Cyber Risk Report

October 10–16, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased dramatically during the period, primarily because of the scheduled Microsoft monthly updates and large security updates from Apple and VMware. Microsoft released eight security bulletins addressing 23 vulnerabilities in multiple products. Two of the bulletins were rated critical, and three of the vulnerabilities have public proof-of-concept exploit code available. Full details of the vulnerabilities, protection, and mitigations are available on the Cisco Security Intelligence Operations website and in Cisco Event Response: Microsoft Security Bulletin Release for October 2011.

Apple released multiple security advisories addressing 98 individual vulnerabilities in iOS, iTunes, Safari, OS X, and Apple TV. The majority of the vulnerabilities continue to be in open source software included in Apple products; 79 of them are WebKit vulnerabilities. Apple remains a bellwether for vendors and end users attempting to manage open source vulnerabilities. As Cisco noted in the 2010 Annual Security Report, the difficulty of managing products that may include numerous open source products and packages changes the granularity required for vulnerability management.

Similarly, VMware released multiple security updates addressing 50 vulnerabilities in the Linux kernel and other vulnerabilities that affect the ESXi and ESX products. This is another prime example of the difficulty of maintaining and securing products that bundle open source components.

DerbyCon researchers presented an investigation of SCADA vulnerabilities they identified in software freely available on the Internet. The researchers have not released details of the vulnerabilities, but reportedly found over 250 of them with little effort and no complex analysis. The researchers have turned the information over to US-CERT to coordinate reporting with the vendors.

IntelliShield published 234 events last week: 99 new events and 135 updated events. Of the 234 events, 170 were Vulnerability Alerts, 12 were Security Activity Bulletins, 18 were Security Issue Alerts, one was a Malicious Code Alert, 30 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Saturday      10/15/2011    0       49     49
Friday        10/14/2011   29       26     55
Thursday      10/13/2011   29       38     67
Wednesday     10/12/2011    9        6     15
Tuesday       10/11/2011   28        3     31
Monday        10/10/2011    4       13     17
Weekly Total  —            99      135    234


Significant Alerts for the Time Period

Apache HTTP Server mod_proxy Module Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 24327, Version 2, October 14, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3368
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to sensitive information. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apache has released a security notice, and IBM has released multiple APARs and software updates.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 5, October 14, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226
FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Apple, Red Hat, and FreeBSD have released security updates.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 14, October 14, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories.

Previous Alerts That Still Represent Significant Risk

Fraudulent DigiNotar Digital Certificates Could Allow Man-in-the-Middle Attacks
IntelliShield Vulnerability Alert 24031, Version 13, September 26, 2011
Urgency/Credibility/Severity Rating: 2/5/3
Fraudulent digital certificates were issued by a certificate authority. These certificates could allow an unauthenticated, remote attacker to access sensitive user data via a man-in-the-middle attack. The SSL certificates were issued by a trusted root certificate authority (CA). Multiple vendors have released security advisories and updates. IntelliShield has included information relating to affected Cisco products. Updated information is also available regarding Cisco IronPort Email Security Appliance firmware updates.

Adobe Flash Player AVM Stack Overflow Multiple Memory Corruption Vulnerabilities
IntelliShield Vulnerability Alert 24189, Version 2, September 23, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429, CVE-2011-2430, CVE-2011-2444
Adobe Flash Player versions 10.3.183.7 and prior for Windows, Macintosh, Linux, and Solaris and Adobe Flash Player versions 10.3.186.6 and prior for Android contain multiple vulnerabilities that could allow a remote attacker to conduct a cross-site scripting attack, cause a denial of service (DoS) condition, bypass security restrictions, or execute arbitrary code on a targeted system. Adobe has released a security bulletin and updated software.

Microsoft SharePoint Server Contact Details Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 24068, Version 4, September 20, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-1891
Microsoft SharePoint Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS11-074 and released software updates. IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft SharePoint Server Contact Details cross-site scripting vulnerability.

Multiple Microsoft Products toStaticHTML Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 23357, Version 3, September 13, 2011
Urgency/Credibility/Severity Rating: 3/5/2
CVE-2011-1252
Multiple Microsoft products contain a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information on a targeted system. Proof-of-concept exploit code is publicly available. This code could allow an attacker to convert existing functional cross-site scripting exploits into formats that bypass protections by exploiting this vulnerability. Updates are available. Microsoft has released an additional security bulletin and software updates to address the toStaticHTML information disclosure vulnerability in Microsoft SharePoint Services.

HTTPKiller: Apache HTTP Server Denial of Service Tool
IntelliShield Vulnerability Alert 23983, Version 3, August 26, 2011
Urgency/Credibility/Severity Rating: 3/5/3
A publicly available exploit tool that exploits a vulnerability in Apache HTTP Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. Apache has reported that active use of this tool has been observed. The vulnerability exploited by the tool is documented in IntelliShield Alert 24004.

CA ARCserve D2D Security Bypass Vulnerability
IntelliShield Vulnerability Alert 23735, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-3011
CA ARCserve D2D contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a system. Functional code that demonstrates an exploit of this vulnerability is available as part of the Metasploit Framework. CA has confirmed this vulnerability and updates are available.

Multiple Oracle Products Authentication Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22963, Version 2, August 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0807
Oracle Sun GlassFish Enterprise Server and Sun Java System Application Server contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Oracle has confirmed the vulnerability and released updated software.

