activity during the period was elevated owing to continued vendor responses to vulnerability announcements released in recent weeks by Apple, Mozilla, and Adobe. Administrators and users are advised to update their systems to ensure the latest updates are installed.
Cisco Security Intelligence Operations continued to identify an increased volume of new spam messages during the time period that employ various social engineering topics. The fake update for Microsoft Outlook and Outlook Express that has been circulating for approximately two weeks is suspected of fooling many users and is gaining increased attention. The false e-mail message is sophisticated and appears nearly identical to official Microsoft messages.
IntelliShield published 151 events last week: 42 new events and 109 updated events. Of the 151 events, 129 were Vulnerability Alerts, one was a Security Activity Bulletin, 14 were Threat Outbreak Alerts, four were Security Issue Alerts, one was an Applied Mitigation Bulletin, and two were Cyber Risk Reports. The alert publication totals are as follows:
Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk
Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 2, June 3, 2009
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring. Microsoft has released a tool that will disable QuickTime parsing without requiring manual registry editing
Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.
Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3
W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.
Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 5, May 19, 2009
Urgency/Credibility/Severity Rating: 2/5/4
Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.
Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 11, April 24, 2009
Urgency/Credibility/Severity Rating: 3/5/4
Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.
Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.
Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity.
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4
W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.
Automated Control Systems Risks
The recent crashes of Air France flight AF447 and the Washington, D.C, Metro Red Line commuter train have focused concerns on automated control systems and computer controls. Preliminary findings in the ongoing investigations indicate that sensor systems malfunctioned or failed, and the human interfaces of the systems were unable to issues warnings to the air crew and train operator in time for intervention to aid recovery from the dire situations.
IntelliShield Analysis: While automated control systems are widely deployed and normally highly reliable, they are vulnerable to failures and a range of risks. The critical fail-safe in nearly all the systems is the human interface or management console where information is presented to a human who can interact, correct, or take control of a situation. In both of these cases, it appears that sensors failed; possibly more importantly, the interfaces alerted the operators too late to recover from their respective situations. Two critical considerations in the use of these complex control systems are the high level of training required for operators and the response time limitations that reflect the amount of time an operator has to recognize a warning, alert, or situation and make a required decision.
There was no significant activity in this category during the time period.
Police Believe Vanished Clerk Tied to Russian or Armenian Mafia
In April 2009, an employee known as Erick disappeared from his job at an Arco gas station near Los Angeles, CA, where he had been employed for eight months. It is believed that he stole a laptop, surveillance equipment, his job application form, cash, and cigarettes on the day of his departure. In May, police began to receive complaints from customers who had shopped at the gas station and were victims of credit card fraud. Police now suspect that Erick was part of a sophisticated organized crime system. He worked his way into a position of trust, planted a card skimmer at the register, and later made his getaway with cash, valuables, and whatever evidence he could take to cover his tracks. Read more
IntelliShield Analysis: Organizations are not always able to defend themselves against determined, skilled, and professional attackers. It may be very difficult to defend against the attacker who is a trusted insider and where the combination of privilege and skill are likely to be overwhelm defenses. In this case, the attacker was able to compromise a number of controls, technical and social, to achieve his goal. It may not have been possible for the Arco gas station to affordably prevent the primary loss incurred by the credit card fraud. However, some security procedures could make it more difficult for attackers to position themselves within an organization, exploit the company to the same extent, or to cover their tracks as completely upon escape. With increasingly sophisticated attacks, the more appropriate security focus may be reducing risk impact, rather than avoiding risk altogether.
City of Bozeman Demands Passwords from Job Applicants
Raising privacy and civil liberties issues, applicants for jobs with the Cty of Bozeman, Montana, are not only required to list all their social media accounts but their passwords as well. "In order for us to get access to the chosen candidates' information, we need to be able to view their page," said City Attorney Greg Sullivan, according to a local television station's news report. Sullivan added, "As far as we know, there's no other way to get into their specific Facebook page." In addition to the privacy aspects that would enable city employees to post items under an applicant's name and make or delete friends, some social networking sites consider passing on passwords to be a violation of their terms of service, which some judges have ruled is a criminal act.
IntelliShield Analysis: Public outcry from privacy lawyers has caused the City Council of Bozeman to rescind the policy, which had been in place for well over a year. Sullivan's assertion that "there's no other way to get into their specific Face book page" is incorrect. As the television station's reporter pointed out, the City of Bozeman could create its own page and ask applicants to link to it, which would give city officials access to the applicants' pages. Ignorance about using social networking creates troubling questions of what other mistakes could be made by handing over the passwords. However, there are many other examples where individuals are compelled to provide private information for some legitimate purpose or service and no adequate body of alarm exists to limit or stop those efforts. Users are advised to know what is to be done with information collected about them and refuse to provide personal information, including passwords, when possible.
Car Allowance Rebate Spoofing
Last week, United States (U.S.) President Obama signed into law a program to provide financial incentives to encourage the purchase of new, fuel-efficient vehicles to replace older and less fuel -efficient vehicles. Officially called the "Car Allowance Rebate System," or CARS, the program has become known as "cash for clunkers." The bill contains complex criteria for determining whether an old vehicle is eligibility for the program and the amount of a rebate toward the cost of a replacement vehicle. Rebates range from US$3500 to US$4500.
IntelliShield Analysis: Before the bill was even signed into law, multiple social engineering phishing sites appeared, attempting to gather personal information from individuals seeking to determine if they are eligible for the program by purporting to "pre-qualify" vehicles or "confirm eligibility." The U.S. National Highway Traffic Safety Agency published warnings about these malicious websites early last week, and is referring information about several of the sites to the U.S. Justice Department Internet Fraud Division for investigation.
Russia's WTO Delay Imperils IP Protection
Russia has pulled its longstanding application to join the World Trade Organization (WTO), opting instead to reapply as part of a customs bloc with neighbors Kazakhstan and Belarus. The move surprised international observers, who said that the application was in its final stages after 16 years of negotiations. Key accession-contingent deliverables that may be delayed as a result of the move include Russian commitments to improve the legal framework for an array of trade items, including import licensing of information technology products with encryption capability and stricter intellectual property protection laws.
IntelliShield Analysis: Moscow's unconventional proposal may be a negotiating tactic, in which case Russia's WTO application could be on track again soon. It may also be that Russia is reconsidering international trade strategy in favor of bilateral agreements and smaller unions closer to home. Russian exports heavy emphasis on oil and gas, which are not covered by the WTO, may also weaken the economic justification from Russia's perspective. It is unclear whether the proposed three-country customs union will be accepted by the WTO, as it is unprecedented and presents ambiguities in how disputes would be settled. Information security specialists with international interests may want to consider possible delays of pending IPR legislation, and the implications of Moscow's apparent reconsideration of membership in this important trade adjudication body.
Upcoming Security Activity
Cisco Live: June 27–July 2, 2009
21st Annual FIRST Conference: June 28–July 3, 2009
International ISACA Conference: July 19–22, 2009
Black Hat Training and Briefings: July 25–31, 2009
DEFCON: July 31–August 3, 2009
18th USENIX Security Symposium: August 12–15, 2009
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
Back to Top