Cyber Risk Report

September 14–20, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

In vulnerability and threat activity this period, public proof-of-concept code and test tool exploits were released for the Microsoft SMB2 vulnerability, along with a combination exploit for Oracle Secure Backup vulnerabilities.  The Microsoft SMB2 exploit is reported to be effective in causing a DoS on Vista SP2 and Windows 2008 SP2, although additional researchers have reported that code execution is possible.  The Oracle exploit involves two vulnerabilities, reported in IntelliShield alerts 18874 and 18875, which allow a remote, unauthenticated attacker to first establish a session and then use the second vulnerability to execute arbitrary commands on the system with the privileges of the application.  This combination exploit has been publicly disclosed.  The Oracle Critical Patch Update for July 2009 lists and confirms CVE-2009-1977 as corrected, as reported in IntelliShield alert 18875, but no technical details were released.

Recent arrests and convictions have again drawn researchers to focus on the criminal economy, and particularly on the Zeus builder tool kit that continues to be used by criminals to create new trojans.  Cisco Security Intelligence Operations has identified 13 spam outbreaks that directed users to download versions of the Zeus trojan.  Recent research reported that the trojan and botnet continue to persist, evolve, and avoid antivirus detection.  Once a system is infected, the trojan can continue to download malicious code to the system and communicate with the botnet for instructions.  In addition to the Zeus botnet of infected systems, the Clampi botnet also shows signs of continued growth and evolution.  Both of these trojans and botnets are primarily designed as banking trojans, stealing login credentials for bank and financial institution accounts.  Recent reports by the US Federal Bureau of Investigation estimate the underground economy for identity and financial information in the low billions of US dollars.

In upcoming activity, Cisco is scheduled to release the Semiannual Cisco IOS Software Advisory Bundled Publication on September 23, 2009.

IntelliShield published 75 events last week: 46 new events and 29 updated events.  Of the 75 events, 59 were Vulnerability Alerts, five were Security Activity Bulletins, three were Threat Outbreak Alerts, six were Security Issue Alerts, one was an Applied Mitigation Bulletin and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day            Date          New   Updated   Total
Friday         09/18/2009      4         5       9
Thursday       09/17/2009      9         5      14
Wednesday      09/16/2009     14         7      21
Tuesday        09/15/2009      8         3      11
Monday         09/14/2009     11         9      20
Weekly Total                  46        29      75


Significant Alerts for the Time Period

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 4, September 21, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3103

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.  Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability.  Updates are not available, but Microsoft has released an official workaround.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 4, September 4, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges.  Microsoft has confirmed this vulnerability and updated software is available for some platforms.  Safeguards are available.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 7, September 21, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service (DoS) condition.  Proof-of-concept exploit code is publicly available.  Red Hat has released updates.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 9, August 27, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 9, August 25, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.  Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote DoS vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  This vulnerability is due to an unspecified error in the Office Web Components ActiveX control.  Reports indicate that exploits of this vulnerability are ongoing.  Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has indicated that limited, active attacks are occurring.  Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.  The vulnerability is due to improper processing of Unicode characters in HTTP requests.  An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available.  Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Physical

There was no significant activity in this category during the time period.

Legal

ISP to Appeal Shutdown of Pirate Bay Court Case

Black Internet, a Swedish Internet Service Provider, has announced that it will appeal the Stockholm district court's decision to force the ISP to cut off the Internet connection for Pirate Bay.  The ISP argues that the precedent of holding ISPs accountable for the actions of those who use their services is a step in the wrong direction and says it is ready to fight it.  In a similar development, France is close to passing what is known as the Three Strikes law, which would cut off Internet access to individuals who violate music and video copyrights through file sharing and downloading.  The French law could also hold owners of Wi-Fi networks used in the illegal downloads responsible for securing their networks.
IntelliShield Analysis:  If it is upheld, the Black Internet case could set a new precedent for how ISPs are treated.  The precedent has already been set for web hosting services, where the web host could be held accountable for the actions of those businesses and individuals who were using their web hosting services.  But the ISP itself is a step away from the web hosting service.  If ISPs will be held accountable for users' actions, will they be required to police individuals, or will they only need to respond to complaints by copyright holders?  And how will they know who actually owns copyrights when approached to take users' Internet connections offline?  This responsibility could be a big new burden on ISPs.  The case in France is more geared toward individuals who violate copyright laws by means of file sharing and downloading.  The law is meeting some resistance in France, but it has passed the lower house and is now at the upper house.  Under this law, ISPs will be required to take individuals off of the Internet, and potentially black list them for Internet access for up to a year.

Trust

Times Web Ads Show Security Breach

Originally claiming to be part of Vonage, and after placing what appeared to be legitimate Vonage ads, a group of scammers tricked the digital advertisement group of the NY Times website into showing an ad for fake antivirus software.  The scam worked because the ads were allowed to embed an iframe whose content was hosted outside the control of the NY Times.  Last weekend the JavaScript code in that iframe was switched, and the new code redirected users' browsers to pop-up ads for the fake software.

IntelliShield Analysis:  Chains of trust on the Internet can show up in unexpected places and can be difficult to trace when there are multiple parties or proxies involved.  Allowing advertisers to dynamically change displayed content can remove some overhead for the web master but does not remove responsibility for the content. When your reputation can be compromised by third-party content posted to your website, your reputation is in the hands of that third party. Although in this instance the scammers relied on an individual clicking through the ad and causing code to be downloaded, this same style of scam could make use of previously known or unknown browser bugs to dynamically display a page with embedded malicious code that could reach a new group of users.  Website owners may want to consider additional controls on site content, particularly with the current attack activity focused on exploiting trusted websites.
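One way a site owner could apply the "additional controls on site content" the analysis recommends, as an added example that is not from the report or from Cisco: a pre-publication audit of an ad slot's HTML that flags frames and scripts loaded from unvetted hosts, frames with no sandbox, and frames whose sandbox still lets the framed content navigate the visitor's page. The allowlisted hostname and the sample slots are constructed.

```python
"""Added example, not from the Cisco report: audit an ad slot's HTML for framed
third-party content that could redirect the visitor, as in the NY Times incident.
Assumptions (hypothetical): the publisher keeps an allowlist of vetted ad-server
hostnames and serves ad slots as HTML snippets that can be checked before publishing."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_AD_HOSTS = {"ads.example-publisher.test"}  # constructed allowlist

# A sandboxed iframe can still run script, but unless it is granted these tokens
# it cannot navigate the parent page or open pop-ups, which is what the swapped
# ad code did to visitors.
RISKY_SANDBOX_TOKENS = {"allow-top-navigation", "allow-popups"}

class AdSlotAuditor(HTMLParser):
    """Collect findings for every <iframe> and external <script> in a snippet."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases names; bare attributes map to None
        host = urlparse(attrs.get("src") or "").hostname or ""
        if tag == "script" and "src" in attrs and host not in ALLOWED_AD_HOSTS:
            self.findings.append(f"external script from unvetted host {host!r}")
        if tag != "iframe":
            return
        if host not in ALLOWED_AD_HOSTS:
            self.findings.append(f"iframe loads content from unvetted host {host!r}")
        if "sandbox" not in attrs:
            self.findings.append("iframe has no sandbox attribute")
        else:
            granted = RISKY_SANDBOX_TOKENS & set((attrs["sandbox"] or "").lower().split())
            if granted:
                self.findings.append(f"iframe sandbox grants {sorted(granted)}")

def audit_ad_snippet(html: str) -> list:
    """Return human-readable findings; an empty list means the slot passes."""
    auditor = AdSlotAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample slots: the first mirrors the pattern in the report, the
# second frames only a vetted host and withholds top-navigation from the frame.
UNSAFE_SLOT = '<div class="ad"><iframe src="http://ad-network.test/creative.html" width="300" height="250"></iframe></div>'
SAFE_SLOT = ('<div class="ad"><iframe src="https://ads.example-publisher.test/creative.html" '
             'sandbox="allow-scripts" width="300" height="250"></iframe></div>')

if __name__ == "__main__":
    for name, slot in (("unsafe", UNSAFE_SLOT), ("safe", SAFE_SLOT)):
        print(name, audit_ad_snippet(slot) or "OK")
```

The audit only catches what is declared in the slot markup; content the framed host changes later, as happened here, still needs the sandbox restriction to be in place when the page is served.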

Identity

There was no significant activity in this category during the time period.

Human

US Retailer Fined by FTC for Tracking Program

A US retailer has settled a suit from the Federal Trade Commission (FTC) regarding a tracking program that the FTC says overstepped legal bounds.  The retailer offered customers $10 to download and install software on their computers that was described as "research" into online browsing habits, if the customer agreed to "participate in exciting, engaging, and on-going interactions, always on your terms and always by your choice."  After complaints, the FTC found that the software was not limited to tracking interactions with the retailer's site, but also collected unencrypted transaction information destined for other sites, including banking and shopping sites.  The FTC has ordered that any data collected by this software be destroyed and that the scope of similar efforts in the future be more clearly disclosed.

IntelliShield Analysis:  The retailer took efforts to be pro-consumer, not only by making the advertising effort opt-in but also by compensating users for their participation.  However, the FTC found that the retailer did not fully disclose the details of the program, which the FTC argued was not in the consumer's best interest.  The FTC's complaint asserted that the retailer did not share sufficient information with consumers regarding the extent of monitoring performed by the installed software.  As a result, the actions were considered a deceptive trade practice, in violation of Section 5(a) of the Federal Trade Commission Act.  Organizations that undertake similar advertising endeavors must ensure that they fully understand what the law requires them to disclose, and that once they make a disclosure they will be held to a reasonable reading of it.  Additionally, users participating in such programs should carefully review the information before enrolling.

Geopolitical

Implications of Japan's Political Reset

After 55 years of almost uninterrupted rule by a single party, Japan's voters have handed the ruling Liberal Democratic Party a major defeat, passing the reins of government to the opposition Democratic Party of Japan (DPJ) and new Prime Minister Yukio Hatoyama.  The DPJ's aims include reinvigorating the suffering economy by emphasizing domestic consumption, rolling back the previous government's stimulus policies, and reforming the entrenched bureaucracy.  On technology, Hatoyama's government has been fairly quiet, beyond general promises to encourage growth of the high tech sector, particularly green and nano-technologies.

IntelliShield Analysis:  The gentlemanly new Prime Minister, a Stanford University graduate whose father was a minister before him, has been dismissed as weak and even famously nicknamed soft ice cream.   His party's agenda is ambitious, however, and from a technology perspective, the chief near-term impact may come from higher emissions standards and an emphasis on green technologies.  While his party acclimates and attempts to reform cozy political-business-bureaucratic relationships, progress may be slow-going.  The DPJ's call for a more independent defense policy may push Japan to spend more on space technology and defense, while its review of stimulus plans and increased protections for temporary workers may cause nervous Japanese businesses to postpone spending until the new government can prove itself.

Upcoming Security Activity

ASIS International 55th Annual Seminar and Exhibits: September 21–24, 2009
Cisco IOS Security Bundle Release: September 23, 2009
G20 Summit, Pittsburgh, Pennsylvania: September 24–25, 2009
U.S. National Cyber Security Awareness Month: October, 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
Oracle Critical Patch Update: October 20, 2009
CSI2009 Annual Conference, Washington, D.C.: October 24–30, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

UN General Assembly 64th session: September 15, 2009
Ramadan: August 21–September 19, 2009
Rosh Hashanah: September 18, 2009
Yom Kippur: September 27, 2009
German Parliament Elections: September 27, 2009
China National Day Holiday: October 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.