June 8–14, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Microsoft published its monthly security bulletin release on June 9, 2009. Ten bulletins were released to address a total of 31 individual vulnerabilities. Microsoft rated six of the ten bulletins as Critical, four as Important, and one as Moderate. Five of the Critical bulletins address vulnerabilities in Microsoft Windows and Office applications, including Word, Excel, and Internet Explorer. Exploits of these vulnerabilities could allow an attacker to execute arbitrary code, but an attacker must rely upon user participation to accomplish an exploit. The final Critical bulletin addresses vulnerabilities in Active Directory that could allow a remote attacker to execute arbitrary code on a targeted system. One previously reported vulnerability in Microsoft Internet Information Services was corrected as part of this month's Microsoft release.
Although exploit code exists publicly for this vulnerability, no incidents have been reported.

Also on June 9, 2009, Adobe released its first scheduled quarterly security bulletin release. The bulletin announced fixes for thirteen previously reported vulnerabilities, many of which allow an unauthenticated, remote attacker to execute arbitrary code on a user's system. The updates covered flaws found in Adobe Reader and Acrobat.

Apple released Safari 4, the latest update of its web browser, on June 8, 2009. The new version of Safari contains fixes for 51 individual vulnerabilities, including several that allow for the execution of arbitrary code. The update also contains numerous other enhancements not related to security.

IntelliShield published 81 events last week: 56 new events and 25 updated events. Of the 81 events, 64 were Vulnerability Alerts, two were Security Activity Bulletins, five were Threat Outbreak Alerts, six were Security Issue Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring. Microsoft has released a tool that will disable QuickTime parsing without requiring registry editing.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available.

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.
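A defender-side check related to the IIS WebDAV Unicode item above, added here as an example and not part of the report or of any Microsoft tooling: it reads constructed IIS W3C-format log lines and flags requests whose percent-decoded path is not valid UTF-8 (overlong or malformed sequences), which is the kind of malformed Unicode a strict decoder rejects and a lenient one may mishandle. The log lines, client addresses, paths and the list of WebDAV methods are assumptions made for this example.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-format log excerpt (sample data for this example, not from the report).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-06-10 10:01:02 192.0.2.10 GET /index.htm 200
2009-06-10 10:01:05 192.0.2.10 PROPFIND /secure/ 401
2009-06-10 10:01:09 192.0.2.11 GET /caf%C3%A9/menu.htm 200
2009-06-10 10:01:12 192.0.2.12 GET /%C1%81secure/report.doc 200
2009-06-10 10:01:15 192.0.2.12 PROPFIND /%E0%80%81secure/ 207
"""

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def classify_uri(uri_stem: str) -> str:
    """Classify a percent-encoded URI stem as 'ascii', 'utf8' or 'invalid-utf8'."""
    # Percent-decode to raw bytes first; Python's strict UTF-8 decoder then rejects
    # overlong and malformed sequences that a lenient server-side decoder might accept.
    raw = unquote_to_bytes(uri_stem)
    if all(b < 0x80 for b in raw):
        return "ascii"
    try:
        raw.decode("utf-8")
        return "utf8"
    except UnicodeDecodeError:
        return "invalid-utf8"

def scan_iis_log(log_text: str) -> list:
    """Return (client_ip, method, uri_stem, status, note) for each request with malformed Unicode."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip W3C directive lines
        fields = line.split()
        if len(fields) < 6:
            continue
        _date, _time, client_ip, method, stem, status = fields[:6]
        if classify_uri(stem) != "invalid-utf8":
            continue
        note = "webdav" if method in WEBDAV_METHODS else "non-webdav"
        findings.append((client_ip, method, stem, status, note))
    return findings

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Requests that decode cleanly (the accented path) are left alone; only paths carrying byte sequences that no conforming UTF-8 decoder accepts are reported, together with whether the method was a WebDAV verb.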
Adobe Reader getAnnots Function Buffer Overflow Vulnerability
Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.
Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

H1N1 Declared Phase 6 Influenza Pandemic
The World Health Organization (WHO), in an announcement anticipated for weeks, named the H1N1 virus a pandemic and assigned it a Phase 6 classification, the highest alert level WHO gives to pandemic events. H1N1, originally known as swine flu, is the first influenza pandemic of the 21st century. According to WHO, the virus is in unrestrained circulation in at least two regions of the world with over 30,000 reported cases of infection.
The Director-General of WHO said Friday that the Phase 6 classification was a warning to the manufacturers of flu vaccines to quickly begin preparation of a commercial-scale pandemic vaccine.

IntelliShield Analysis: WHO calls the H1N1 pandemic moderate but anticipates that the initial strain of the flu could affect a third of the world's population. Businesses are strongly encouraged to ensure that continuity plans are in place to avoid interruption of critical functions through employee illness and the resulting, inevitable breaks in the supply chain. Remote workers may be least at risk because of their lack of exposure to other employees in office buildings and to commuters on public transportation. Organizations may consider supplying staff with the equipment needed to work from home as a preventative measure; subsequent mutations of the first H1N1 strain are expected to raise the infection rate significantly above that of its initial form. The reported H1N1 cases are currently limited to regional areas, but businesses are advised to monitor infection rates in their local areas so that precautions and responses can be implemented accurately.

Legal

Supreme Court Won't Hear Case Against Circuit City Technician
In the United States, the Supreme Court declined to hear Sodomsky v. Pennsylvania, case 08-1274, a decision that gives Pennsylvania officials the green light to prosecute Kenneth Sodomsky for possession of child pornography that he had stored on his computer. Sodomsky had taken the computer to one of the stores in the now-defunct Circuit City chain to have a DVD burner installed. While testing the software for the device, a technician observed files on Sodomsky's computer containing questionable content and then showed local police. Police officers obtained a warrant and promptly arrested Sodomsky. A trial judge initially agreed with Sodomsky's assertion that the technician at Circuit City had no right to examine files on the computer and initiate police action.
A state appellate court subsequently overturned the trial judge's decision, observing that Sodomsky had forfeited his right to privacy by removing the computer from his home and handing it over to Circuit City technicians.

IntelliShield Analysis: In declining to hear this case, the court chooses not to examine the rights of technicians to browse drives on computers that are brought to them for repair. Depending on jurisdiction or local laws, users may be considered to have given up privacy rights by abandoning or turning over possession of their computers for repair. Assuming the computer is functional, users who want to keep known sensitive data or files secure should encrypt those files or remove them from the system prior to turning it over to third-party technicians or repair services. Users should also perform full system backups and full scans of their computers both before handing them over and upon their return, to avoid distributing malware and to identify any infection that occurs during repair.

Trust

There was no significant activity in this category during the time period.

Identity

T-Mobile Data Extortion Attack
Attackers reportedly broke into T-Mobile systems and compromised business, system, and personal identification information of its customers. Reportedly, after failing in an attempt to sell the data to T-Mobile competitors, the attackers delivered extortion requests to T-Mobile and publicly posted samples of the compromised data. T-Mobile initially responded that it was investigating the reports, and has now announced that it does not believe any customer account or personal identification information was compromised.

IntelliShield Analysis: This case has played out very publicly on the web for the past couple of weeks, which in itself is a challenging situation for any business and incident response team.
After performing an internal investigation, T-Mobile was confident enough to make a public announcement of the data it determined had been compromised, and what had not. It is fortunate and commendable that T-Mobile has the controls and capabilities in place to be able to perform the investigation and make this announcement only a few days following the reported compromise. Law enforcement is now involved, and the investigation is ongoing. All businesses on the Internet are vulnerable to these types of attacks, and should consider this case as a scenario for security exercises to determine their own capabilities to respond to similar reports or criminal activity.

Human

There was no significant activity in this category during the time period.

Geopolitical

Stormy Seas for Opponents of File Sharing
Sweden's Pirate Party, which ran on a platform of legalizing file sharing for personal use, won enough votes to secure two seats in the European Union parliament in early June elections. Just days later, France's highest legal authority rejected a controversial three-strikes law, which would have paved the way for a government agency to cut off Internet access for peer-to-peer file sharing violators after two warnings. The grassroots movement against what is perceived as over-zealous enforcement of copyrights has received increased media attention following the April conviction of four heads of the Swedish file sharing company Pirate Bay (unaffiliated with the Pirate Party).

IntelliShield Analysis: The EU Parliament seat win and the French ruling contribute to mounting evidence that copyright holders face a generational shift (much of the Pirate Party's support came from voters under 30) and must rethink their strategies, regardless of fairly strong state support for standing copyright frameworks.
The wave of popular discontent over Internet copyright enforcement has implications not just for the entertainment and music industries, but for any entities with copyrighted property shared or sold on the Internet. Indeed, in addition to advocating freer file sharing, the party would also outlaw the patent system. The challenge for ISPs and copyright holders going forward may be to find a way to work with the movement rather than against it. Ultimately, a framework that protects intellectual property while recognizing the fundamental shift in information sharing brought on by the Internet revolution is in the interest of everyone.

Upcoming Security Activity

NANOG46: June 14–17, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
