Cyber Risk Report

May 31–June 6, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for the period remained consistent with previous periods. The large VMware update correcting 43 vulnerabilities, released late last period, is reflected in this period's numbers and accounts for the increased level of alert activity. The monthly and annual numbers continue to reflect the declining number of reported vulnerabilities that impact business, government and education environments. Similarly, despite the continued threat of modified existing spam activity, the SenderBase statistics also show a decline in levels of spam activity for the first months of 2010. However, as Cisco reported in the 2009 Annual Security Report, the threat trend toward social engineering and application exploits continues to grow. Many of the application and user threats are not reflected in vendor security announcements and vulnerability tracking due to the local nature of these threats. The reduced levels of vulnerability and spam activity should be interpreted as indicators of this threat shift, not a reduction of the overall threat levels.

The Microsoft Advance Notification for June 2010 stated that Microsoft intends to release 10 security bulletins on Tuesday, June 8, addressing 34 vulnerabilities. Of the bulletins, 3 are rated Critical and 7 Important by Microsoft, and they impact Windows, Office and Internet Explorer products.

Adobe announced that it was considering moving to a monthly security update schedule from its current quarterly schedule. Although Adobe's policy has been to release quarterly updates, due to the increased threats and vulnerabilities with Adobe products this year, the security updates have been more frequent and unscheduled. The scheduled release policies of Microsoft, Oracle, Cisco, Adobe and others are a significant benefit to security teams, allowing them to better prepare, organize and improve the efficiency of their internal patch and vulnerability management procedures. While unscheduled security updates will likely always be a factor, this scheduling trend by the major vendors is an aid to most organizations in reducing the number of rapid responses.

IntelliShield published 146 events last week: 22 new events and 124 updated events. Of the 146 events, 116 were Vulnerability Alerts, three were Security Activity Bulletins, 14 were Security Issue Alerts, 12 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date          New   Updated   Total
Friday         06/04/2010      7         7      14
Thursday       06/03/2010      5        16      21
Wednesday      06/02/2010      3        11      14
Tuesday        06/01/2010      7        90      97
Monday         05/31/2010      0         0       0
Weekly Total                  22       124     146

2010 Monthly Alert Totals

Month          New   Updated   Monthly Total
January        158       259             417
February       177       253             430
March          194       324             518
April          208       167             375
May            148       174             322
Annual Total   885      1177            2066


Previous Alerts That Still Represent Significant Risk

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5. Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Windows systems and execute arbitrary code with kernel privileges.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last (J-root) of the 13 root servers will begin serving the DURZ on May 5, 2010.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 2, April 30, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability, but software updates are not available.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 57, June 7, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox WOFF Decoder Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1028

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.

Physical

There was no significant activity in this category during the time period.

Legal

Government Involvement with Private Sector Cyber Security Issues

There were two significant stories this week regarding the U.S. Government's involvement with computer security issues: Pentagon officials suggested that use of the U.S. Government-developed Einstein 2 and 3 defensive systems be extended to private enterprise in a partnership to help the private sector become more secure, and Senator Lieberman has co-sponsored legislation that would allow government to take over the security responsibility for the private critical infrastructure. Last year, similar but more drastic legislation that would disconnect networks during severe security events was discarded after a public outcry.

IntelliShield Analysis: The government is very dependent upon private sector infrastructure for its operation. This legislation is a somewhat predictable reaction of government to protect itself and the general public if it sees a failure of cyber security in a network it deems to be part of critical infrastructure. Critical infrastructure providers have a contract with the public to reliably provide those services, and part of that reliability is to ensure the secure operation of their data networks. Since Congress tried unsuccessfully with the previous legislative effort, it seems only a matter of time until they are successful with some form of similar legislation. The best way to ensure that there is no government involvement in the operation of these networks is to take the necessary steps to properly secure critical infrastructure networks; anything less may be an invitation for government intervention.

Trust

There was no significant activity in this category during the time period.

Identity

Woman Mistaken for Litigious Pedestrian Receives Public Backlash

A woman from Los Angeles County, California, is suing Google because she received pedestrian directions via Google's Maps service on her BlackBerry, which led her to walk along a busy highway where she was struck by a car. Some members of the public, upset by her litigation, have made an effort to identify her and voice their disdain directly. A different woman with the same name, a publicist from Santa Monica, California (also in Los Angeles County), has received several strongly worded e-mail and phone messages, as well as ridicule intended for the litigious pedestrian. The pedestrian is pursuing her suit against Google because she was directed along a route unfriendly to foot traffic; meanwhile, the publicist is pursuing damage control efforts to ensure that the public does not continue to confuse her with the injured plaintiff.

IntelliShield Analysis: Public backlash is not new to the Internet, though some might argue that the relative anonymity provided by online activities might embolden some participants. But the Internet has brought about an increasing availability of personal information online, from phone directories, real estate purchases, social networks, and more. As the irate portions of the public use search engines and amateur sleuthing to try to uncover phone numbers or addresses, there will inevitably be mistakes made and improper targets selected. Individuals and organizations should continue to monitor their reputations online, and prepare to take protective measures if a same- or similarly named entity starts to receive unwanted attention.

Human

There was no significant activity in this category during the time period.

Geopolitical

China and India Voice Frustration on Anti-Piracy and IP Protection Treaties

At this week's meeting of the council for the Trade Related Aspects of Intellectual Property Rights (TRIPS), representatives from China and India are expected to argue that developed countries are pushing emerging market partners beyond their World Trade Organization commitments without including them in the negotiations. India reportedly is particularly frustrated by the Anti-Counterfeiting Trade Agreement (ACTA), which is being negotiated by Australia, Canada, the European Union, the United States, Japan, Mexico, Morocco, New Zealand, Singapore, South Korea, and Switzerland. Under criticism for not sharing the details of the negotiations, these countries made a draft of the treaty public in April. In response, India is reportedly talking with other like-minded countries about formally opposing the ACTA treaty proposal.

IntelliShield Analysis: The global anti-piracy push is gaining momentum, particularly in industrialized countries, as an ever-larger chunk of economic wealth can be measured in terms of abstract ideas or easily copied digital media. Mostly industrialized, mature countries lose billions of dollars on counterfeited goods manufactured and shipped primarily from emerging market ports. Few would argue against the notion that ideas should be protected in order to ensure innovation-encouraging return on investment, but creating an international pact that excludes parties affected by it based on their failure to meet certain intellectual property rights (IPR) standards, fair or not, feels unfair. The tussle over ACTA has become a public relations problem, even though the standards under discussion are badly needed. The dispute is a reminder of the extent to which industrialized and emerging countries have different priorities, different profit models, and different expectations with respect to intellectual property protection. Down the road, as emerging economies mature and have more intellectual property of their own to protect, the best outcome will be one in which national interests on IP protection converge, rather than diverge.

Upcoming Security Activity

FIRST Conference (Miami, Florida, U.S.): June 13–18, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas, Nevada, U.S.): June 27–July 1, 2010
Black Hat USA (Las Vegas, Nevada, U.S.): July 24–29, 2010
DEFCON 18: July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
FIFA World Cup (South Africa): June 11–July 11, 2010
Poland Elections: June 20, 2010
G20 Summit (Toronto, Canada): June 26–27, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit Cisco Security IntelliShield Alert Manager Service.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit Trial Registration.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
