Cyber Risk Report

March 24–March 30, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity this week was highlighted by the Cisco IOS Security Advisory Bundle release. The Cisco Product Security Incident Response Team (PSIRT) released the first of its regularly scheduled IOS Security Advisory bundles on March 26, 2008. Future bundles are scheduled for release on the fourth Wednesday of March and September each calendar year. This bundle included five Security Advisories and was accompanied by three Cisco Applied Mitigation Bulletins. IntelliShield analysts identified six individual vulnerabilities from these advisories. Of particular interest is the Multicast Virtual Private Networking (MVPN) architecture information disclosure vulnerability detailed in IntelliShield alert 15446. A remote attacker could exploit this vulnerability to create a denial of service (DoS) condition or disclose potentially sensitive data transmitted via multicast. Because the affected devices will likely reside at the service provider edge, attackers would not likely require special access to submit malicious messages to an affected device. However, attackers would likely require access to a valid MVPN network to gain access to the disclosed data.

Mozilla released seven security advisories and updated versions to address vulnerabilities in its Firefox, SeaMonkey, and Thunderbird products. IntelliShield analysts identified one previously disclosed vulnerability and nine new vulnerabilities from these advisories. Additionally, numerous third-party operating system vendors have begun releasing updates for these products. Web browsers such as Firefox and e-mail clients such as Thunderbird are often the first applications on a target system that can be exposed to a remote attacker, and attackers are increasingly exploiting these common user applications. Keeping such applications patched is critical to preventing compromised systems in the environment.

Multiple third-party operating system vendors released patches to address two previously undisclosed vulnerabilities in MIT Kerberos. These vulnerabilities could allow a remote attacker to cause a DoS condition if certain conditions are present. Because Kerberos implementations are used to provide authentication services for a wide variety of applications, such a DoS condition could have widespread impact.

In malicious code activity, Backdoor:W32/PoisonIvy, as documented in IntelliShield Alert 15485, is being marketed as a highly configurable and legitimate remote administration tool. However, the tool is often used in a malicious manner, and the author states that users can purchase a customized version that is undetectable by all antivirus products. The author also offers free updates to users who pay for the customized version. These updates provide the most recent version of the tool, again supposedly undetectable, once antivirus software begins detecting the older version. The trojan can easily be configured using its built-in graphical user interface, and additional functionality can be added via third-party plugins. Several variants are known to exist; however, few details are available.

IntelliShield published 173 events last week: 67 new events and 106 updated events. Of the 173 events, 153 were Vulnerability Alerts, 14 were Security Issue Alerts, three were Daily Malicious Code Summaries, one was a Malicious Code Alert, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New   Updated   Total
Friday        3/28/2008     9        16      25
Thursday      3/28/2008    11        17      28
Wednesday     3/28/2008    21        21      42
Tuesday       3/28/2008    10        22      32
Monday        3/28/2008    16        30      46
Weekly Total                67       106     173


Significant Alerts for March 24-30, 2008
Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 3, March 31, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. This vulnerability is currently being exploited by malicious software. The vulnerability has been identified as being used by TROJ_MSJET.C, which is documented in IntelliShield Alert 15486, and Trojan.Acdropper.C, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Previous Alerts That Still Represent Significant Risk
Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14951, Version 7, March 22, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0081

Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Exploit code demonstrating code execution is publicly available. Reports indicate that attackers are leveraging this vulnerability in ongoing, targeted attacks. The exploit code could be leveraged to conduct larger scale attacks. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 15092, Version 3, March 13, 2008
Urgency/Credibility/Severity Rating: 1/5/3
CVE-2008-0084

Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a DoS condition. Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
IntelliShield Vulnerability Alert 15063, Version 3, February 14, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0216

Microsoft Works File Converter contains a vulnerability when handling legacy-formatted Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates the remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 15150, Version 1, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4

F5 Networks BIG-IP contains a vulnerability in the management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability and updates are unavailable.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
IntelliShield Vulnerability Alert 15127, Version 3, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0009, CVE-2008-0010

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 15128, Version 4, March 10, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0600

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15118, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-5659

Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the affected system. This vulnerability is currently being exploited in the wild. The vulnerability has been identified as being used by Trojan.Pidief.C, which is documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Oracle Critical Patch Update January 2008
IntelliShield Security Activity Bulletin 14949, Version 3, January 23, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities affecting Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Physical

Mitsubishi Electric HVAC Access Control Vulnerability

Mitsubishi Electric GB-50 and GB-50A Centralized Controllers contain a vulnerability that could allow an unauthenticated, remote attacker to gain control over associated heating, ventilating, and air conditioning (HVAC) system units. The vulnerability exists because of a lack of proper access controls on network-accessible resources supplied by the affected controller units. An attacker could exploit this vulnerability by establishing an unauthenticated connection to the target device's web server via TCP port 80. Because the affected device does not require authentication, the attacker could issue arbitrary commands to control associated HVAC units.

