Cyber Risk Report

October 12–18, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity increased during the time period due to large security announcements from Microsoft and Adobe. On Tuesday, October 13, 2009, Microsoft released 13 security bulletins, detailing 33 vulnerabilities. Later the same day, Adobe released security announcements for 29 vulnerabilities.

The Microsoft security bulletins addressed previously reported and new vulnerabilities including the SMB2 vulnerability, Internet Information Services (IIS) FTP vulnerability, and additional updates for the ATL vulnerabilities. IntelliShield alerts and detailed information about these vulnerabilities along with recommended mitigations are available at the Cisco Security Intelligence Operations portal and the Cisco Event Response: Microsoft Security Bulletin Release for October 2009. Multiple vulnerabilities reported in the October 2009 Microsoft bulletins are currently being exploited.

Adobe released announcements for 29 vulnerabilities that impact Adobe Reader and Acrobat. These applications are widely used for reading and creating PDF documents. Multiple vulnerabilities reported by Adobe are currently being exploited by compromised websites, phishing tactics, and spam e-mail. Users are advised to manually update their applications using the update features to ensure that they have installed the latest updates. Additional information about these vulnerabilities is available at the Cisco Security Intelligence Operations portal.

In addition to the current increased levels of banking trojans and botnets, Cisco Security Intelligence Operations has identified a resurgence of activity from the Asprox botnet. Earlier this year, the Asprox botnet was highly active and used its built-in SQL injection capabilities to compromise vulnerable websites, but this activity decreased after the first four months of 2009. In September 2009, the Asprox botnet again became active, attempting to exploit similarly vulnerable websites. In this second surge, after compromising a website, Asprox installs malicious PDF documents that exploit the Adobe Reader vulnerabilities described in the preceding paragraph. Activity levels for this botnet have doubled from September to October 2009, increasing the urgency for users to install the Adobe updates released last week.

IntelliShield published 169 events last week: 76 new events and 93 updated events. Of the 169 events, 142 were Vulnerability Alerts, nine were Security Activity Bulletins, 11 were Threat Outbreak Alerts, three were Security Issue Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        10/16/2009     5        12      17
Thursday      10/15/2009     5        37      42
Wednesday     10/14/2009    25        13      38
Tuesday       10/13/2009    30        18      48
Monday        10/12/2009    11        13      24
Weekly Total                76        93     169

Significant Alerts for October 12–18, 2009

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-3103

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft IIS versions 5.0, 5.1, and 6.0 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 11, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Previous Alerts That Still Represent Significant Risk

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 9, September 30, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a DoS condition. Proof-of-concept exploit code is publicly available. Kernel.org has confirmed the vulnerability in a changelog and released updated software.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 10, September 22, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. This vulnerability is being exploited in the wild. Exploit code is publicly available. ISC has confirmed this vulnerability and updated software is available.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft IIS versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Physical

There was no significant activity in this category during the time period.

Legal

Court to Rule on Damage Question from Data Breach Case

A judge in the United States (U.S.), who is ruling on a data breach case, has asked the Supreme Court of the U.S. state of Maine to resolve the following legal question: can plaintiffs file claims of damages for the time and effort needed to change credit and debit cards in the aftermath of a data breach? The case follows a breach last year in which more than 4.2 million credit and debit cards were stolen.

IntelliShield Analysis: Until now, most claims brought forward on cases of lost or stolen credit or debit cards have been dismissed if the user could not demonstrate a monetary loss due to the incident. And, if a monetary loss was suffered but reimbursed by a bank, there were no grounds for a case either. However, the question being raised to the Maine Supreme Court could set a precedent that makes data breaches much more expensive for the companies who suffer them. For example, if the court rules that claimants can seek damages for the time it takes to change their cards following a breach and awards claimants US$15 per card, the cost for the company would be US$63 million.

In another case overseen by a court in the U.S. state of Illinois, two claimants are attempting to sue their bank for providing too lax security protection for their compromised accounts. Because the bank did not offer two-factor authentication, a widely available form of online security, the plaintiffs claim the bank was lax in its security and that they should be reimbursed for their monetary losses. If this claim stands, banks and other institutions may need to increase investment in the security of their online accounts or pay the costly fees associated with breaches.

