November 19–25, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels continued to rise during this time period. Multiple vendors released security advisories and updated software to address vulnerabilities in products such as Apache, Perl Compatible Regular Expressions, Samba, and VMware. Four vulnerabilities were publicly disclosed in the Ingate Firewall and SIParator; these vulnerabilities could allow an attacker to access information, cause a denial of service (DoS) condition, and execute arbitrary code. A vulnerability in Apple Mail when running on Mac OS X was discovered that could allow attackers to execute arbitrary commands on affected systems with the privileges of the user. IntelliShield reported this vulnerability in Alert 14608. The vulnerability was originally discovered in February 2006 and covered in Alert 10455; however, the vulnerability was reintroduced into the Mac OS X 10.5 train.
Citrix also reported a cross-site scripting vulnerability in Citrix NetScaler and a vulnerability in Citrix Presentation Server that could allow an attacker to execute arbitrary code.

IntelliShield published 157 events last week: 45 new events and 112 updated events. Of the 157 events, 136 were Vulnerability Alerts, three were Malicious Code Alerts, eleven were Security Issue Alerts, two were Daily Malicious Code Summaries, two were Security Activity Bulletins, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Script Error Handling Memory Corruption Vulnerability
Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute arbitrary code. Attackers cannot exploit this vulnerability directly and instead must convince a user to visit a malicious website. The Cisco Remote Operations Services organization has detected activity that indicates public attempts to exploit this vulnerability. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Microsoft Internet Explorer ShellExecute() URL Handling Vulnerability
Microsoft Internet Explorer contains a vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the user. If the user possesses sufficient privileges, an exploit could allow the attacker to gain full control over the affected system. This vulnerability was originally disclosed in July 2007. Exploit code is now publicly available, and attackers are actively exploiting this vulnerability in the wild. Microsoft has confirmed this vulnerability in a security advisory, and third-party vendor updates are available.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability
RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user. Exploit code is publicly available, and reports indicate that active exploitation is currently ongoing. RealNetworks has confirmed this vulnerability and released updates.

Microsoft Word Memory Corruption Vulnerability
Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Malicious code that exploits this vulnerability is circulating in the wild. IntelliShield reported this malicious code as a variant of the Mdropper trojan in Alert 12562.
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user that started the affected application. Depending on the privileges of the user, the attacker could create new accounts, install programs, or view, change, or delete data.

Security Activity Bulletin: Oracle Critical Patch Update October 2007
Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details that concern specific vulnerabilities. IntelliShield expects independent security researchers to release details regarding individual vulnerabilities as researchers test and verify the Oracle patches.

MIT Kerberos and librpcsecgss RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code. An exploit may result in a full system compromise. Many operating systems and third-party applications use Kerberos and will likely release updated software to address this vulnerability.

Samba WINS Server Daemon Buffer Overflow Vulnerability
Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.

Physical

Transit Strikes in France
A nine-day transportation strike caused major disruptions throughout France during the time period. In addition to the general disruptions and protests, arson attacks that affected four train routes also occurred on November 21, 2007.
Talks between union officials and the French government continue, and some workers began returning to work on November 22, 2007.

IntelliShield Analysis: Widespread strikes that interrupt or block transportation systems are risks that require business continuity planning. Similar to weather or other regional physical risks, organizations are advised to establish contingency plans for employees who are unable to reach offices and methods for communicating dangers to area workers. Businesses must also have emergency notification methods to alert employees when contingency plans are exercised and ensure that employees are educated about the plans. Remote worker capabilities can allow employees to work from any safe location with an Internet connection, but businesses must ensure that necessary systems and software are deployed, users are trained, and controls and policies are implemented without causing increased information security risks.

Legal

Google and DoubleClick Hope to Unite Online Advertising
Google has proposed a US$3.1 million buyout of advertising firm DoubleClick but is facing opposition from the United States Federal Trade Commission and European Union antitrust laws. Google specializes in search and search-related advertising, and DoubleClick is a leader in the online display advertising market. If successful, the deal would unite two of the largest companies in the Internet advertising space and lower competition.