IntelliShield Analysis: This vulnerability highlights an area of cyber security that continues to grow but is also often overlooked. Embedded control systems such as the GB-50 are commonly deployed within multi-office buildings to provide central management to building administrators and maintenance staff. These systems are often installed, and new features such as the GB-50's remote access functions enabled, by technicians who are highly trained in HVAC and building control systems but who are not trained in the network and security domains. Significant opportunities exist for misconfigurations that may affect the operation of a network as a whole or open such systems to attack. This situation is a particular concern because these systems are often outfitted with firmware that is not easy for end users or technicians to upgrade, making it difficult to remedy bugs or security vulnerabilities. If a technician integrates the GB-50 into an office or building network without the proper considerations, the vulnerability could open affected buildings to attackers who are geographically distant from the target location. Most buildings' emergency management plans do not take this type of attack into consideration, and administrators may be unable to respond in an appropriate manner.

Legal

Privacy Concerns Over Fusion Centers

The Electronic Privacy Information Center (EPIC) has filed a Freedom of Information Act (FOIA) request in Virginia regarding the federal government's involvement in the state's open government legislation. The request is focused on a Virginia house bill that would exempt the Virginia State Fusion Center's databases and records from FOIA requests, exempt its employees from subpoena in civil actions, and grant tipsters immunity from defamation and invasion of privacy claims. EPIC intends to use the FOIA request to determine whether the federal government is involved in lobbying for the passage of the bill. EPIC and other opponents of domestic surveillance and privacy violations are concerned that the scope of the fusion centers will expand beyond the original intelligence reform act and 9/11 Commission Report recommendations.

IntelliShield Analysis: The goal of fusion centers, or converged security centers, in government or business is to share information more securely, effectively, and efficiently across the stakeholder groups. In both cases, much of the information is highly sensitive, and a policy of open access and transparency is not likely to be preferred. While the centers are still a developing practice for some government agencies and businesses, if operated within the required strict policies and practices, fusion centers will provide not only better information, intelligence, and analysis for their customers, but also improved security, privacy, and rights protections. Centralizing, aggregating, and sharing information within a controlled group allows it to be validated across multiple government levels and agencies or business groups. Ultimately the centers should be based on a need-to-know policy and also require strict access controls, thorough vetting of individuals, and monitoring of the systems, individuals, and physical centers, with oversight organizations to ensure the policies and protections are observed. Businesses considering a similar function should be aware of the potential sensitivity surrounding the centers, and should visit a local operating center to establish relationships between the business and government officials and to discuss policies and procedures in order to learn from their experience.

Trust

Apple Safari Installation on Windows Brings Criticism

Apple has endured criticism in the past week for its release of Safari 3.1, the first stable version of the Safari browser for Windows. The release can be downloaded from Apple's web site, but it is also being distributed to Windows users through Apple's software update component. The software update component prompts users to download version 3.1 even if no previous version of the browser has been installed on the user's computer. Critics have complained that Apple is pushing unwanted software on users and that, by using the software update mechanism, the vendor is implying that the updates are necessary rather than optional. Steve Jobs announced that Apple would use iTunes to distribute Safari when plans to distribute the software on Windows were announced in 2007.

IntelliShield Analysis: Apple is facing increased scrutiny as its products continue to grow in popularity. It may not have helped public perception that the Safari release, together with a security update for OS X issued the same day, corrected nearly 100 security vulnerabilities. It also bears mention that some of the most vocal criticism has come from competitors in the highly competitive browser market, who may see Apple's entry into a multi-platform market as threatening, especially if they perceive that entry to be forced upon users. Addressing security vulnerabilities through advisories and automatic update utilities is sometimes equal parts technical solution and presentation. Delivering new products or any other material through the update utility is likely to cause user confusion and potentially dilute the importance of, and trust in, the update utilities. Changing Safari's installation checkbox from opt-out to opt-in might have been sufficient to deflect criticism and maintain the trust relationship users have with the update utility.

