Cyber Risk Report

June 7–13, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity during this period was elevated, primarily because of large security updates from multiple vendors.  This period's vulnerability and threat activity highlights the continued focus on browsers and on Microsoft Office and Adobe applications.  Users are reminded to use auto-update features, follow vendor security recommendations, and apply safe practices to protect against the continued targeting of these products.

Microsoft released ten scheduled security bulletins, composed of 33 individual vulnerabilities, for the June 2010 monthly update.  Three of the bulletins are rated Critical, and seven are rated Important.  The most significant of these updates are likely the cumulative update for Internet Explorer and Excel updates.  The monthly update did not include an update for a publicly reported vulnerability in Microsoft Help and Support Center, but Microsoft did release an advisory on June 10 addressing this vulnerability.  The details of the Microsoft Help and Support Center vulnerability were reported in IntelliShield Alert 20691.

On June 7, Apple released a large security update to correct 48 vulnerabilities, including an updated version of Safari.  Google also released an updated version of the Chrome browser to address 11 vulnerabilities, including nine vulnerabilities rated High by Google.

Cisco released three security advisories addressing vulnerabilities in three products: default credentials in the Linksys WAP54Gv3, and multiple vulnerabilities in the Cisco Application Extension Platform and Cisco Unified Contact Center Express.  These vulnerabilities could allow remote access, a denial of service (DoS) condition, or directory traversal.  These vulnerabilities were reported in PSIRT advisories (http://www.cisco.com/en/US/products/products_security_advisories_listing.html) and multiple IntelliShield alerts, all of which are available on the Cisco Security Intelligence Operations website (http://tools.cisco.com/security/center/home.x).

Adobe released an updated version of Flash Player to address 32 vulnerabilities, including a publicly disclosed vulnerability in Flash Player.  The vulnerability also affects Acrobat and Reader, but Adobe announced that updates for these products will not be available until June 29, 2010.  The vulnerability in Flash Player is being actively exploited.

Cisco ScanSafe identified the compromise of multiple web pages that occurred through a SQL injection iframe attack that affected approximately 7,000 web pages.  ScanSafe research indicates the web page compromises were a result of the compromise of a third party that provided real estate advertising to the affected websites.  Additional information about these attacks is on the Cisco ScanSafe blog.

Cisco IronPort Threat Operations Center identified a spam threat reported in Threat Outbreak Alert 20699.  This threat includes an attached malicious Microsoft Excel file that attempts to exploit a vulnerability originally reported in November 2009 in IntelliShield Alert 19322.  This vulnerability has now progressed through an 8-month threat development cycle, with proof-of-concept code released in May 2010.  The vulnerability is now being actively targeted using malicious attachments to spam messages.

On June 11, the FIFA World Cup began in South Africa.  Multiple websites, applications, and service providers are distributing streaming video, scoring updates, news reports, and interactive fan sites.  A major world event like this tournament is an obvious target for criminals seeking to exploit its popularity.  Users should exercise caution during this time by visiting only known and trusted sites, avoiding search engine and e-mail links, and ensuring all their security products are updated and enabled.  Multiple sources have already identified criminal online activity around the games, which will likely continue to increase as the tournament proceeds.

IntelliShield published 140 events last week: 111 new events and 29 updated events.  Of the 140 events, 117 were Vulnerability Alerts, seven were Security Activity Bulletins, five were Security Issue Alerts, eight were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        06/11/2010    13         8      21
Thursday      06/10/2010     8         3      11
Wednesday     06/09/2010    32         6      38
Tuesday       06/08/2010    50         8      58
Monday        06/07/2010     8         4      12
Weekly Total               111        29     140


Previous Alerts That Still Represent Significant Risk

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user.  Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable.  Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5.  Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Windows systems and execute arbitrary code with kernel privileges.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last (J-root) of the 13 root servers will begin serving the DURZ on May 5, 2010.

