Cyber Risk Report

March 31–April 6, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

The VoIPshield Systems security research group released details of 44 vulnerabilities that affect Voice over IP (VoIP) products from Avaya, Cisco, and Nortel. VoIPshield lists the majority of these vulnerabilities as previously undisclosed to the general public and unpatched. The vulnerabilities include hard-coded account credentials, denial of service, information disclosure, and arbitrary code execution flaws. An attacker could exploit some of these vulnerabilities to take complete control of an affected device. IntelliShield released Security Activity Bulletin 15565 to address the VoIPshield release. IntelliShield also released Vulnerability Alert 15568 to address one of the vulnerabilities, a security bypass and command execution vulnerability in the Cisco Unified Communications Disaster Recovery Framework.

Apple released version 7.4.5 of its QuickTime media player for the Mac OS X and Windows platforms. This new release addresses 11 previously undisclosed vulnerabilities that exist due to errors when processing media files. A remote attacker could exploit these vulnerabilities to cause a denial of service condition or to execute arbitrary code. Depending on the platform and configuration of the affected system, the attacker may be able to take complete control of the affected system. Because QuickTime is a widely distributed application, its vulnerabilities make attractive targets for malicious code distribution.

Independent security researchers released proof-of-concept code for the memory corruption vulnerability in Microsoft PowerPoint as described in IntelliShield Alert 15306. The proof-of-concept code demonstrates the possibility of achieving command execution by opening up the calc.exe application. Skilled attackers may find it trivial to modify the code to conduct more damaging attacks, such as opening a command shell.

Computer Associates released a security response to address a buffer overflow vulnerability in the AddColumn() method of the ListCtrl ActiveX control of Brightstor and Unicenter products as described in IntelliShield Alert 15402. Functional exploit code for this vulnerability is publicly available, and attackers are actively exploiting this vulnerability. The Cisco Applied Intelligence group released an Applied Mitigation Bulletin outlining a mitigation strategy to protect against attacks using this vulnerability. These strategies are outlined in IntelliShield Alert 15586.

During the time period, April Fool's Day (April 1) prompted another variation of the Storm worm to be widely distributed. The Storm worm, as documented in IntelliShield Alert 14009, is currently circulating in April Fool's Day-themed e-mails that contain a link to a website hosting an ecard. If users remain at this site for several seconds or follow the "click here" hyperlink, a copy of the worm is installed on the user's system. Users should always verify the authenticity of unexpected links within e-mail and use caution when viewing holiday-related e-mails.

Additional malicious code activity includes the reappearance of Trojan.Acdropper.C, as documented in IntelliShield Alert 10679. This trojan is exploiting the Microsoft Jet Database Engine buffer overflow vulnerability. This zero-day vulnerability is reported in Microsoft Security Advisory 950627 and IntelliShield Alert 15469. The trojan arrives as a Microsoft Word document file inside a ZIP e-mail attachment. Once the trojan is installed on the system, it opens a backdoor that allows a remote attacker to communicate with the machine and issue arbitrary commands. Administrators are advised to block all file attachments except those specifically required for business purposes and to apply updates as they become available.

IntelliShield published 124 events last week: 58 new events and 66 updated events. Of the 124 events, 108 were Vulnerability Alerts, six were Malicious Code Alerts, five were Security Issue Reports, two were Daily Malicious Code Summaries, one was an Applied Mitigation Bulletin, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date         New   Updated   Total
Friday         04/4/2008     12         9      21
Thursday       04/3/2008     14        16      30
Wednesday      04/2/2008      8        18      26
Tuesday        04/1/2008     12         6      18
Monday         03/31/2008    12        17      29
Weekly Total                 58        66     124


2008 Monthly Alert Totals

Month          New   Updated   Monthly Total
January        178       452             630
February       243       452             695
March          257       402             659
Annual Total   678      1306            1984


Significant Alerts for March 31–April 6, 2008

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15402, Version 2, April 4, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1472

Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that allows for the execution of arbitrary code is available. Reports indicate that attackers are actively exploiting this vulnerability. To exploit this vulnerability, an attacker must rely on user interaction. An attacker may employ social engineering tactics to convince a user to visit a malicious website by using a browser such as Internet Explorer that supports ActiveX controls. CA confirmed the vulnerability in a security response, but updates are not available.