Identity

Security Concerns Over Passport Outsourcing

A three-part article posted on The Washington Times website has many concerned that the Government Printing Office (GPO) has elevated the risk to national security by outsourcing part of electronic passport production to Europe and Thailand before passports are sent to the United States for assembly. GPO Inspector General J. Anthony Ogden, who was quoted in the article, claims that many of the security issues cited had been discovered in 2005 and were already being addressed. He added that vendors were inspected, background checks were conducted on employees, and passport components were transported using secure means.

IntelliShield Information: House Representatives John Dingell and Bart Stupak have informed GPO Inspector General J. Anthony Ogden and Public Printer Robert Tapella that they are investigating these allegations, and Ogden himself has stated that his office is reviewing the production process for any potential gaps. RFID chips were originally introduced into the passports to protect against counterfeiting, and a compromise of the chips would negate their purpose. Because neither the data nor the citizen's photograph is added to the passport outside of the United States, it is unlikely that a person's identity would be stolen via foreign outsourcing. Smartrac Technology, the producer of the RFID antenna, has promised to move its production to Mississippi, which should alleviate some fears. The antenna is currently assembled in Thailand, which has a history of social unrest as well as anti-government groups backed by known terrorist organizations. If passport components were stolen, it may be possible to assemble a fairly accurate fake passport or to reverse engineer its technology for use in criminal activities. Businesses that rely on outsourcing should regularly audit their practices and ensure that strict controls exist to protect against theft or counterfeiting of components. Badges and other forms of identification are only as trustworthy as the processes that produce them. Criminals are well aware of the difficulty of compromising a completed document and have turned their efforts toward compromising the components used during the production process.

Human

Fraudulent Craigslist Ad Results in Loss of Property

Robert Salisbury of Jackson County, Oregon was the victim of a false advertisement that claimed his house had been declared abandoned by the sheriff's department and that his possessions were available to anyone who wanted them. As Salisbury returned home, he noticed vehicles carrying his property; when he tried to talk to the drivers, he was rebuffed. Several people produced a printout of the Craigslist advertisement and believed that it gave them the authority to take possession of his property. Salisbury gave the sheriff a list of license plate numbers, but many of his belongings are still missing.

IntelliShield Analysis: With the adoption of certain online services into mainstream culture, many may take for granted the fact that some services do not investigate the validity of user-posted offerings. Creating an advertisement is inexpensive or even free, and an online venue may reach a greater portion of a local population than traditional means. Shopping and auction websites are commonly used for fraudulent activities or for selling stolen goods, but this example demonstrates other destructive uses. Craigslist CEO Jim Buckmaster has commented that using the Internet to commit fraud is foolish because a thief's activities can be tracked. Unfortunately, in many cases it is too late to protect the victim. Businesses that opt to use these services should be wary of what they are purchasing and take secondary steps to confirm the legitimacy of their transactions. Organizations utilizing brand names, logos, or other identifying language should conduct regular online searches to identify any fraud being conducted against them or involving their trademarks or property.

Geopolitical

Taiwan Votes For Business

With a resounding 58 percent of the popular vote, conservative Kuomintang (KMT) party candidate Ma Ying-Jeou has been elected Taiwan's new president. Ma has promised to pursue a non-confrontational approach toward Beijing, putting aside sovereignty issues and pledging to focus on relaxing laws that restrict bilateral business. Long-awaited direct flights and direct shipping between Taiwan and mainland China are among Ma's most eagerly awaited initiatives. The election is being welcomed by world leaders, most notably the administration in Beijing, which had been antagonized by previous President Chen Shui-Bian's talk of independence.

IntelliShield Analysis: While improved ties between China and Taiwan could mean harsher competition for Western firms, Ma's win is probably good news overall. Together with legislative gains for the KMT in January, the election outcome is being seen as a boost for Taiwan's economy. Change is not likely to be quick, in part because cross-strait economic ties are already robust. Given geographical proximity and cultural ties, however, cross-strait economic cooperation could be poised for a rise. In addition to decreasing the chances of conflict in the Taiwan Strait, the pro-business vote may provide Taiwan's economy a psychological boost at a time when exposure to the sluggish U.S. economy might otherwise have done more damage.

Upcoming Security Activity
Sharkfest 2008: March 31–April 2, 2008
NOTACON 5: April 4–6, 2008
RSA 2008: April 7–11, 2008
HITBSecConf2008: April 14–27, 2008
SANS 2008: April 18–25, 2008
ToorCon Seattle 2008: April 18–20, 2008
RSA Conference Japan: April 23–25, 2008
CSI SX 2008: April 27–May 2, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following events:

April Fools' Day: April 1, 2008
Easter (Eastern): April 27, 2008


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.