May 5–11, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

In comparison to previous time periods, this week was relatively slow for vulnerability activity. However, a critical PHP version update will impact most organizations and web site operators, and large-scale SQL injection attacks against web servers occurred during the period.

PHP released an updated version that addresses at least four new vulnerabilities and one previously disclosed vulnerability. These vulnerabilities could allow a remote attacker to cause a denial of service condition, bypass security restrictions, or potentially execute arbitrary code. In addition to addressing vulnerabilities in its own software, the updated version of PHP also updates its bundled version of Perl Compatible Regular Expressions (PCRE). Many Linux-based operating systems come bundled with PHP and will likely release updated software to address these vulnerabilities. Additionally, administrators should review any PHP applications to ensure they will be compatible with the updated release.

Microsoft released the Microsoft Security Bulletin Advance Notification for May 2008. Microsoft scored three of the four bulletins scheduled for release on May 13 with a maximum severity rating of critical. The remaining bulletin has a maximum severity rating of moderate. The bulletins address vulnerabilities in Microsoft Jet Database, Microsoft Word, Microsoft Publisher, and security software products.

Massive SQL injection attacks against web servers have occurred during this time period, and reports indicate that as many as 500,000 web pages may have been compromised. These types of attacks are becoming more common as websites increasingly use back-end databases to improve site functionality. The attacks are often the result of insecure software development that lets malware authors take advantage of improper input sanitization to perform SQL injection attacks. Compromised sites contain embedded code that infects visitors with additional malware. Reports indicate that a password-stealing trojan may be installed as a result of visiting these compromised sites. Administrators are advised to review their website log files to determine whether their site contains the malicious code, and to remove the code so that future visitors will not be infected. Administrators are also advised to perform code reviews to ensure that data is properly sanitized before it is passed to the database and that code elements cannot be stored. As always, administrators should also install all appropriate updates.

Better Business Bureau (BBB) e-mails have been circulating this week that attempt to install a backdoor trojan on the victim's machine. The e-mail may appear to be from the BBB, and the subject line contains a BBB complaint case number. The recipient is instructed to click on a link to download a copy of the complaint for their records. If the user follows the link in the e-mail, the user is shown a prompt stating that Internet Explorer and ActiveX are required for the download to succeed. If the user chooses to enable the ActiveX control, the website installs a backdoor trojan, acrobat.exe, on the user's system. These e-mails are known to be targeted at higher-level executives within an organization in order to gain greater access. Heavy user interaction is required for this infection to succeed: the user must click the download link within the e-mail and choose to allow the ActiveX content to run on their system. Administrators should warn all users of the organization to avoid such e-mails and remind users not to follow links that cannot be verified.

IntelliShield published 98 events last week: 34 new events and 64 updated events. Of the 98 events, 88 were Vulnerability Alerts, four were Security Issue Alerts, three were Daily Malicious Code Summaries, one was a Security Activity Bulletin, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
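The SQL injection item above gives administrators two tasks: review web server logs for signs of the attacks, and review code so that request data is sanitized before it reaches the database. The following Python script is an added example, not part of the Cisco report, that works through both on constructed data. The first part scans constructed Apache-style access log lines and flags requests whose decoded query string contains SQL syntax; this is a heuristic triage filter for log review, not proof of compromise. The second part contrasts a string-concatenated query with a bound-parameter query against an in-memory SQLite table, bound parameters being the usual way to meet the sanitization requirement the report describes. The log lines, IP addresses, table contents and function names are all constructed for this example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit

# --- Part 1: reviewing web server logs for injection attempts -------------

# Constructed Apache combined-format lines (sample data, not from the report).
# The last two requests carry SQL syntax in their query strings.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2008:10:01:12 +0000] "GET /news.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [06/May/2008:10:01:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [06/May/2008:10:02:03 +0000] "GET /news.php?id=42+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.8 - - [06/May/2008:10:02:45 +0000] "GET /login.php?user=%27+OR+%271%27%3D%271 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

# Fields of one combined-format line that matter for triage.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of SQL syntax inside a query string. Every hit needs a
# human look; legitimate parameters occasionally contain these tokens too.
SQL_INDICATORS = re.compile(
    r"union\s+select|declare\s+@|exec\s*\(|cast\s*\(|'\s*or\s+|;\s*(drop|insert|update|delete)\b|--|/\*",
    re.IGNORECASE,
)


def scan_access_log(text):
    """Return one dict per request whose decoded query string looks like SQL."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        if not query:
            continue  # static pages with no parameters carry no injection surface
        decoded = unquote_plus(query)  # %27 -> ', + -> space, etc.
        ind = SQL_INDICATORS.search(decoded)
        if ind:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"),
                         "indicator": ind.group(0).strip()})
    return hits


# --- Part 2: the code-review point, shown on an in-memory SQLite table ----

def make_db():
    """Constructed two-row table standing in for a site's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "editor"), ("bob", "admin")])
    return conn


def lookup_user_unsafe(conn, username):
    # Before: the request value is pasted into the statement, so SQL syntax in
    # the value rewrites the query. This is the defect class the report describes.
    cur = conn.execute("SELECT name FROM users WHERE name = '" + username + "'")
    return [row[0] for row in cur]


def lookup_user_safe(conn, username):
    # After: a bound parameter is sent as data and cannot alter the statement.
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("review:", hit)
    db = make_db()
    crafted = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, crafted))  # every row comes back
    print("safe:  ", lookup_user_safe(db, crafted))    # no such user
```

Running the script flags the two constructed requests from 198.51.100.7 and 198.51.100.8 and leaves the clean ones alone; the unsafe lookup returns both users for the crafted value, while the parameterized lookup returns nothing, which is the behavior a code review should be checking for in every place request data meets a query.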
Previous Alerts That Still Represent Significant Risk

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products, affecting Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Windows GDI File Name Parameter Vulnerability
Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that allows for the execution of arbitrary code is available. Reports indicate that attackers are actively exploiting this vulnerability. To exploit this vulnerability, an attacker must rely on user interaction. An attacker may use social engineering tactics to convince a user to visit a malicious website using a browser, such as Internet Explorer, that supports ActiveX controls. CA confirmed the vulnerability in a security response, but updates are not available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by TROJ_MSJET.C, as described in IntelliShield Alert 15486, and by Trojan.Acdropper.C, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a DoS condition. Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The event data, which was captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Reader and Acrobat Security Update 8.1.2
Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Physical

Current CCTV Implementation Plagues Britain
Scotland Yard has issued a statement describing Britain's current CCTV system as ineffective in deterring and solving crimes. In an effort to correct the current problems, the Yard is hoping to incorporate new software that would assist investigators in tracking suspects based on their clothes in cases where facial features are obscured. Detective Chief Inspector Mick Neville has indicated that police forces have not been properly trained in using the equipment or in how to use the evidence in court, adding to neglect of the system.

Legal

Investors File Lawsuits Against Yahoo
Two pension funds that have large investments in Yahoo stock have filed lawsuits against the company and its corporate board of directors. The lawsuits state that the board of directors failed to take the shareholders' best interests into consideration when rejecting the recent Microsoft purchase bid, which has since been withdrawn. The bid would have provided shareholders with a 62% gain on their stock interests. The two lawsuits are being combined into a single class action suit.

Russia Tightens Restrictions on Foreign Investment
In one of his final acts in office, outgoing Russian President Vladimir Putin signed legislation that placed new restrictions on foreign investment. The law, aimed primarily at protecting Russia's energy resources, requires government approval for companies in strategic sectors with foreign ownership greater than 50 percent. Among others, these sectors include fixed and mobile communications, aerospace and defense industries, and major media organizations. In addition, any proposed ownership greater than 25 percent that includes a foreign government will require review. Russia's IT and Communications Ministry successfully blocked the inclusion of Internet service providers, arguing that the growing sector needs foreign capital and expertise to compete in the global marketplace.

IntelliShield Analysis: From a positive standpoint, the new Strategic Sectors law clearly indicates which industries undergo close monitoring, while incoming president Dmitri Medvedev has committed to upholding Russia's current laws. This commitment should provide foreign investors with a visible framework. However, some experts have expressed concern over Russia's notoriously subjective enforcement of laws, suggesting that some potential investors may consider waiting until the new Medvedev administration has had ample opportunity to set the tone for the coming decade, especially considering that Prime Minister Putin has been selected as the chairman of the new commission that will review potential foreign acquisitions.

Trust

Mozilla Vietnamese Language Pack Infected
The Mozilla Firefox browser Vietnamese Language Pack Version 2.0 contained malicious code within all .xhtml files. The file was scanned with anti-virus products and uploaded to the Firefox servers on February 18, 2008, but the malicious code was not detected until May 6, 2008. The inclusion of the malicious code was likely the result of an infected host on the contributor's network and not a deliberate attempt to sabotage Firefox users. The malicious code is the result of a virus, but is not the virus itself. The infection causes nuisance-type banners to be displayed but cannot propagate. The affected files have been removed from the Firefox servers, and Mozilla.org states that it will implement after-the-fact scans in hopes of preventing a recurrence of this sort of malicious code event. Mozilla.org has said that anyone who downloaded the most recent Vietnamese language pack from February 18, 2008, is vulnerable. Initial estimates indicate 16,667 total downloads have taken place.

IntelliShield Analysis: Users should remain conscious of the risk involved with Open Source and non-commercial software that is often supplied and modified by unknown contributors. Open Source software is widely used and much of it can be downloaded from multiple sources; however, the insertion of code into the Vietnamese language pack raises questions about the trustworthiness and diligence of those sites, and about inherent limitations of anti-virus products. While the Open Source community and its advocates may downplay the impact of this particular event because a comparatively small number of users may be affected, it highlights the potential for widespread impact if a similar infection were overlooked in software with greater distribution. It remains advisable to avoid the contributions of unknown developers, refrain from using untrustworthy download hosts, and perform additional anti-virus scanning of downloaded software. In addition, the incident reinforces the need to update anti-virus products regularly and to perform full scans of the system for potential infections that were not identified during previous scans. Some antivirus vendors detect the malicious code as Xorer.O, as described in IntelliShield alert 15284.

Identity

Crimeware Server Steals Business and Personal Information
Finjan, a security firm based in San Jose, CA, discovered a server storing compromised information from 40 different global businesses. The crimeware server contained 1.4 gigabytes of information that was stolen using two backdoor trojans. The crimeware server also contained 5,388 log files. The server used a botnet command and control application to gather the information, which included patient information, e-mail addresses, and financial data. The information was stored in plain text, available to anyone who accessed the server.

Human

Safari Market Share Increase Leveraged by Existing Installations
New statistics indicate recent growth in the market share of Apple Safari on Windows. This growth follows the controversial distribution method of including the Safari browser in the Apple Software Update service on Windows, which auto-updates other existing applications such as QuickTime. By prompting users repeatedly to install the additional software, the distribution method appears to have succeeded in increasing the Safari browser's market share.

IntelliShield Analysis: The rapid growth in the market share of Safari may represent a troubling development in the distribution of software, often referred to as nagware. Based on the apparent success, other software vendors may follow this trend and attempt to install new software alongside existing installations. Many products now include auto-update features for maintaining current versions and patch levels, which have contributed to improving the security of systems. The risk of this distribution method being compromised with unwanted or unauthorized software should be a major concern to IT and security staffs. If this method is exploited for marketing purposes, users, IT departments, and security staff may disable the feature or disregard the updates. This may cause the users or departments to reconsider the use of the auto-update features.

Geopolitical

Competing Satellite Navigation Systems Fill the Skies
The People's Republic of China plans to launch an Asia-wide satellite navigation system by 2010. The system, known as Beidou/Compass, already has four satellites in orbit. According to the China Satellite Navigation Project Center, the system ultimately will boast a network of 30 satellites in medium Earth orbit plus 5 geostationary satellites. It will be available for public use but will include an encrypted channel for military applications. The system is expected to be compatible with Europe's Galileo global positioning system, in which China is a major investor. The Beidou/Compass system, when it goes global, will join not only the U.S.-owned Global Positioning System (GPS), but also Europe's oft-delayed Galileo satellite navigation system and Russia's aging GLONASS.

IntelliShield Analysis: China's plans, and in particular the relative lack of detail provided given the near-term launch date, have alarmed some observers. Although Chinese authorities have spoken of their intent to make the system interoperable with GPS and Galileo, frequencies have yet to be coordinated. Japan, which is working on a satellite navigation system of its own, has expressed concern over China's military intentions. Japanese authorities want China to be more forward-leaning about coordinating with them, given that Japan would fall within the range of the Beidou/Compass system. In the long run, these redundant systems probably buttress global security by ensuring that no single superpower can control access to satellite navigation, and by making the job harder for any attackers aiming to cripple global navigation systems.

Upcoming Security Activity

Microsoft Security Bulletin Update for May: May 13, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.