Trust

Service Failures for Facebook and Microsoft Sidekick

Two Internet services experienced outages last week. Foremost among them was a failure in Microsoft's Sidekick mobile device service, which resulted in reports of data loss for every Sidekick user and further speculation that data was unrecoverable. Since October 15, 2009, Microsoft has reported that only a minority of users were affected and that most of the affected data was recovered. Also reported was a database failure at Facebook that resulted in 150,000 users losing access along with recent data and settings. Affected users had privacy settings reset to the most restrictive values because of an inability to account for any changes to settings made prior to the outage.

IntelliShield Analysis: Both outages appear to have been resolved. However, there was a great deal of speculation, especially about the Microsoft service failure. One of the primary talking points in online news and blogs was that the Sidekick outage represented a failure of "the cloud". However, the term "cloud" has recently become popular for any service that is remotely hosted and Internet-accessible, regardless of its implementation. Because both failures affected high-profile services, some have drawn conclusions about "the cloud" from two very different events. Organizations should treat architecture and resiliency as essential; even when an organization does not operate the service's architecture itself, understanding what takes place behind the scenes is very important.

Identity

There was no significant activity in this category during the time period.

Human

United States Army Special Forces Information Disclosure via P2P Network

As part of an ongoing investigation into inadvertent disclosure of private information over public P2P networks, a document was discovered that contained personal information about soldiers from the United States (U.S.) Third Special Forces group at Fort Bragg in the state of North Carolina, as well as information about the soldiers' families. Other information found during the course of this investigation included documents belonging to other military branches and several federal government agencies.

IntelliShield Analysis: Although P2P networks are best known for, and most commonly used for, the explicit sharing of public information such as music files, the consequences of using them are not always fully understood by end users. If not configured correctly when initially installed, P2P applications can inadvertently share unexpected files, or all of the files, stored on a user's P2P-enabled device, potentially granting access to anyone with an Internet connection and a compatible P2P client. This information may be trivial, such as personal interests, friends, and photos, or it may contain sensitive details such as birth dates, social security numbers, and passwords that could be exploited for malicious purposes. In either case, the information was intended to remain private or to be shared only with chosen individuals, and was not intended or expected to be accessible to the general public.

Geopolitical

Social Networking Offers Risk and Opportunity for Institutions

After only two days and after garnering some 2,000 followers, a Facebook page launched by Poland's Auschwitz-Birkenau Museum was abruptly taken down last week. The museum has long maintained a web presence with detailed information about the notorious World War II prison camps in which more than a million men, women and children lost their lives, but the Facebook page was seen as a more interactive way to educate a new generation, according to a museum representative. The museum provided no explanation for its abrupt retreat from Facebook.

IntelliShield Analysis: Social networking media such as Facebook and Twitter are fast becoming global communications platforms and, in some cases, the new battlegrounds for an array of social and political issues. Experience has shown that these media are vulnerable to attack, and the informal, visceral nature of the medium encourages emotional outbursts. Although it is pointless to speculate about the museum's reason for stepping back from Facebook, the case illustrates the pressure that schools, businesses, and social organizations are under to establish a presence on social networking sites. Walking away from social networking may not be an option, so constant monitoring and an excess of caution may be the best choice while these sites work to address vulnerabilities. In the case of Facebook, use of third-party applications should be minimized; there are also tools that allow comments to be moderated. Particularly in the case of Twitter, URL shortening tools should be used cautiously, because they can redirect the user to inappropriate sites.

Upcoming Security Activity

United States (U.S.) National Cyber Security Awareness Month: October 2009
Cisco SecCon 2009: October 21–23, 2009
Oracle Critical Patch Update: October 20, 2009
CSI2009 Annual Conference, Washington, D.C.: October 24–30, 2009
Interop New York: November 16–20, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Daylight Saving Time Ends (European Union and Russia): October 25, 2009
Daylight Saving Time Ends (U.S.): November 1, 2009
Election Day (U.S.): November 3, 2009
The Hajj: November 25–30, 2009
Copenhagen Climate Change Summit: December 7–18, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit Cisco Security IntelliShield Alert Manager Service.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit Trial Registration.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.