Microsoft Windows Client/Server Run-time Subsystem Console Object Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 23555, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-1281
Microsoft Windows contains a vulnerability that could allow a local attacker to gain elevated privileges on the system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS11-056 and released software updates.

Mozilla Firefox and SeaMonkey Dangling Pointer Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23046, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0065
Mozilla Firefox and SeaMonkey contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Mozilla has confirmed this vulnerability and released updated software.

Physical

There was no significant activity in this category during the time period.

Legal

German Authorities' R2D2 Trojan Opens Systems to Criminal Attacks

The Chaos Computer Club has reportedly captured and analyzed a trojan that is being used by German authorities to perform lawful intercept of computer communications. The trojan reportedly collects screen captures and other data and transmits them to a server based in the United States, which may violate the strict European Union privacy laws. More notably, the trojan appears to have weaknesses that could allow other criminals to access and use it to compromise the system on which the German authorities installed it.

IntelliShield Analysis: Aside from the legal questions about lawful intercept and privacy protections, the possibly greater risk in this incident is the poor quality of the trojan code. The researchers reported that the trojan does encrypt the data, but with a single, fixed encryption key. The trojan also reportedly has no authentication controls. The use of this poorly coded trojan by German authorities could expose the monitored system to additional attacks and exploits. Criminals may be able to use the government-installed trojan to gain access to the system, download additional malicious software, and perform criminal activity, arguably enabled by the authorities' installation of the trojan.

Trust

There was no significant activity in this category during the time period.

Identity

Sony PlayStation Network Attack and the Improved Response

Sony reported a brute-force attack attempt that may have compromised 93,000 accounts on the PlayStation Network. The attack appears to have been quickly identified and contained. Sony has reported locking the potentially compromised accounts and is forcing their users to change their account passwords. The attack affected only a small number of accounts, and only a small number of those showed possibly malicious activity.

IntelliShield Analysis: Sony's response should be a welcome improvement for users of these systems following the compromises of the PlayStation Network earlier this year. Sony has apparently tightened its security measures and is actively monitoring accounts for malicious activity. Despite the apparently poor security measures and response during the earlier attacks, Sony seems to have learned from those events and improved both its security practices and its response measures. While the popular game networks will likely remain targets of attackers, Sony's security improvements less than 6 months after the previous compromises speak well for Sony's focus on improving its practices.

Human

Human Interaction Required

Microsoft released the Microsoft Security Intelligence Report (SIR) Volume 11, which includes a score of valuable metrics and statistics. The data highlights the vulnerability and threat activity associated with Microsoft systems and analyzes that activity to identify attack and criminal trends.

IntelliShield Analysis: This is a long and detailed report from Microsoft, as are all of its Security Intelligence Reports, full of useful data and analysis. The one item that jumped out of the report regarding exploits is also a timely topic for October's Cyber Security Awareness Month: 44.8 percent of exploits involved human interaction, and 26 percent were related to attached devices, such as USB memory sticks. Put together, over 70 percent of exploits could be avoided by relatively simple user practices. Additional technical controls, such as disabling links in e-mail, disabling autorun, and enabling security features in browsers, can reinforce those recommended user practices and further protect the systems. It is generally difficult to provide meaningful security metrics; this report, however, is full of useful metrics and measures to pass on to users to raise their awareness.

Geopolitical

Keeping an Eye on the South China Sea

With the wind-down of wars in Afghanistan and Iraq, U.S. Secretary of State Hillary Clinton spelled out a redirection of foreign policy focus toward the Asia Pacific region in an article published in Foreign Policy magazine last week. This repositioning is in line with her assertion last summer that maintaining freedom of navigation in South China Sea shipping lanes is in the U.S. national interest and is also a reminder of the rising strategic importance of the region, not only for the United States but for the world. More than half of global merchant fleet volumes now transit the Straits of Malacca in the South China Sea, and most also pass by the contested Spratly Islands. Rising Asian demand for crude oil and raw materials accounts for much of the growth in traffic volume, which is already many times greater than Suez or Panama Canal traffic. And increasing the geopolitical stakes, vast reserves of oil and gas are believed to lie below the Spratlys, claimed by China, Vietnam, Malaysia, the Philippines, and others.

IntelliShield Analysis: With the world's primary technology component sourcing and production hubs located in the region, multinational companies that consume or produce technology would be wise to keep an eye on the South China Sea. While many technology components are shipped by air, some technology companies are looking to save costs by increasing their use of sea freight. Air logistics hubs can also be affected if diplomatic rows lead to retaliatory overflight restrictions or tariffs. In terms of information security, spending on naval-oriented weapons and reconnaissance technologies around the world is likely to rise. Moreover, a variety of reports indicate that efforts by nation-states to work out their disputes are being complicated by website hacks and cyber attacks by nongovernment groups. All parties have an interest in maintaining peace and open shipping lanes for global commerce, but the sheer volume of traffic, the rate at which demand is growing, the increasing clout of Southeast Asian markets, and the complex interplay of multilateral players suggest that technology specialists should stay vigilant.

Upcoming Security Activity

National Cyber Security Awareness Month: October 2011
RSA Europe: October 11–13, 2011
VMworld 2011 Copenhagen: October 18–20, 2011
International Cyber Conference (London): November 1–2, 2011
Cisco Live Mexico: November 7–10, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Daylight saving time ends: November 6, 2011
Eid-al-Adha: November 7, 2011
U.S. election day: November 8, 2011
Al-Hijra/Muharram: November 26–December 24, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
