Cyber Risk Report

June 28–July 4, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity returned to normal levels during this time period. The release of vulnerability alerts and security advisories for Adobe, Microsoft, Opera, and Google Chrome highlighted the past week. From a monthly and midyear perspective, activity was elevated during June 2010, but totals for the first six months continue to fall below the midyear levels of the previous three years. The first six months of 2010 were nonetheless significant because of the number of unscheduled or zero-day announcements affecting Microsoft, Adobe, and other widely used business applications.

Adobe released a preannounced advisory for Reader and Acrobat that addressed 17 vulnerabilities. Threat activity related to these vulnerabilities has been reported, including proof-of-concept and active exploits. As previously reported, attacks continue to leverage Adobe vulnerabilities and PDF file exploits. For these reasons, users are advised to manually update Adobe Reader to the latest version and install all available updates.

Two Microsoft vulnerabilities were reported during the time period, the first of which is an information disclosure vulnerability in Internet Explorer that could allow an unauthenticated, remote attacker to view sensitive, browser-based information. Updates are not available, but additional details are in IntelliShield Alert 20815. A second Microsoft vulnerability was reported in Microsoft Internet Information Services (IIS) and detailed in IntelliShield Alert 20826. This vulnerability is limited to the older 5.1 IIS version that runs on Windows XP systems.

During the time period, Cisco also released details about two vulnerabilities that affect Cisco CSS Content Services Switch Software and the ACE Application Control Engine Module. These vulnerabilities were corrected in previous version updates of the products; additional information is available in IntelliShield Alerts 20807 and 20808.

Cisco Security Intelligence Operations continues to observe the trend of updated malicious code, spam, and e-mail message attachments that are designed to bypass antivirus products. IntelliShield Threat Outbreak Alert 19743 describes how widely distributed fake UPS delivery messages have changed over the first six months of 2010. Attackers continue to exploit users and bypass security measures by modifying existing messages and malicious code. Modular code, malicious code tool kits, and online testing against current antivirus products let them quickly launch updated versions of successful spam messages and capitalize on popular events.

IntelliShield published 80 events last week: 46 new events and 34 updated events. Of the 80 events, 61 were Vulnerability Alerts, eight were Security Activity Bulletins, two were Security Issue Alerts, seven were Threat Outbreak Alerts, and two were Cyber Risk Reports. The alert publication totals are as follows:

Weekly Alert Totals

Day         Date         New   Updated   Total
Friday      07/02/2010    13      11       24
Thursday    07/01/2010     5      11       16
Wednesday   06/30/2010     3       2        5
Tuesday     06/29/2010    15       3       18
Monday      06/28/2010    10       7       17
Weekly Total              46      34       80


2010 Monthly Alert Totals

Month                New   Updated   Monthly Total
January              158      259         417
February             177      253         430
March                194      324         518
April                208      167         375
May                  148      174         322
June                 240      294         534
Year-to-Date Total  1125     1471        2596


Significant Alerts for June 28–July 4, 2010

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20625, Version 7, July 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1297

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 4, June 16, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1885

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Microsoft has confirmed this vulnerability in a security advisory; however, updates are not available.

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5. Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that can bypass the kernel-hook protections of host-based security software on Microsoft Windows systems and execute arbitrary code with kernel privileges.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last of the 13 root servers (J-root) will begin serving the DURZ (deliberately unvalidatable root zone) on May 5, 2010.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 58, June 14, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

The VBScript engine in Microsoft Internet Explorer contains an unsafe help file handling vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates code execution is publicly available. Microsoft confirmed the vulnerability in a security advisory listing the affected products and has since released software updates in a security bulletin.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

Google Uses Remote Delete Feature to Remove Applications from Android

Google recently used its Remote Application Removal feature for the first time to remove two suspect applications from Android smartphones. The applications were created as part of an effort to demonstrate how easily miscreants could install malicious applications on Android-based devices. Google originally designed the Remote Application Removal feature to combat the wide-scale spread of actual malware while protecting Android-based device users.

IntelliShield Analysis: Although a mechanism that lets a vendor remotely connect to customer devices in order to protect them certainly has merits, it also highlights the concern that anyone who gains control of this electronic back door can use it for nefarious purposes. Best common practices in the end-to-end networking space discourage remote management connections altogether or, where they are necessary, recommend restricting them with controls such as IP ACLs and authentication requirements that minimize the inherent risk of allowing others to remotely access devices. This scenario is a clear illustration of the balancing act between enhanced functionality and increased security.

Identity

There was no significant activity in this category during the time period.

Human

Chicago Woman Sued for Online Business Review

A Chicago woman searching for a contractor recently contacted a local company she found through Angie's List, a consumer review website. When the contractor refused to provide service based on her location, the woman left the lowest possible rating on Angie's List because she felt the company's refusal contradicted what was advertised on the website. Although the woman explained the situation in her review, the contractor responded with a US$10,000 defamation lawsuit, claiming that the poor review damaged his business.

IntelliShield Analysis: Besides the protections afforded to consumers by legislation that prevents Strategic Lawsuits Against Public Participation (anti-SLAPP laws), online defamation cases can be very difficult to prove. Still, businesses must contend with scrutiny that is applied by the always-on, always-connected nature of the social Internet. Organizations are advised to ensure that they have a policy for reasonable response when they encounter consumer backlash about perceived wrongs. For example, using social media and making public amends could prove more effective than the negative publicity that may accompany a lawsuit. Even if a lawsuit has merit and ends in the plaintiff's favor, businesses may still face losses in the court of public opinion.

Geopolitical

Google Facing China Withdrawal

In the latest event in a long-running dispute between United States search engine Google and the Chinese government, authorities are considering whether to renew Google's Internet Content Provider license that expired on June 30, 2010. Without the license, Google is essentially unable to operate legally in China. In what appeared to be a last-minute effort to salvage the situation, Google recently created a "landing page" that offered mainland users the option to be redirected to the company's site in Hong Kong, rather than automatically sending them there, as had been occurring since March 2010. However, it was unclear whether the concession would be enough to sway authorities.

IntelliShield Analysis: Google has much to lose if it is forced to withdraw from China, the world's largest Internet market and one that is growing rapidly, but China also faces the potential loss of foreign investment capital. Although search engines other than Google operate in China, and Google's market share there never exceeded 30 percent, the outcome has the potential to affect long-term investment strategies and business sentiment. The controversy, which accelerated early this year when Google claimed that Gmail accounts belonging to political activists had been compromised without their knowledge, has become a test case for the globalization of communications. Multinational companies risk becoming involved in disputes when critics of Internet access policies in fast-growing new markets pressure them on issues such as freedom of speech and privacy. For the time being, the best strategy for information technology companies appears to be ensuring that they can obey the laws of a given country before deciding to operate there, however tempting the opportunity.

Upcoming Security Activity

Black Hat USA (Las Vegas): July 24–29, 2010
DEFCON 18: July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
FIFA World Cup (South Africa): June 11–July 11, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
