Cyber Risk Report

May 18–24, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability levels continued to increase from previous weeks. Activity this week was highlighted by the continued exploitation of a vulnerability in Microsoft PowerPoint, which is reported in IntelliShield Alert 17966. Additionally, a new Unicode character processing vulnerability in Microsoft Internet Information Services, which is reported in IntelliShield Alert 18261, raises risks similar to those posed by previous web server compromises and the malicious code that exploited them.

In malicious code activity, the Gumblar malicious code continued to infect a growing number of web servers. According to researchers, the malicious software, which is described in IntelliShield Alert 18286, accounted for 42 percent of Internet infections over a one-week period.

IntelliShield published 112 events last week: 51 new events and 61 updated events. Of the 112 events, 91 were Vulnerability Alerts, six were Security Activity Bulletins, nine were Threat Outbreak Alerts, two were Security Issue Alerts, two were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        05/22/2009     7         8      15
Thursday      05/21/2009    11         9      20
Wednesday     05/20/2009    10        13      23
Tuesday       05/19/2009    11        14      25
Monday        05/18/2009    12        17      29
Weekly Total                51        61     112


Significant Alerts for May 18–24, 2009

Microsoft Internet Information Services WebDAV Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 2, May 19, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests: a request path that is checked against access restrictions in one encoded form can decode to a different path by the time the request is served. An exploit could allow the attacker to bypass those restrictions and download arbitrary files from the targeted system. Exploit code is available.
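The following is an added illustration of the class of bug described above, written for this report's readers; it is not code from the report, from Microsoft, or from IIS. It models an authorization check made on the raw request path while the file is served from a leniently decoded path, shows the strict decoding that closes the gap, and runs the same check over a few constructed log lines. The protected prefix, the log lines, and the use of the overlong two-byte encoding %c0%af (the widely reported trigger for this bug) are assumptions for illustration.

```python
"""Percent-decoding and canonicalization check for request paths (added example).

Not code from the report or from Microsoft IIS. Models the bug class: an
authorization decision on the raw request path while the file is served from
a differently decoded path. PROTECTED_PREFIX, SAMPLE_LOG and the %c0%af
trigger are assumptions for illustration.
"""
from urllib.parse import unquote_to_bytes

PROTECTED_PREFIX = "/protected/"   # assumed directory that requires authentication


def lenient_decode(raw_path):
    """Model of a decoder that accepts overlong UTF-8 (the flawed behaviour).

    Any 2-byte sequence 110xxxxx 10xxxxxx is accepted, so C0 AF becomes '/'
    even though '/' must be encoded as the single byte 2F.
    """
    data = unquote_to_bytes(raw_path)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")      # anything else: replacement character
            i += 1
    return "".join(out)


def strict_decode(raw_path):
    """Percent-decode, then require shortest-form UTF-8; returns None on failure.

    Python's UTF-8 codec rejects overlong sequences such as C0 AF, so a
    request cannot smuggle a '/' past the prefix check.
    """
    try:
        return unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return None


def authorize_flawed(raw_path):
    """Checks the raw string but serves the leniently decoded path."""
    needs_auth = raw_path.startswith(PROTECTED_PREFIX)
    return needs_auth, lenient_decode(raw_path)


def authorize_fixed(raw_path):
    """Decode strictly first, then decide on the canonical path."""
    path = strict_decode(raw_path)
    if path is None or "/../" in path + "/":
        return "reject", None
    return ("auth" if path.startswith(PROTECTED_PREFIX) else "public"), path


# Constructed log lines (W3C-style fields: date time client method uri status)
SAMPLE_LOG = """\
2009-05-19 10:01:02 10.0.0.5 GET /public/index.html 200
2009-05-19 10:01:09 10.0.0.5 PROPFIND /protected%c0%afsecret.txt 207
2009-05-19 10:02:30 10.0.0.9 GET /protected/caf%c3%a9.txt 401
"""


def scan_log(log_text):
    """Return the URIs whose percent-decoded bytes are not valid UTF-8."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and strict_decode(fields[4]) is None:
            flagged.append(fields[4])
    return flagged


if __name__ == "__main__":
    probe = "/protected%c0%afsecret.txt"
    print("flawed:", authorize_flawed(probe))   # no auth required, yet serves /protected/secret.txt
    print("fixed: ", authorize_fixed(probe))    # rejected before any decision is made
    print("log:   ", scan_log(SAMPLE_LOG))
```

The fix is ordering, not filtering: decode once, strictly, into a canonical path, and make every access decision on that path. Rejecting requests whose decoded bytes are not valid UTF-8 is also a cheap detection rule for proxy and server logs, since legitimate clients do not send overlong encodings.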

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0556

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 2, May 4, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1492

Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 11, April 24, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

Risks in the United States Global Positioning System

Experts are concerned about degraded performance following reports that replacement satellites have not yet been deployed to address satellites in the United States Global Positioning System (GPS) that are near the end of their life expectancy. A newly deployed satellite is also experiencing difficulties and may not be fully operational. Besides U.S. civilians and the military, much of the world relies on the U.S. GPS system for services ranging from navigation to supply chain tracking to flight navigational information. Read More

IntelliShield Analysis: If a decline in service occurs, any or all reliant services will be at risk. Although a U.S. naval spokesman claims that the government will be able to maintain the necessary operational set of 24 satellites (31 satellites are currently in operation), any given satellite could fail before it is replaced. The government could also experience problems and delays with new deployments. As with all critical systems, organizations are advised to consider alternate business continuity and disaster recovery options to address this risk.

Legal

Examining Business Privacy Challenges in the Cloud

A recent University of Cambridge report found that many social networking sites were not actively removing photos that users had deleted. The author argues that failing to remove personally identifying information violates the European Union (EU) Data Protection Directive of 1995. Because the directive requires that users have access to all stored data about themselves, an additional violation may occur if the data is marked as deleted but not actually removed. Read more

IntelliShield Analysis: While these theories have not been tested in the courts, they introduce interesting conversations about the technology of cloud computing, which is not inherently insecure. However, organizations must carefully consider the implications of massively scalable design, storage, and computing, especially if those services are outsourced to cloud providers and are not directly under company control. Businesses are faced with the challenge of ensuring that all copies of data throughout the cloud infrastructure fall under the appropriate policies. For these reasons, organizations are advised to consider the legal ramifications of computing across both national and international boundaries.

Trust

MasterCard Mandates Smart Card Differential Power Analysis Protection

Following settlements over losses that were incurred in the well-publicized data breaches at TJX and Heartland Payment Systems, MasterCard continued to reduce its exposure to another form of criminal activity: defeating the cryptography of smart cards through Differential Power Analysis (DPA). Because a criminal does not need to know the specific design of a card reader, DPA attacks on smart cards are both difficult to detect and device agnostic. MasterCard is now requiring vendors of smart cards and associated peripherals to employ a specific countermeasure technology that is designed to thwart DPA attacks.
Read more
Additional Information

IntelliShield Analysis: Valid credit and debit card numbers remain a key cyber crime currency, and their continued theft is driving increased adoption of technology that is capable of protecting financial institutions from unauthorized usage and the resulting losses. Technologies that establish trust that a transaction is legitimate are effective only as long as a method to defeat them is not widely available. MasterCard's standardization on a countermeasure should help protect all parties that are involved in the transaction, provided that the technology has been deployed end-to-end. Inevitably, this contest between criminals and financial institutions will continue to escalate, and institutions must remain vigilant on a number of fronts.

Identity

There was no significant activity in this category during the time period.

Human

Facebook Implements OpenID Standard

The Facebook social networking website recently implemented OpenID authentication support as a relying party, which allows users to register for and log in to Facebook with credentials issued by another OpenID provider. Read More

IntelliShield Analysis: The move could prove beneficial to Facebook because users could be more inclined to use the service if they aren't forced to manage separate sets of authentication credentials. However, OpenID may represent a single point of failure for operations and security on the web. Although individual sites may be highly available, the failure of an OpenID provider prevents users from accessing the many websites that depend on it. Security concerns also exist, as the compromise of a single set of user credentials may affect multiple websites. Additionally, if users become accustomed to entering credentials into sites that claim to be related to OpenID, phishing attacks against OpenID may be more likely to succeed. As a result, users may find OpenID suited for use on social networking and blog sites but retain separate credentials for online banking or shopping sites that host more sensitive information.

Geopolitical

India Votes for Stable Growth

Indian voters recently delivered a decisive verdict in nationwide parliamentary elections. Although most analysts predicted the return of another unlikely coalition of widely differing parties, the ruling Congress Party led by Prime Minister Manmohan Singh returned 206 out of 543 seats, which allowed the party to comfortably establish a ruling alliance with compatible goals. India's Sensex stock index surged on news of the elections, which has now contributed to a 70 percent rise in the index since March 2009. Many experts believe this increase reflects broad optimism about an era of solid growth and necessary economic reforms.
Read more
Additional Information

IntelliShield Analysis: One of the new government's most pressing tasks will be delivery of basic services, such as potable water and electricity, to India's rural areas. There are also ambitious plans to extend Internet connectivity to millions of Indians who are not yet online. The incoming government will attempt to improve these services while forging a modern legal and communications network infrastructure. Unfortunately, bureaucracy, corruption, and terrorism pose major obstacles. Riots in India's northern region of Punjab only underscored the country's need for unity and stability. Fortunately, the new government has a clearer mandate now than at any time in recent memory.

Upcoming Security Activity

NANOG46: June 14–17, 2009
Cisco Live: June 27–July 2, 2009
21st Annual FIRST Conference: June 28–July 3, 2009
International ISACA Conference: July 19–22, 2009
Black Hat Training and Briefings: July 25–31, 2009
DEFCON: July 31–August 3, 2009
18th USENIX Security Symposium: August 12–15, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

20th Anniversary of Tiananmen Incident (China): June 4, 2009
Lebanon Parliamentary Elections: June 7, 2009
Iran Presidential Elections: June 12, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
