Cyber Risk Report

September 7–13, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

This week, vulnerability and threat activity remained at levels that were consistent with previous periods. Activity was highlighted by the release of the scheduled Microsoft Security Update for September, which included five security bulletins that addressed eight individual vulnerabilities. Microsoft also released a security advisory that indicated the vendor was investigating the Server Message Block version 2 (SMB2) vulnerability in Microsoft Windows Vista and Microsoft Server, but updates are not available. Additional information on the September Microsoft Bulletins is available in the Cisco Event Response on the Cisco Security Intelligence Operations portal.

During the time period, both Microsoft and Cisco responded to TCP vulnerabilities that were first reported in October 2008 by Outpost24 with the announcement of the sockstress tool. Microsoft Security Bulletin MS09-048 addressed three of these vulnerabilities that impact Windows operating systems, and the Cisco security advisory addressed these vulnerabilities in multiple Cisco products. The TCP vulnerability response has been coordinated through CERT-FI, and researchers have cooperated with vendors to correct the vulnerabilities without public disclosure of the technical details or the sockstress tool. Additional information on the vulnerabilities and multiple vendor responses are available in the CERT FI Advisory.

Later in the week, Mozilla released five security advisories and two updated versions to correct multiple vulnerabilities in the Firefox browser. Apple released multiple security advisories in response to the reported vulnerability in Adobe Flash player and various other components of the Mac OS X operating system. Mac OS X version 10.6.1 was also released to address these issues. Apple also released security updates for to correct multiple vulnerabilities in QuickTime and the iPhone. IntelliShield alerts that address these vulnerabilities are available on the Cisco Security Intelligence Operations portal.

In upcoming activity, Cisco is scheduled to release the Semiannual Cisco IOS Software Advisory Bundled Publication on September 23, 2009.

IntelliShield published 83 events last week: 42 new events and 41 updated events. Of the 83 events, 68 were Vulnerability Alerts, four were Security Activity Bulletins, two were Threat Outbreak Alerts, five were Security Issue Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 09/11/2009 12 22 34
Thursday 09/10/2009 5 4 9
Wednesday 09/09/2009 5 13 18
Tuesday 09/08/2009 20 2 22
Monday 09/07/2009 0 0 0
Weekly Total 42 41 83

 

Significant Alerts for September 7–13, 2009

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 2, September 9, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3103

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 4, September 4, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges. Microsoft confirmed this vulnerability; however, updated software is not currently available. Safeguards are available.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 5, September 1, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service condition. Proof-of-concept exploit code is publicly available. Red Hat has released updates to address this vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 9, August 27, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 9, August 25, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote denial of service vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

Google Digital Book Settlement Meets Resistance from Privacy Advocates and Authors

A United States judge is presiding over a settlement that could allow Google to digitize millions of publications for its Google book service. A number of privacy advocates and authors are protesting the settlement on the grounds that Google would have access to too much personal information about users and their reading interests, including how much time they spend on specific pages of any given book.
Read More
Additional Information

IntelliShield Analysis: Google claims that it will protect users' privacy, but groups like the Electronic Frontier Foundation and the American Civil Liberties Union are concerned about the potential for misuse without a law in place to govern the use of collected data. Many are also concerned about a portion of the settlement that could allow Google to remove books from an availability list, which many experts feel could amount to a sort of digital censorship. Amazon experienced similar protests when Kindle users saw the books 1984 and Animal Farm disappear from their libraries after purchase. Although the incident was related to copyright issues, it generated fears of censorship among users and the media.

Trust

DuPont Alleges Second Insider Breach In Two Years

The DuPont Corporation recently filed a lawsuit against a Chinese national employee who was about to return to China with a laptop that contained DuPont intellectual property. The alleged theft attempt was discovered when the employee's laptop was examined prior to his transfer. Another DuPont employee was sentenced to 18 months in prison for a similar attempt after leaving DuPont to begin work for a competitor.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Data Loss Prevention (DLP) is an important issue for enterprises. Due diligence during the departure of employees who had access to company intellectual property can sometimes prevent a susequent disclosure. Another method for preventing document misappropriation is the installation of access controls on document storage systems. Multiple effective technology solutions are available for detecting, controlling, and blocking access to sensitive documents. For companies with significant research and development budgets, the additional protection offered by these solutions often outweigh the cost of implementation.