Microsoft Windows SharePoint Services Help.aspx Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft Windows SharePoint Services 3.0 SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser.  Proof-of-concept code that exploits this vulnerability is publicly available.  Microsoft has confirmed this vulnerability and released software updates.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems.  As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable.  McAfee has released a knowledgebase article with various workarounds.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 58, June 14, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Proof-of-concept code that exploits this vulnerability is publicly available.  Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability.  Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox WOFF Decoder Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1028

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability.  Proof-of-concept code that demonstrates code execution is available.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

United States Army Intelligence Analyst Suspected of Leaking Videos and Documents to Wikileaks

Several news reports have emerged alleging SPC Bradley Manning, a United States Army intelligence analyst, leaked a recent video of a helicopter engagement in Iraq and potentially almost a quarter million classified documents.  According to reports, SPC Manning provided the content to Wikileaks.org, a website that specializes in making sensitive documents publicly available.  The analyst was detained following a series of online conversations that he had with noted hacker personality Adrian Lamo.  Lamo contacted authorities after becoming concerned by the scope and nature of material Manning claimed to have delivered to Wikileaks.

IntelliShield Analysis: There is a level of uncertainty surrounding the facts of this case.  This may be due, in part, to the nature of the investigation and the sensitivity of what has allegedly been disclosed, as well as the interest of Wikileaks in not fully cooperating with efforts to halt publication of the material.  Organizations may note that Manning appears to have been contemptuous of the lack of physical security controls and of the low priority given to protecting and monitoring the storage and movement of massive amounts of sensitive data.  Information assets must be properly secured both physically and technically.  Furthermore, as businesses consider giving personnel clearance to view sensitive information, they should perhaps consider more subjective factors such as experience, maturity, and track record.

Identity

AT&T iPad Exposure

A gray-hat hacking group exploited a security vulnerability in AT&T's website to uncover integrated circuit card identifiers (ICC-IDs) and associated e-mail addresses for approximately 114,000 iPad users.  AT&T closed the hole in the website shortly after being notified of the breach by reporters, and this incident is now being investigated by the United States Federal Bureau of Investigation as a potential cyber threat.

IntelliShield Analysis: Although the type of information exposed was limited in scope and criticality, some of the e-mail addresses obtained belong to very high-level executives and prominent military leaders and could easily be used to launch spear phishing (targeted phishing) e-mail attacks.  It is also quite possible that there is additional data tied, either directly or indirectly, to the ICC-IDs and e-mail addresses that attackers could use to accomplish more nefarious or financially motivated acts in the future.

Human

There was no significant activity in this category during the time period.

Geopolitical

FIFA Games Turn Focus on South Africa's Infosec Challenges

The World Cup football tournament is focusing global attention on South Africa, Africa's largest economy and the first to host the big event.  Fans around the world are enjoying unprecedented access to game broadcasts and streaming video, thanks largely to the newly completed SEACOM undersea fiber-optic cable linking Africa to Europe through the Red Sea.  The added connectivity will provide broadband access to millions of Africans who have had to rely on expensive satellite uplinks. Hopes are high that the added bandwidth and competition will help drive down costs and jump-start economic growth in underdeveloped southern Africa.

IntelliShield Analysis: SEACOM will bring online a new contingent of Internet users, not all of whom will play by the rules. Indeed, as costs go down, the traditional wellspring of hacking talent—teenagers with time on their hands—will provide a good supply of hard workers eager to find ways to make money, legally or otherwise, through connectivity to the global Internet community.  Beyond relatively higher costs, high rates of violent crime are another reason that South Africa has been comparatively slow to buy into the digital revolution.  Undertrained, poorly funded police forces have little choice but to focus primarily on violent crime before devoting resources to credit card fraud or hacking.  This need to get crime under control and begin building cyber-security programs in southern Africa is important not only for South Africa, but for people and companies around the world with data to protect.

Upcoming Security Activity

FIRST Conference (Miami, United States): June 13–18, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas, United States): June 27–July 1, 2010
Black Hat USA (Las Vegas, United States): July 24–29, 2010
DEFCON 18: July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
FIFA World Cup (South Africa): June 11–July 11, 2010
Poland Elections: June 20, 2010
G20 Summit (Toronto, Canada): June 26–27, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.