IntelliShield Analysis: There are security concerns beyond the legal and economic ramifications of Google's proposed buyout, because the company has faced pressure from privacy advocates who are concerned about how Google collects and stores user information. DoubleClick tracks users as they click through an advertisement. If combined, this information could become an enticing target for attackers, which could increase the potential for abuse and exploitation.
Trust

Trusted Websites Used to Distribute Malicious Code
Monster.com recently reported that its website had been attacked and was being used to distribute malicious code to visitors. The compromise was identified as IFrame exploits and other attacks that used Monster.com web pages. The IFrame exploits direct users to malicious websites that can expose the users' systems to multiple attacks from a widely used attack toolkit.

IntelliShield Analysis: The compromise of popular, generally trusted websites is an escalating method of exploit. With the holiday shopping season growing to peak levels through the end of December, businesses should be vigilant and carefully monitor websites for signs of compromise or malicious activity.

Identity

United Kingdom Children and Families Suffer Identity Exposure
Two compact discs that contained password-protected, but unencrypted, information for the United Kingdom (U.K.) Child Benefit program failed to arrive at the National Audit Office when sent via the HM Revenue and Customs internal courier service. The data included National Insurance numbers, bank details, names, birth dates, and address information of 25 million individuals, including all family members of any individual in the U.K. with a child of 16 years or younger.

IntelliShield Analysis: According to Chancellor Alistair Darling, the courier service ignored security procedures during this incident. As the British government determines the cause of the breach and adjusts policies to prevent a recurrence, citizens in the U.K. will need to determine how to monitor and protect their credit and identities. Frequent identity monitoring may become a necessity for many individuals around the world.

Human

Phishing Attacks Becoming More Complex
A large-scale MySpace phishing attack that originated in China and operated for more than thirty days was detected during the time period.
Using small-scale, directed spamming of links within internal comments, attackers were able to collect usernames and passwords while remaining hidden from security products and personnel. These "typo squatting" attacks, which attempt to impersonate legitimate websites by registering web domains with intentionally misspelled trademarked names or popular keywords, are not new to cyberspace but continue to grow in scope and sophistication.

IntelliShield Analysis: The tactics used in phishing, domain squatting, and typo squatting attacks remain relatively unchanged, but technology that is capable of hiding the illegitimacy of websites and the keywords used to attract victims continues to improve. IntelliShield expects a rise in phishing attempts as attackers take advantage of the upcoming holiday season. Best practices, such as examining URLs before selecting web links, double-checking spelling within a typed URL, and using a search engine to double-check website legitimacy, will be of benefit to users in the coming months. Several applications and browser plugins are available for use in warning against misleading websites.

Geopolitical

China Identified as Threat to United States Data and Technology
China has reacted negatively to a November United States (U.S.) Congressional report that named the country as the single largest threat to sensitive U.S. data and technology. The bipartisan U.S.-China Economic and Security Review Commission claims that China surprised the U.S. by the country's rapid advancement of technological capabilities, which was achieved in part through illicit technology transfer and espionage. The panel further stated that the Pentagon is failing to ensure that weapons contracts with U.S. companies do not result in the outsourcing of component manufacture to potential adversaries, such as China.
IntelliShield Analysis: The report by the U.S.-China Economic and Security Review Commission may be noteworthy more for its impact on perceptions than for its actual conclusions. From a business perspective, U.S. government decision-makers who are tasked with protecting sensitive data will likely direct funds towards increased China-focused network security spending and intelligence collection. Moreover, technology companies that are involved in off-shoring and outsourcing must consider whether these programs could negatively impact the prospects for obtaining government contracts in light of this report.

Upcoming Security Activity

DeepSec IDSC: November 22–23, 2007

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.