May 14–20, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased this period, following similarly heightened activity last period. The increased activity was highlighted by another large security update from Apple, this time for QuickTime to correct multiple vulnerabilities, and by multiple updates from HP and MontaVista for previously reported vulnerabilities. Other highlights included security advisories and updates for Google Chrome 19, from Symantec for multiple vulnerabilities in Web Gateway, and from RealNetworks for RealPlayer. Cisco released IntelliShield alert 25939, detailing a Cisco ASA 5500 Series Adaptive Security Appliance Cut-Through Proxy Authentication Information Disclosure vulnerability, and updated IntelliShield alert 14480, for a Unified MeetingPlace Login Screen Cross-Site Scripting vulnerability, with additional security response details.
Threat activity included the reporting of proof-of-concept exploit code for multiple vulnerabilities in the Linux kernel; a denial of service vulnerability in RealNetworks RealPlayer; multiple remote vulnerabilities in Pro-Face Pro-Server EX; an Adobe Photoshop arbitrary code execution vulnerability; a denial of service vulnerability in Wonderware Archestra SuiteLink; an arbitrary code execution vulnerability in the VMware ESX and ESXi VMX process; a buffer overflow vulnerability in Oracle WebLogic Server; and a heap overflow vulnerability in OpenSSL ASN.1. Multiple web infection campaigns were identified and reported during the period: first, Wikipedia serving malicious advertising, and second, Zscaler research on the volume of popular websites infected with malicious advertising, JavaScript, and iFrame infections.

IntelliShield published 171 events last week: 65 new events and 106 updated events. Of the 171 events, 123 were Vulnerability Alerts, 12 were Security Activity Bulletins, one was a Security Issue Alert, 33 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

[Table: Weekly Alert Totals]
Significant Alerts for May 14–20, 2012

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
PHP contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a denial of service (DoS) condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. PHP has confirmed this vulnerability and released updated software. Red Hat has released a security advisory and updated software.

Previous Alerts That Still Represent Significant Risk

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, and HP have released security advisories and updates.

Oracle Java SE Critical Patch Update February 2012
Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP, and Apple have released security bulletins and updated software. Red Hat and HP have released additional security advisories and updated packages.

Samba Marshaling Code Remote Code Execution Vulnerability
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. If successful, the attacker could execute arbitrary code with root-level privileges. Samba, Apple, FreeBSD, Red Hat, and Oracle have released security advisories and updates.
PHP Hash Collisions Fix Regression max_input_vars Arbitrary Code Execution Vulnerability
PHP 5.3.9 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on the affected system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apple has released a security advisory and updated software.

Multiple Products Hash Collisions Denial of Service Vulnerability
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, Oracle, HP, and Apple have released security advisories and updates.

Microsoft Windows, Office, and Silverlight TrueType Font Parsing Remote Code Execution Vulnerability
Microsoft has released an additional security advisory and software updates to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.

Adobe Flash Player Object Confusion Arbitrary Code Execution Vulnerability
Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. At the time of publication, reports indicate exploitation is ongoing in the wild.

EXIM Mail Transfer Agent Arbitrary Configuration Loading root Privilege Escalation Vulnerability
EXIM has released a changelog and updated software to address the mail transfer agent arbitrary configuration loading root privilege escalation vulnerability. Exploitation of this vulnerability has been observed in conjunction with exploits for a vulnerability detailed in IntelliShield Alert 22051 (CVE-2010-4344). The vulnerability described by CVE-2010-4344 grants an unauthenticated, remote attacker exim privileges. The combination of these two vulnerabilities could allow an unauthenticated, remote attacker to gain root privileges on an affected system.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. FreeType.org has confirmed this vulnerability in the git repository, and software updates are available. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Oracle has released a security advisory and updated software.

Oracle Database Server TNS Listener Remote Registration Vulnerability
Oracle Database Server contains a vulnerability that could allow an unauthenticated, remote attacker to modify configuration parameters on a targeted system. Oracle has released a security advisory and patches to address the Oracle Database Server TNS listener remote registration vulnerability. Proof-of-concept code that demonstrates this vulnerability is publicly available.

Microsoft .NET Framework GraphicsPathIterator Validation Arbitrary Code Execution Vulnerability
Microsoft .NET Framework contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are available. Proof-of-concept code to exploit the Microsoft .NET Framework parameter validation arbitrary code execution vulnerability is publicly available.
Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability
The Microsoft MSCOMCTL.OCX ActiveX control contains a vulnerability that could allow an unauthenticated, remote attacker to execute code on a vulnerable system. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and has released updated software.

Multiple versions of Oracle Java Runtime Environment (JRE) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is publicly available. Oracle has confirmed this vulnerability and released software updates. Red Hat, HP, and Apple have released security advisories. Red Hat has released an additional security advisory and updated packages.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability, and software updates are not available. The vulnerability is due to a regression error introduced with the vulnerability CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available. HP has released a security bulletin and updated software to address the Apache HTTP Server reverse proxy rewrite URL validation vulnerability. Oracle has released an additional security advisory and patches.