Identity

Developments in De-anonymizing Data

In August 2009, an Associate Professor at the University of Colorado Law School in the United States published a paper about the failures of anonymization in protecting sensitive data. The paper shows surprising results from recent high-profile incidents where individuals were identified from anonymized datasets. To overcome anonymization efforts that are applied to the target datasets, researchers combined them with other incomplete datasets to identify individuals with startling accuracy. Read more

IntelliShield Analysis: Data anonymization procedures are fully trusted to protect individual identity. In fact, government privacy regulations, such as the European Data Privacy Directive, release organizations that engage in the practice from liability if individuals are identified from anonymized data. The published paper shows that even these organizations could place individuals at risk if such information is released. It also calls data classification into question, particularly data that is not normally considered personally identifying. Organizations are advised to monitor developments in the field of de-anonymization to better prepare for upcoming changes in privacy requirements, laws, and practices.

Human

United States National Football League Season Begins

The United States National Football League (NFL) began it's regular season on September 10, 2009. The season runs for 17 weeks and concludes on January 3, 2010. The regular season is followed by a series of playoff games that culminate in a final Super Bowl championship game on February 7, 2010. Simultaneously, fantasy football leagues that are sponsored by multiple legitimate websites have already begun and will run through the 17-week NFL regular season. In addition to lost productivity from late-night games and time spent "coaching" fantasy teams, the NFL season is infamous for its association with spam e-mail messages, malicious websites, compromised legitimate websites, and malware on social networking websites.
Read More
Additional Information

IntelliShield Analysis: The media often focuses on productivity during the NFL season but seldom recognizes the associated security risks. The NFL and fantasy football seasons are prime time for online criminals who exploit fans with spam messages in the form of news updates; fantasy football player selections; team, roster and injury changes; and video clips. Users are forced to discriminate between numerous legitimate websites and mailers that provide these services and those are mired in malicious and criminal activity. Following the current trends, users will likely receive e-mail messages that contain embedded links or shortened URLs that should not be trusted. Similarly, users can expect malicious e-mail messages with attached video or links to video clips. Compromised legitimate websites will often display pop-up windows that intstruct users to update certain programs; users are advised to be extremely wary of such messages and only update browsers and multimedia players via feature within those programs. American football fans should locate trusted websites, bookmark these pages, and use only the bookmarks to easily return to the trusted locations.

Geopolitical

Broadband Stimulus Plans Move Forward, Haltingly

As economies around the world begin to show signs of recovery, G20 finance ministers reassured nervous investors of their intent to move forward with earlier stimulus commitments. They described a coordinated, three-stage exit strategy for governments to phase out stimulus without stalling current growth on public funds. These stimulus commitments include the United States US$7.2 billion Broadband Stimulus Program, 5 billion for the European Unions Energy and Internet plan, and $225 million for Canada's Broadband Canada project, among others.
Read more
Additional Information
Additional Information

IntelliShield Analysis: As economies revive, it is not suprising that governments are signaling a stimulus reevaluation, given the historic amounts that were pledged during the early days of the financial crisis. One way that government stimulus funds for Information and Communications Technology (ICT) investment may be dual-purposed is toward green technology priorities, especially considering the pressure on G20 nations to show leadership at the major Copenhagen climate summit that is set for December 2009. As governments contemplate the limits of fiscal commitments and companies become financially more secure, service providers are beginning to influence the terms in which they would receive government funds, including net neutrality requirements in the United States. Information security professionals are advised to monitor the economic and political aspects of this debate, which will affect outcomes for ambitious broadband investment plans worldwide.

Upcoming Security Activity

ASIS International 55th Annual Seminar and Exhibits: September 21–24, 2009
Cisco IOS Software Security Advisory Bundled Publication: September 23, 2009
G20 Summit (Pittsburgh, Pennsylvania): September 24[–25, 2009
United States National Cyber Security Awareness Month: October, 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
Oracle Critical Patch Update: October 20, 2009
CSI2009 Annual Conference (Washington, D.C.): October 24-30, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: August 21–September 19, 2009
Rosh Hashanah: September 18, 2009
Yom Kippur: September 27, 2009
German Parliament elections: September 27, 2009
China National Day Holiday: October 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top