Previous Alerts That Still Represent Significant Risk

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 3, March 31, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. This vulnerability is currently being exploited by malicious software. The vulnerability has been identified as being used by TROJ_MSJET.C, which is documented in IntelliShield Alert 15486, and Trojan.Acdropper.C, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability but software updates are unavailable.

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14951, Version 7, March 22, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0081

Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Exploit code demonstrating code execution is publicly available. Reports indicate that attackers are leveraging this vulnerability in ongoing, targeted attacks. The exploit code could be leveraged to conduct larger scale attacks. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 15092, Version 3, March 13, 2008
Urgency/Credibility/Severity Rating: 1/5/3
CVE-2008-0084

Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a DoS condition. Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
IntelliShield Vulnerability Alert 15063, Version 3, February 14, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0216

Microsoft Works File Converter contains a vulnerability when handling legacy-formatted Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates the remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 15150, Version 1, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4

F5 Networks BIG-IP contains a vulnerability in the management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability and updates are unavailable.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
IntelliShield Vulnerability Alert 15127, Version 3, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0009, CVE-2008-0010

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 15128, Version 4, March 10, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0600

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15118, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-5659

Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the affected system. This vulnerability is currently being exploited in the wild. The vulnerability has been identified as being used by Trojan.Pidief.C, which is documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Oracle Critical Patch Update January 2008
IntelliShield Security Activity Bulletin 14949, Version 3, January 23, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities affecting Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Physical

Eco-terrorism Ranked Primary Domestic Threat

The United States Federal Bureau of Investigation (FBI) has ranked militant environmentalist groups operating in the United States (U.S.) as the primary domestic terrorist threat. The most recent announcement was in response to arson involving luxury homes near Seattle, Washington. The FBI has reported 180 ongoing investigations, with eco-terrorists accounting for over 1,800 criminal acts. In related activity, several environmental groups sponsored "Fossil Fools Day" on April 1, 2008 to protest the use of fossil fuels across the U.S. The activities blocked the entrances to the Bank of America in Boston and to a North Carolina coal power plant that is currently under construction by Duke Energy.

IntelliShield Analysis: Environmental groups continue to be a major threat, with a primary focus on property damage and arson attacks to disrupt targeted developments and businesses. The majority of these attacks do not involve direct physical assaults, but activities such as tree spiking, arson, and violent protests have resulted in personal injuries and deaths. These militant groups operate with cell structures, are highly organized, and have a large online presence that is used to communicate, organize, and promote their activities. These groups have targeted a wide range of businesses for a variety of reasons related to environmental beliefs. While the majority of these attacks have occurred in the western U.S., the groups are also active in the eastern U.S. and should not be considered geographically restricted. As warmer weather sets in across the U.S., these groups are expected to increase their attacks, calling for an increased physical security posture. Businesses should establish and maintain close communications with local and federal law enforcement to monitor these groups' activities and respond to targeted attacks.

Legal

IBM Temporarily Unable to Seek New Business From Government Agencies

IBM was provisionally barred from acquiring new business with the Federal Government of the United States (U.S.) due to a current investigation involving a 2006 contract bid with the Environmental Protection Agency (EPA). IBM and some specific employees have been subpoenaed to a grand jury that is requesting documents and testimony. As of April 4, 2008, IBM and the EPA reached an agreement that lifts the company's ban on seeking new business with the Federal Government. IBM has agreed to suspend five employees, withdraw from the procurement in question, and pay EPA costs that are associated with protesting the contract.