Physical

Exposed Surveillance Camera Access

Researchers released information on potential vulnerabilities in three of the most popular closed-circuit surveillance cameras that include Internet access. The camera systems often enable Internet access by default and may contain weak passwords that can allow a remote attacker to gain access to the video feeds. These camera systems are widely used across multiple business sectors, are relatively easy to identify on the Internet using search engines, and allow remote access from virtually anywhere in the world when not configured securely.

IntelliShield Analysis: Following up on a report from last week that elaborated on the continually growing use of surveillance systems, the exposure of these insecure settings changes the scenario: organizations attempting to improve the monitoring of sensitive sites instead end up exposing the activity at those sites. We have previously reported on similar security concerns with home security systems that include Internet access, and on other video system vulnerabilities that potentially expose the video feeds to unauthorized access and monitoring. Organizations should ensure these systems are configured securely and updated as needed, and should check configuration settings regularly to ensure they have not been compromised or exposed. Organizations should also include these systems in their penetration and vulnerability assessments and testing.

Legal

SEC Guidance Updated for Risk, Theft, and Attack Reporting

The U.S. Securities and Exchange Commission has issued new guidelines calling for publicly traded companies to report significant cyber theft and attack events, or changes in material risk from such events. Risk reporting has been in place, but the new guidelines go further to require companies to report cyber security events, which, as the SEC described, will "allow the market to evaluate companies in part based on their ability to keep their networks secure."

IntelliShield Analysis: These new guidelines are a hot topic of debate in corporate America. While the previous guidelines required material risk reporting, and a few companies including Intel and Google have reported compromises of their systems, the result has largely been non-specific statements of risk in SEC filings. The new guidelines require companies not only to assess the risk of such events, but also to report specific events. The new guidelines are intended to increase transparency; however, they also increase the likelihood of lawsuits or SEC enforcement actions if companies fail to report the events.

Trust

Avira Update Blocks Legitimate Applications

Avira, a company that makes antivirus security software, released Service Pack 0 (SP0) for Avira Version 2012. The update is for its Avira Professional Security, Avira Internet Security 2012, and Avira Antivirus Premium 2012 products. Part of SP0 was an update to its ProActiv monitoring system. According to user reports, the update caused ProActiv to block most .exe files as well as other files critical to the Windows operating system, crippling the systems. Avira released an advisory along with an additional update that disables the ProActiv monitoring feature.

IntelliShield Analysis: Avira is not the first security company to release a faulty update. Other companies have had similar cases where an update prevented user systems from functioning properly, which underscores the need to test updates before applying them to critical systems or deploying them across the enterprise. Administrators should also have a disaster recovery plan ready in case a critical system goes offline unexpectedly.

Identity

Personal Data Breaches Make the News (Again)

Another week, another breach of purportedly secured personal and financial data. In one instance, the data was available for more than a decade. Also in the news, government employees who were trusted with private citizen data illegally accessed that data. These types of stories have become so common that people begin to ignore the consequences that may occur if they become a victim. Information gleaned from public sources such as genealogy research sites and public birth records can be combined with leaked or stolen information to perform social engineering attacks that completely compromise a person's identity.

IntelliShield Analysis: The days of eliminating exposure to identity theft by not having online access to financial accounts and records are long gone. Whether we like it or not, we as individuals are very dependent on the information security practices of businesses and government entities for the protection of our personal data. As more records become correlated, our personal information becomes even more accessible. It is incumbent upon each individual to make identity theft awareness and protection a personal responsibility, with the knowledge that this responsibility is not entirely within their own domain of control. This means that personal action is called for, such as periodically checking your own credit report. Persons living in the United States should take advantage of the free annual credit report from each of the three major credit reporting agencies. By staggering requests throughout a year, a credit report can be obtained at no cost every four months. There are anti-identity theft services available for a fee, but they do little more than what an individual can do at no cost by themselves. When answering security questions on a website, no publicly available information should be used, or those questions should be answered with incorrect information and the answers stored in a secure encrypted repository.

Human

Bio-Hazard Tweet Triggers Cruise Ship Incident

A neurosurgeon aboard a cruise ship to give a presentation on his diet plan unexpectedly faced FBI agents and Homeland Security officials because a falsified Twitter account using the doctor's name sent a threatening tweet about a bio-hazard. Although no threat was found, and the investigation determined the tweet came from the parody account, the doctor was removed from the ship while the investigation continued.

IntelliShield Analysis: We have previously discussed the rapid growth and increased monitoring of social media by government and security organizations, although in this case the tweet was reported by a private individual who saw the threatening message. Although organizations and celebrities are familiar with brand protection practices, most individuals would not likely consider it applicable to themselves. The growth of social media has increased the risk of malicious activity, including being impersonated, which not only reflects poorly on the individual but also garners the attention of law enforcement officials. While this would not likely impact most individuals, social media users should take precautionary measures to help protect their accounts, including conducting a name search to identify potentially malicious activity from imposters.

Geopolitical

There was no significant activity in this category during the time period.

Upcoming Security Activity

World IPv6 Launch: June 6, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

NATO Summit (Chicago, IL): May 20–21, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk.
Cisco reserves the right to change or update this document at any time.