Cyber Risk Report

May 21–27, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period decreased, and the highlights consisted largely of additional vendor updates for previously reported vulnerabilities. Google released the May 2012 update to the Chrome stable channel, which installs automatically for Chrome users; it corrected multiple vulnerabilities, including two that Google rated critical and 14 rated high. Multiple vulnerabilities were corrected in updates for Wireshark. Red Hat released multiple security advisories and updates for the Linux kernel, Apache, and Tomcat. Symantec reported multiple vulnerabilities that affect its end-user products and its web gateway.

Yahoo! reported a vulnerability in the Axis browser extension for Chrome: the extension package shipped with the private key of the certificate used to sign it. Anyone holding that key could sign a malicious extension so that it appeared to be a trusted Yahoo! release. The lesson for anyone who publishes signed software is that signing material must never be packaged alongside the artifact it signs.

A new local privilege escalation vulnerability in Microsoft Windows XP was reported; Microsoft has not released an advisory or software updates. New proof-of-concept exploit code was released for an HP StorageWorks vulnerability originally reported in IntelliShield Alert 24581 in November 2011. An HP advisory and software updates have been available since that time, so systems that applied them are not exposed to the new code.

Researchers released new information about tethered and untethered jailbreaks for the latest Apple iOS versions. A jailbreak removes the controls Apple places on the device, and with them the protection those controls give against malicious third-party applications. Users should weigh these risks before jailbreaking an iOS device, and organizations should consider policies and technical controls (for example, detecting jailbroken devices before granting them access to corporate resources) that address them.

Cisco Remote Management Services has identified increased threat activity associated with the ZeroAccess rootkit and the Blackhole and Bleeding Life exploit kits. As reported last week, research and metrics from Zscaler and Shadowserver show an increasing number of legitimate websites that have been compromised to serve infections. Users should ensure their browsers and browser plug-ins are updated and all available security features are enabled to detect and prevent exploits delivered from compromised websites.

McAfee released its analysis of the threats and activity identified during the first quarter of 2012. The report describes what McAfee called the "busiest quarter in recent history," a reversal of the general decline in threats seen at the end of 2011. The full report is available in PDF format at McAfee Threats Report: First Quarter 2012.

Google and researchers reported some details of the attacks used to win the Pwnium contest. The information released so far shows how the attackers chained a series of individually minor vulnerabilities, each adding a little access or control, until they had full control of the system. These reports bear on the common practice of delaying software updates for vulnerabilities rated low risk: such a rating is assigned to each vulnerability in isolation and does not account for what an attacker can do with several of them together. Attacks of this kind do require a more determined and skilled attacker, but underestimating low-rated vulnerabilities and deferring their updates puts the enterprise in a race with such attackers, and the risk grows the longer the updates are delayed.

IntelliShield published 92 events last week: 33 new events and 59 updated events. Of the 92 events, 49 were Vulnerability Alerts, three were Security Activity Bulletins, one was a Security Issue Alert, 37 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 05/25/2012 8 12 20
Thursday 05/24/2012 9 19 28
Wednesday 05/23/2012 10 4 14
Tuesday 05/22/2012 3 16 19
Monday 05/21/2012 3 8 11
Weekly Total 33 59 92

 

Significant Alerts for the Time Period

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
IntelliShield Vulnerability Alert 25816, Version 9, May 22, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-1823
PHP, when run as a CGI binary (php-cgi), contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a denial of service (DoS) condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. PHP has confirmed this vulnerability and released updated software. FreeBSD and Red Hat have released security advisories and updated software.
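The mechanism behind this alert is worth understanding because it is visible in ordinary web server logs. RFC 3875 (the CGI specification) says that when a query string contains no unencoded "=", the server splits it on "+" and passes the decoded words to the CGI program as command-line arguments; php-cgi parsed those words as its own options, so "?-s" returned the script's source and "-d" directives such as auto_prepend_file=php://input turned the request body into executed code. The following is an added example, not code from the page, the PHP project or the Metasploit module; it reconstructs the argv a server would hand to php-cgi and flags log lines where that argv carries options. The log lines are constructed.

```python
"""Detecting CVE-2012-1823 (php-cgi argument injection) attempts in web access logs.

Added example for this report, not code from the page or from the PHP project.
The log lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format, parsed only far enough to get the request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)


def cgi_argv(raw_query: str):
    """Reproduce what the web server hands a CGI program as argv.

    RFC 3875 section 4.4: when the query string contains no unencoded '=',
    the server splits it on '+' and passes the decoded words as command-line
    arguments. php-cgi then parsed those words as its own options. Because the
    check is on the raw string, an attacker encodes '=' as %3d to keep option
    values such as allow_url_include=1 intact. Returns None when the server
    would not pass argv at all.
    """
    if raw_query == "" or "=" in raw_query:
        return None
    return [unquote(word) for word in raw_query.split("+")]


def is_php_cgi_arg_injection(raw_query: str) -> bool:
    """Any argv word starting with '-' reaches php-cgi's option parser:
    -s dumps source, -d sets ini directives (auto_prepend_file=php://input
    gives code execution), -n/-c swap the php.ini, -T loops for DoS."""
    argv = cgi_argv(raw_query)
    return argv is not None and any(a.startswith("-") for a in argv)


def scan_log(lines):
    """Return one record per request that would have reached php-cgi as options."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("uri").partition("?")
        if is_php_cgi_arg_injection(query):
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "argv": cgi_argv(query),
                "status": m.group("status"),
            })
    return hits


# Constructed sample: two injection attempts, three ordinary requests. The last
# one carries a literal '=', so the server never treats it as argv.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2012:10:01:13 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "curl/7.21.0"',
    '203.0.113.7 - - [22/May/2012:10:01:15 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/May/2012:10:02:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/May/2012:10:02:05 +0000] "GET /wiki.php?Main_Page HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/May/2012:10:02:09 +0000] "GET /index.php?-d=1 HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["argv"], hit["status"])
```

The same logic, applied at request time rather than to logs, is what the Apache mod_rewrite workaround published alongside the PHP advisory does: it denies any request whose query string contains no "=" but does contain "-" or "%2d". Note that only installations that run PHP through php-cgi (not mod_php or FastCGI via php-fpm) are affected, and that the first PHP release for this issue was found to be incomplete, so the installed version should be checked against the latest PHP advisory rather than the first one.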

Previous Alerts That Still Represent Significant Risk

Adobe Flash Player Object Confusion Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25833, Version 2, May 23, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0779
Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. At the time of publication, reports indicate exploitation is ongoing in the wild. Adobe and Red Hat have released security advisories and software updates.

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 6, May 17, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. The overflow is in asn1_d2i_read_bio(), the routine behind the BIO- and FILE-based d2i functions, so applications that read untrusted DER data through those functions (certificate, key, or S/MIME processing) are the ones exposed. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, and HP have released security advisories and updates.

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 8, May 17, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP, and Apple have released security bulletins and updated software. Red Hat and HP have released additional security advisories and updated packages.

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 5, May 11, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-1182
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. If successful, the attacker could execute arbitrary code with root-level privileges. Samba, Apple, FreeBSD, Red Hat, and Oracle have released security advisories and updates.

PHP Hash Collisions Fix Regression max_input_vars Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25100, Version 3, May 10, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-0830
PHP 5.3.9 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on the affected system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apple has released a security advisory and updated software.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 11, May 10, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885, CVE-2012-0193, CVE-2012-0841
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, Oracle, HP, and Apple have released security advisories and updates.
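The two preceding alerts are the same story: predictable string hashes let an attacker build thousands of request parameters that all land in one hash-table bucket, so every insert walks the whole chain and a single request costs quadratic CPU time; PHP's response was the max_input_vars limit, and the alert before this one records a regression in that very fix. The following added example (not code from the page or from PHP) shows the attack on DJBX33A, the times-33 hash PHP 5 uses for array keys, and the limit-before-parsing mitigation. The table, the form parser and the colliding blocks are constructed for the demonstration; the blocks "Ez", "FY" and "G8" really do share a DJBX33A value, and because the hash is a polynomial in 33, equal-length blocks that collide can be concatenated in any order and still collide, giving 3**n keys for n positions.

```python
"""Hash-collision denial of service (the issue behind the two alerts above) and
the max_input_vars style mitigation, demonstrated on DJBX33A, the string hash
PHP 5 uses for array keys.

Added example, not code from the page or from PHP. The table and the form
parser are deliberately minimal stand-ins for a runtime's hash table and
request-variable parser.
"""
import itertools
import random
import string


def djbx33a(s: str) -> int:
    """Bernstein's times-33 hash as used by PHP 5 (32-bit arithmetic)."""
    h = 5381
    for b in s.encode():
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


# Three two-byte blocks with the same DJBX33A value. The hash is a polynomial
# in 33, so equal-length blocks with equal hashes can be concatenated in any
# order and the results still collide: n positions give 3**n keys.
COLLIDING_BLOCKS = ("Ez", "FY", "G8")


def colliding_keys(n_blocks: int):
    """3**n_blocks distinct keys that all hash to the same value."""
    return ["".join(p) for p in itertools.product(COLLIDING_BLOCKS, repeat=n_blocks)]


class ChainedTable:
    """Bucket-chained hash table that counts key comparisons, which is the cost
    an attacker inflates: every insert into a bucket walks its whole chain."""

    def __init__(self, nbuckets: int = 1024):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value):
        chain = self.buckets[djbx33a(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def comparisons_for(keys) -> int:
    """Key comparisons needed to insert `keys` into a fresh table."""
    table = ChainedTable()
    for k in keys:
        table.insert(k, "x")
    return table.comparisons


def random_keys(n: int, length: int = 12):
    """Benign keys of the same count, for a baseline (fixed seed, repeatable)."""
    rng = random.Random(1)
    return ["".join(rng.choice(string.ascii_letters) for _ in range(length)) for _ in range(n)]


def parse_form(body: str, max_input_vars: int = 1000) -> ChainedTable:
    """What PHP's max_input_vars does: bound the number of request variables
    before any of them touch the hash table. The counting has to be simple and
    correct on its own, since a bug in this guard (as the regression alert
    above records for PHP 5.3.9) turns the mitigation into a new hole."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_input_vars:
        raise ValueError(f"{len(pairs)} variables exceed max_input_vars={max_input_vars}")
    table = ChainedTable()
    for pair in pairs:
        key, _, value = pair.partition("=")
        table.insert(key, value)
    return table


if __name__ == "__main__":
    evil = colliding_keys(7)  # 3**7 = 2187 keys, one bucket
    print("colliding keys:", comparisons_for(evil), "comparisons")
    print("random keys:   ", comparisons_for(random_keys(len(evil))), "comparisons")
    try:
        parse_form("&".join(k + "=1" for k in evil))
    except ValueError as exc:
        print("rejected:", exc)
```

With 2187 colliding keys the table performs 2187 * 2186 / 2 = 2,390,391 comparisons, against a few thousand for the same number of random keys; a real request can carry far more parameters, which is why a few requests could saturate a CPU. Capping the variable count bounds the damage but does not remove the root cause; the structural fix, which several runtimes adopted afterward, is to seed the hash per process so that an attacker cannot precompute colliding keys.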

Microsoft Windows, Office, and Silverlight TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 4, May 08, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402
Microsoft has released an additional security advisory and software updates to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.

Exim Mail Transfer Agent Arbitrary Configuration Loading root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 6, May 11, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345
Exim has released a changelog and updated software to address the mail transfer agent arbitrary configuration loading root privilege escalation vulnerability. Exploitation of this vulnerability has been observed in conjunction with exploits for a vulnerability detailed in IntelliShield Alert 22051 (CVE-2010-4344), which grants an unauthenticated, remote attacker the privileges of the exim user. Chained with CVE-2010-4345, which lets that user have Exim load an arbitrary configuration file as root, the two vulnerabilities could allow an unauthenticated, remote attacker to gain root privileges on an affected system.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 6, May 11, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226
FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. FreeType.org has confirmed this vulnerability in the git repository and software updates are available. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Oracle has released a security advisory and updated software.

Oracle Database Server TNS Listener Remote Registration Vulnerability
IntelliShield Vulnerability Alert 25764, Version 2, May 1, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2012-1675
Oracle Database Server contains a vulnerability that could allow an unauthenticated, remote attacker to modify configuration parameters on a targeted system. Oracle has released a security advisory and patches to address the Oracle database server TNS listener remote registration vulnerability. Proof-of-concept code that demonstrates this vulnerability is publicly available.

Physical

Embedded Device Risk

On May 22, 2012, US Airways Flight 787 from Paris to North Carolina was diverted to Bangor International Airport in Maine after a French passenger made statements that seemed to imply she was carrying a device implanted in her body. She was examined during the flight, and the doctors saw no evidence of recent surgery. The U.S. Federal Bureau of Investigation (FBI) investigated afterward and determined that the flight had never been in danger.
Read More

IntelliShield Analysis: Reactions of this kind are driven by the escalating contest between terrorists and transport security. Explosives were first smuggled onto aircraft in bags, then in containers carried on the person, then hidden in clothing. The next step is to hide material inside the body, the same progression drug smugglers went through some time ago. Attempts to conceal explosives inside a person remain rare, so the threat is not currently prominent. If such attempts become more frequent, all travelers can expect even more invasive searches, and airports will need more expensive screening equipment. Because deployment of any new scanners would lag and might be limited to some locations, companies may rethink policies of putting their executives on scheduled public flights; the only likely beneficiaries in that scenario are private jet operators, who could see increased demand for charter flights.

Switching Bar Codes on Products

A vice president of a West Coast software firm was arrested and charged with felony burglary after a store's security cameras recorded him replacing the bar codes on higher-end LEGO sets with bar codes from discounted sets. Police found several bags of fraudulent bar codes in his car and hundreds of unopened LEGO sets at his residence. A search of his computer showed that he ran an eBay store called Tom's Brickyard and had sold about US$30,000 worth of LEGO sets.
Read More
Additional Information

IntelliShield Analysis: This story highlights a general problem with machine-readable codes: the device reading the code, whether a point-of-sale scanner, a radio frequency identification (RFID) reader, or a phone camera, trusts whatever the code says, and the human in the loop usually never sees it. The cashier in the LEGO case had no reason to doubt the price the scanner returned, and store policy in any event directs cashiers not to confront or pursue a suspected perpetrator but to leave the matter to loss-prevention personnel. The same blind trust applies when a phone decodes a quick response (QR) code or an RFID tag that carries a URI: unless the reading application shows the link and the user actually vets it, there is no guarantee it leads where the label claims, and it may well lead to the download and installation of malware, particularly on mobile devices. Users who casually scan QR codes should confirm that the link to be visited is the one they intended and that they actually want any application the code leads them to install.
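What "vetting the link" means in practice can be written down. The following is an added example (not code from the page) of the checks a QR or tag-reading application could apply to a decoded payload before opening it: non-web schemes that hand the payload to an app store or installer, userinfo tricks that put the expected name before an "@" while connecting elsewhere, raw IP hosts, internationalized host names, shorteners that hide the destination, direct links to installable packages, and lookalike hosts that merely contain the expected name. The payloads, the expected host shop.example.com and the shortener list are constructed for the example.

```python
"""Vetting a URL decoded from a QR code (or an NFC/RFID tag) before following it.

Added example, not code from the page. The payloads tested in __main__ are
constructed; SHORTENERS is a small illustrative sample, not a complete list.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
# Schemes that hand the payload to another application rather than a browser,
# which on a phone can mean an app store listing or a direct install prompt.
APP_SCHEMES = {"market", "intent", "itms", "itms-services", "tel", "sms", "mailto", "javascript"}
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
INSTALLER_SUFFIXES = (".apk", ".exe", ".ipa", ".msi", ".dmg")


def vet_payload(payload: str, expected_host: Optional[str] = None) -> List[str]:
    """Return the reasons not to follow `payload` blindly. An empty list means
    nothing suspicious was found, which is not the same as the link being safe.
    `expected_host` is what the label or poster next to the code claims."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in APP_SCHEMES:
        findings.append(f"scheme '{scheme}' launches an application or installer, not a web page")
        return findings
    if scheme not in WEB_SCHEMES:
        findings.append(f"unexpected scheme '{scheme or '(none)'}'")
        return findings

    host = (parts.hostname or "").lower()
    # "https://shop.example.com@203.0.113.9/" shows shop.example.com to the eye
    # but connects to 203.0.113.9; everything before '@' is userinfo.
    if parts.username is not None:
        findings.append(f"credentials before '@': the real host is '{host}', not '{parts.username}'")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address, not a name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized host name (possible homograph)")
    if host in SHORTENERS:
        findings.append("shortened URL hides the real destination")
    if parts.path.lower().endswith(INSTALLER_SUFFIXES):
        findings.append("link points directly at an installable package")
    if expected_host:
        expected = expected_host.lower()
        if host != expected and not host.endswith("." + expected):
            if expected in host:
                findings.append(f"'{expected}' appears inside '{host}' but is not its domain (lookalike)")
            else:
                findings.append(f"host '{host}' is not '{expected}'")
    return findings


if __name__ == "__main__":
    for payload in (
        "https://shop.example.com/product/4521",
        "https://shop.example.com@203.0.113.9/login",
        "http://shop.example.com.evil.example/",
        "market://details?id=com.example.app",
        "http://xn--shp-xxa.example/update.apk",
    ):
        print(payload, "->", vet_payload(payload, "shop.example.com") or ["no findings"])
```

The point of returning a list of reasons rather than a verdict is that the reader application can show them to the user next to the decoded link, which is the human check the analysis above asks for; a shortened URL, for instance, is not malicious in itself but must be expanded before anyone can judge it.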

Legal

There was no significant activity in this category during the time period.

Trust

Apple Siri Banned by IBM

Siri, the personal assistant application on the Apple iPhone 4S, has been banned by IBM on phones used on IBM's internal networks. IBM implemented access control lists that block communication between its internal networks and the Apple data center in North Carolina where Siri's queries are processed. IBM's concern centers on how Apple stores and uses the queries it receives; Apple's privacy policy places very few restrictions on the use of received voice queries.
Read More

IntelliShield Analysis: Concern about stored recordings of the spoken word is not new; the United States National Security Agency has previously banned all recording devices from its headquarters. The content of many queries should concern anyone who takes privacy seriously. Siri's queries can be combined with whatever else is gleaned from the user who issued them, including the contents of their personal contact lists, current location, and other "unspecified" information, and Siri can also be used to compose text and e-mail messages. Thus far no law enforcement requests for information stored from these queries have been reported, but as stored queries accumulate, users can expect requests for disclosure of that information in the not-too-distant future. Users are advised to weigh their privacy concerns when deciding how they use Siri, as they should with search engines.

Identity

There was no significant activity in this category during the time period.

Human

Google Warns Users About Malicious Software Infections

Google has started displaying warning messages on its websites when it detects that a visiting system is infected with the DNSChanger malicious software. The warning directs users to a page that describes how to remove the infection. Although the number of infections continues to fall, an estimated 500,000 systems remain infected. Users of infected systems face a DNS outage on July 9, 2012, when the servers that replaced the malicious DNS servers as part of the November 2011 Operation Ghost Click takedown are scheduled to be taken offline.
Read More
Additional Information

IntelliShield Analysis: Various entities, including governments and ISPs, have used warning messages in the past to notify users of malicious software infections. It remains to be seen whether users will trust warnings displayed on Google websites and act on them. The consequences of inaction are high: when the replacement DNS servers are taken offline on July 9, name resolution on affected systems will simply stop working. While the Google warnings and others like them are intended to help users, they also train users to act on in-page warnings, which socially engineered fake warnings and links to infected websites can exploit. The official U.S. FBI website for checking a system for a DNSChanger infection performs an automatic check and displays a green or red window with additional information and instructions from the FBI.
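For an administrator who would rather not depend on a banner, the infection is also visible in configuration: DNSChanger worked by pointing the system's (and often the home router's) resolvers at addresses in a handful of ranges that Operation Ghost Click seized. The following added example (not code from the page, Google or the FBI) parses resolver settings from a Unix resolv.conf and from Windows "ipconfig /all" output and compares them with those ranges. The six blocks are the ones listed in the FBI's DNSChanger notice, reproduced here from that notice and to be confirmed against it before relying on this; the configuration excerpts are constructed.

```python
"""Checking a host's configured DNS resolvers against the DNSChanger (Rove
Digital) rogue ranges, as a local complement to the browser-based check the
analysis above mentions.

Added example, not code from the page, Google or the FBI. ROGUE_RANGES are the
six blocks listed in the FBI's DNSChanger notice, reproduced here; confirm them
against that notice before relying on this. The resolv.conf and ipconfig
excerpts are constructed.
"""
import ipaddress
import re
from typing import List

ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue(address: str) -> bool:
    """True when `address` falls inside one of the seized rogue resolver ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_RANGES)


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Unix: 'nameserver <ip>' lines; comments and other keys are ignored."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_ipconfig(text: str) -> List[str]:
    """Windows 'ipconfig /all': the 'DNS Servers' line plus its indented
    continuation lines (one address each) until the next labelled line."""
    found = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            found += IPV4_RE.findall(line)
            continue
        if collecting:
            if ":" in line or not line.strip():   # next "Label . . : value" or blank
                collecting = False
            else:
                found += IPV4_RE.findall(line)
    return found


def check_resolvers(resolvers: List[str]) -> dict:
    """Split configured resolvers into rogue and other. A non-empty 'rogue'
    list means the host loses name resolution when the replacement servers go
    dark, even if a browser check happened to report it clean."""
    rogue = [r for r in resolvers if is_rogue(r)]
    return {
        "rogue": rogue,
        "other": [r for r in resolvers if r not in rogue],
        "infected": bool(rogue),
    }


# Constructed samples: a Unix host and a Windows host, both pointed at rogue ranges.
RESOLV_CONF = """# constructed sample
search corp.example
nameserver 85.255.112.36
nameserver 198.51.100.53
"""

IPCONFIG = """Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 64.28.176.5
                                       64.28.176.6
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print("unix:   ", check_resolvers(resolvers_from_resolv_conf(RESOLV_CONF)))
    print("windows:", check_resolvers(resolvers_from_ipconfig(IPCONFIG)))
```

Two caveats apply. A browser-side check reports what the test server observed, which can differ from what is configured if an ISP is transparently redirecting the rogue addresses to its own resolvers; the configured addresses are what stop working on July 9. And DNSChanger also altered the DNS settings of home routers it could log in to, so a clean host behind a reconfigured router is still affected: the router's DNS settings should be checked the same way.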

Geopolitical

Infosec Impact of a Greek Euro Exit

Major international banks are putting the chances of a Greek exit from the euro at better than 50 percent following an inconclusive election in Greece in early May that forced a second round of elections. This second round, expected on June 17, 2012, is being seen by many as a de facto referendum on Greece's continued membership in the euro zone (and potentially in the European Union as well). Policy makers are reluctant to speak on the record about whether contingency planning is taking place and what such an unscripted, undesirable scenario might look like, other than agreeing it would be damaging and messy. Top of mind for macroeconomic planners is whether an exit by Greece would prompt a rapid deterioration of neighboring, weak economies, particularly that of Spain. For information security specialists, however, concerns may be more tactical.
Read More
Additional Information

IntelliShield Analysis: The questions start with timing: investor panic could trigger devaluation and euro exit, conceivably before the June 17 election date. One scenario points to an exit over a weekend, with an announcement following the close of markets in New York on a Friday. This would give euro zone leaders and other stakeholders, including the International Monetary Fund and the European Central Bank, two days to convene emergency meetings before international markets open on the following Monday morning. While many international currency and business contracts have already been renegotiated or hedged, the electronic data flow aspects of a euro exit are unknown. ATMs and Greek bank-issued credit cards likely would not work, at least temporarily, and Greeks may turn to bartering as a stopgap. Information security professionals may encounter extended bank closures, opportunistic malware campaigns aimed at panicked deposit holders, and network surges. Businesses may be affected by physical disruptions, including looting, strikes, and protests. The issuance of a new currency creates considerable opportunities for crime, such as phishing scams and counterfeiting, because few will be able to identify the new paper currency with confidence. The euro itself is sound, as is the broader European banking system, but information security specialists may want to brace for a long week if this undesirable and uncharted scenario comes to pass.

Upcoming Security Activity

World IPv6 Launch: June 6, 2012
Cisco Live US: June 10–14, 2012
Gartner Security and Risk Management Summit: June 11–14, 2012
Black Hat USA 2012: July 21–26, 2012
DEFCON 20: July 26–29, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

G20 Summit (Los Cabos, Mexico): June 18–20, 2012
Mexico General Elections: July 1, 2012
London Olympic Summer Games: July 27–August 12, 2012
U.S. Republican Convention (Tampa, FL): August 27–30, 2012
U.S. Democratic Convention (Charlotte, NC): September 3–6, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