IntelliShield Analysis: A significant portion of IBM's business is with U.S. federal agencies, which would have made this suspension damaging had a resolution not been reached. The EPA was able to quickly draw attention to its concern over IBM's alleged wrongdoing and elicit a reaction, indicating that serious infractions may have occurred. Organizations regularly doing business with the U.S. government or other agencies that impose strict business conduct rules are advised to monitor this case as it develops. Proper training and firm employee codes of conduct that are regularly reviewed and acknowledged by employees doing business in those sectors are important for effectively managing the risk of legal action or lost business in the face of such suspensions.

Trust

Automotive Parts Retailer and Ski Resort Suffer Payment Card Intrusions

Advance Auto Parts recently reported that payment card data from nearly 56,000 customers across 14 individual stores in Georgia, Indiana, Louisiana, Mississippi, New York, Ohio, Tennessee, and Virginia had been exposed. A Vermont ski area, Okemo Mountain Resort, also reported the exposure of 40,000 customer payment card details during the time period. A spokeswoman for Okemo Mountain Resort noted that the stolen information was captured in real-time, as the transactions were taking place.

IntelliShield Analysis: Intrusions into retailer networks are not new developments, but recent exposures have become more widely publicized. While the banks, payment card companies, and retailers are currently bearing most of the burden, they may not be able to do so indefinitely. As responsible dialog surrounding intrusions increases, customers may strengthen pressure on the payment card industry through calls for legislation or grassroots action. Organizations that proactively improve information security may be best positioned to retain customer trust, meet current industry standards, and be prepared to support future customer or legislative requirements.

Identity

Biometric Logging Application Demonstrates System Flaws

A new biometric identification attack tool called biologging is beginning to expose some flaws in the use of biometric security systems. A researcher recently demonstrated the use of this tool to collect biometric information that is transmitted insecurely, without encryption, on internal networks. By monitoring network traffic, an attacker could capture biometric identification credentials.

IntelliShield Analysis: The biologging tool demonstrates the necessity of transport security for all data that transits networks, especially information such as biometric identification. The recent publication of two German officials' fingerprints further demonstrates the targeting of biometrics and the importance of protecting the technology in all its forms. Sites that use biometric systems to control access to physical and electronic resources are advised to use encryption and network separation to secure the transmission of identification information, even over secured, internal networks. The compromise of biometric information may be even more dangerous than that of password information. While personal identification numbers (PINs), passwords, and smartcard certificates are easily changed if the information is recovered or stolen, biometrics cannot be changed and may be in use across multiple sites.

Human

There was no significant activity in this category during the time period.

Geopolitical

International Cybercrime Guidelines Debated

Participating countries are considering guidelines for international cooperation on fighting Internet crime during the Council of Europe's 2008 Conference on Cybercrime in Strasbourg, France. The movement to intensify cooperation has gained momentum following the massive denial of service attacks in 2007 against communications networks in Estonia, which is one of the countries leading the initiative. The guidelines would build on an existing international treaty. Under the proposal, participating countries would be asked to improve communication and information sharing between ISPs and government agencies, including across national borders.

IntelliShield Analysis: Privacy advocates who feel that commercial service providers could be pressed into policing their users by government authorities may resist the proposed guidelines. Moreover, questions of legal liability will vary across national borders. An attractive aspect of the proposal is a standard format for information requests and exchange that could assist in the collection of information. Overall, while the current proposal may never be enacted, the initiative is part of a necessary evolution toward establishing a framework for order and legality in the Internet frontier.

Upcoming Security Activity

Microsoft Security Bulletin Update for April: April 8, 2008
RSA 2008: April 7–11, 2008
HITBSecConf2008: April 14–27, 2008
SANS 2008: April 18–25, 2008
ToorCon Seattle 2008: April 18–20, 2008
RSA Conference Japan: April 23–25, 2008
CSI SX 2008: April 27–May 2, 2008
EDUCAUSE Security 2008: May 4–6, 2008


Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following events:

Easter (Eastern): April 27, 2008


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
