Cyber Risk Report

September 13–19, 2010

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity increased during the period, primarily because of the release of the Microsoft September Security Bulletins. In addition to the Microsoft vulnerabilities, security updates were released by IBM (addressing multiple vulnerabilities), by HP, and by ISC for a BIND denial of service vulnerability. A new vulnerability was identified in Adobe Reader, Acrobat, and Flash Player. Spam activity was also elevated for the period, with IntelliShield releasing 17 Threat Outbreak Alerts in coordination with the Cisco IronPort Threat Operations Center.

Microsoft released 9 security bulletins, addressing 11 vulnerabilities. The most significant of the alerts for end user systems are likely the Microsoft Windows Print Spooler Service Privilege Escalation Vulnerability (MS10-061), reported in IntelliShield alert 21318, and the Microsoft Windows MPEG-4 Codec Arbitrary Code Execution Vulnerability (MS10-063), reported in IntelliShield alert 21308. For server systems, the most significant alerts are likely the multiple vulnerabilities in Microsoft Internet Information Services (MS10-065), reported in IntelliShield alerts 20826, 21313, and 21314. The Microsoft September Security Bulletins included updates for two vulnerabilities used by the Stuxnet malicious code that targeted control systems, but two other Stuxnet vulnerabilities remain uncorrected. All of the Microsoft IntelliShield alerts, the correlated Applied Mitigation Bulletin (which describes mitigations for the Microsoft vulnerabilities using existing Cisco products and IPS signatures), and the Cisco Event Response for the Microsoft September Bulletins are available on the Cisco Security Intelligence Operations portal.

A new vulnerability was reported in Microsoft ASP.NET systems that can be exploited using what is known as a "padding oracle" attack. Research suggests that many ASP.NET applications may be vulnerable to this attack, which can expose sensitive, encrypted data. Microsoft reported that it is investigating the vulnerability, which is reported in IntelliShield alert 21398 and included below with the significant alerts for the week.
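The defect class behind a padding oracle is an application that decrypts a ciphertext first and only then checks its padding, so that a padding failure produces a response distinguishable from any other outcome. The following Python is an added illustration written for this report, not code from Cisco, Microsoft or the ASP.NET research; it puts that vulnerable decrypt-then-unpad pattern beside the encrypt-then-MAC pattern that closes the oracle. Because the standard library has no AES, a toy four-round Feistel cipher built from HMAC-SHA256 stands in for the block cipher (it is not a real cipher); all keys, the IV, the message and every function name are constructed for the example. The demo flips one ciphertext byte two ways and shows that the vulnerable path answers differently for the two, while the authenticated path rejects both identically before any padding is examined.

```python
import hashlib
import hmac

BLOCK = 16


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function for the toy Feistel cipher: HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher on 16-byte blocks, a stand-in for AES so the example
    # runs on the standard library alone. It is NOT a real cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def _block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


class PaddingError(ValueError):
    """Malformed PKCS#7 padding. Letting this be distinguishable is the leak."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(_block_decrypt(key, blk), prev)
        prev = blk
    return out


def vulnerable_response(key: bytes, iv: bytes, ct: bytes) -> str:
    # Vulnerable pattern: decrypt, then unpad, and let a padding failure surface as its
    # own distinct response. Each submitted ciphertext then leaks one bit about the plaintext.
    try:
        pkcs7_unpad(cbc_decrypt(key, iv, ct))
        return "ok"
    except PaddingError:
        return "padding error"


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, msg: bytes) -> bytes:
    # Hardened pattern (encrypt-then-MAC): the tag covers IV and ciphertext.
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None  # tampered input is rejected before the padding is ever examined
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except PaddingError:
        return None  # same outward result as a MAC failure


def hardened_response(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    return "ok" if open_sealed(enc_key, mac_key, blob) is not None else "invalid"


def demo() -> dict:
    # Constructed keys, IV and message; 22 bytes pad to two blocks with ten 0x0a bytes.
    enc_key, mac_key, iv = b"enc-key-" * 4, b"mac-key-" * 4, bytes(range(BLOCK))
    msg = b"account=1234;role=user"
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    blob = seal(enc_key, mac_key, iv, msg)

    def flip(data: bytes, pos: int, mask: int) -> bytes:
        # In CBC, XORing byte `pos` of block N flips the same byte of plaintext block N+1.
        return data[:pos] + bytes([data[pos] ^ mask]) + data[pos + 1:]

    # Mask 0x0a ^ 0x01 turns the final pad byte into 0x01 (valid one-byte padding);
    # mask 0x01 turns it into 0x0b, which the preceding message bytes cannot satisfy.
    results = {}
    for name, mask in (("valid-looking", 0x0a ^ 0x01), ("invalid", 0x01)):
        results[name] = (vulnerable_response(enc_key, iv, flip(ct, 15, mask)),
                         hardened_response(enc_key, mac_key, flip(blob, BLOCK + 15, mask)))
    results["untouched"] = (vulnerable_response(enc_key, iv, ct),
                            hardened_response(enc_key, mac_key, blob))
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable path reports "ok" for the first tampered ciphertext and "padding error" for the second, which is exactly the signal a padding oracle attack consumes; the authenticated path reports "invalid" for both, and only the untouched blob opens. The same principle applies to timing and to error pages: verify integrity first and make every rejection look the same.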

SAP announced that it will join other vendors in providing scheduled security updates on the second Tuesday of the month. Oracle also releases on this date on a quarterly basis, and Adobe and Apple frequently release updates on this date. The scheduled security update practice has proven beneficial for users and IT organizations, allowing them to manage their system patching more efficiently and effectively.

Similarly, Cisco will release the scheduled IOS Security Bundle on September 22, 2010. Cisco releases IOS Security Bundles twice each year.

IntelliShield published 110 events last week: 60 new events and 50 updated events. Of the 110 events, 76 were Vulnerability Alerts, nine were Security Activity Bulletins, five were Security Issue Alerts, 17 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date         New   Updated   Total
Saturday       09/18/2010     1         0       1
Friday         09/17/2010    10         6      16
Thursday       09/16/2010    10        12      22
Wednesday      09/15/2010    10         3      13
Tuesday        09/14/2010    19         6      25
Monday         09/13/2010    10        23      33
Weekly Total                 60        50     110


Significant Alerts for September 13–19, 2010

Microsoft ASP.NET Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 21398, Version 1, September 18, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2010-3332

Microsoft ASP.NET may contain a vulnerability that could allow an unauthenticated, remote attacker to view encrypted data or read data on system files. Updates are not available.

Adobe Flash Player, Acrobat, and Reader Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21358, Version 1, September 14, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2884

Adobe Flash Player, Acrobat, and Reader contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system. Updates are not available.

W32/VBMania@MM Mass-Mailing Worm Spikes Spam Traffic
IntelliShield Vulnerability Alert 21354, Version 1, September 13, 2010
Urgency/Credibility/Severity Rating: 3/5/4

A new worm began self-propagating using large numbers of e-mail messages. Labeled W32/VBMania@MM, also known as the "Here You Have" worm, the short-lived worm advertised a PDF or media file.

Adobe Reader and Acrobat Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 21341, Version 2, September 13, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2883

Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Adobe has acknowledged that exploits for this vulnerability are occurring in the wild. Updates are not available. Additional technical information that describes the Adobe Reader and Acrobat CoolType.dll remote buffer overflow vulnerability is available.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows Applications Insecure Library Loading Behavior
IntelliShield Vulnerability Alert 21215, Version 3, August 30, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory that details an application behavior that could affect a large number of Windows-based applications. An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with the privileges of a user.

Adobe Acrobat and Reader cooltype.dll Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21093, Version 4, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2862

Adobe Acrobat and Reader contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Adobe has confirmed this vulnerability and software updates are available.

Multiple Vendor PDF Viewer /launch Program Execution Attack
IntelliShield Vulnerability Alert 20294, Version 3, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1240

Adobe has released a security bulletin and updated software to address the multiple vendor PDF viewer /launch program execution attack.

Microsoft Windows Win32k Kernel Driver Window Creation Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21027, Version 3, August 12, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1897

Exploits of the Microsoft Windows Win32k kernel driver window creation privilege escalation vulnerability are currently being observed in the wild.

Microsoft Windows XML Core Services Response Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21021, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2561

Proof-of-concept code that exploits the Microsoft Windows XML core services response handling arbitrary code execution vulnerability is publicly available. The alert update also indicates an increase in the urgency.

Microsoft Windows Tracing Feature for Services Registry Key Access Control Lists Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21018, Version 3, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2554

Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that use the readily available exploit code.

Microsoft Windows Server Message Block Packet Processing Pool Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 21014, Version 4, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2550

Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that leverage the readily available exploit code.

Microsoft Windows Kernel Win32k Driver Exception Handling Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21024, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1894

Proof-of-concept code that demonstrates an exploit of the Microsoft Windows Kernel Win32k driver exception handling privilege escalation vulnerability is publicly available. This updated alert indicates an increase in the urgency.

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20918, Version 5, September 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability. A functional exploit that is part of the Metasploit Framework is publicly available.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
IntelliShield Vulnerability Alert 20915, Version 6, August 27, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin along with software updates to address the vulnerability exploited by malicious software.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 62, September 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

Anti-censorship Software "Haystack" Comes Under Criticism

Following last summer's Iranian presidential election, protests disputing the fairness of the results erupted in the streets, garnering worldwide attention. Particularly noticeable was the protesters' use of Twitter, cell phone video, and Internet self-publishing to spread eyewitness accounts and testimony. Censorship sprang up quickly, and in the wake of this event the anti-censorship software Haystack was released by programmer Austin Heap and his Censorship Research Center. The software was granted an export license to Iran by the US State Department, which strictly controls software exports to the country, particularly if they include encryption. Questions about the software and how it functioned led the Censorship Research Center and the Electronic Frontier Foundation to recommend that users stop using the software until a security review could be completed.

IntelliShield Analysis: Haystack's name is derived from concealment, suggesting that unauthorized traffic could be hidden within normal, authorized traffic: the unauthorized traffic being the "needle" in the "haystack" of allowable content. Because of the emotional and sympathetic response to the events in Iran, Haystack featured prominently in the media and among interested technologists. But now that concerns have arisen, and some who have been allowed to review the software suggest that it is quite unsafe, many of its supporters have abandoned the project. Organizations should exercise caution when adopting technology that is designed for use in sensitive environments. If the technology is not freely available for review or the reputation of its authors is not firmly established, particularly thorough testing may be warranted before deployment.

Identity

Increasing Levels of Social Engineering Attacks Targeting the Financial Industry

Recently, the Federal Deposit Insurance Corporation (FDIC) released a statement on telephone-based social engineering attacks, also known as vishing attacks. In such attacks, the attacker typically claims to be from the FDIC calling in reference to a delinquent loan. The attacker then attempts to gain access to the victim's sensitive personal and financial data. These attacks are a part of a recent trend of vishing scams where attackers are posing as members of financial institutions.

IntelliShield Analysis: The trend of malicious information gathering through methods other than e-mail continues to rise. People send and receive phone calls every day, often without the scrutiny they give to e-mail communication, and may be apt to provide more information over the phone. These types of attacks are expected to continue to increase, and they highlight a trend that we have been tracking. While significant media attention was given to the DEFCON social engineering contest, users and organizations remain vulnerable to these kinds of attacks, indicating the need for specific guidance and user awareness training.

Human

Inherent Risks of Social Media on Corporate Networks

A recent survey performed by Panda Security indicates that 33% of Small-to-Medium Businesses (SMBs) fell victim to network-based malware through social media channels. The survey also noted that roughly 78% of these organizations leverage social media networks in some fashion to drive their business model.

IntelliShield Analysis: It is very difficult to argue with many of the benefits provided by the numerous social media networks for both personal and business purposes. These networks (Facebook, Twitter, LinkedIn, and YouTube, to name some of the heavy hitters) enable millions of people to exchange up-to-the-minute information with each other across the globe. Companies are utilizing the pervasiveness of these social media networks to enhance, among other things, their marketing ideas, customer service offerings, and brand name. As with most new voice, video, and data applications that traverse the network, this pervasiveness brings with it additional security concerns. It becomes difficult and, in fact, almost contradictory for organizations to crack down on the use of social networks while they are simultaneously promoting the use of such networks to do business. This balancing act can be made a bit easier through the development and enforcement of corporate security policies, through ongoing education of employees in the proper use of social networks when corporate assets are involved, and through the identification and mitigation of related malware using network and host-based anomaly detection technologies.

Geopolitical

Russian Police Said to Use Microsoft Piracy Concerns to Suppress Dissent

According to press reporting, Russian law enforcement officials raided the offices of activist organization Baikal Environmental Wave early this year, confiscating computers ostensibly because they had pirated Microsoft software installed on them. The group had been protesting against Russian President Putin's decision to reopen a paper mill on the shores of Lake Baikal, which had been shuttered because of environmental concerns. A New York Times article argued that the Russian authorities were in effect using the anti-piracy enforcement raids as cover to suppress anti-government activism, and asserted that pro-government NGOs rarely if ever suffered from such actions.

IntelliShield Analysis: Microsoft is not alone among technology multi-nationals in being accused of complicity with government authorities to suppress dissent, nor is Russia the only country where such charges have emerged. In this case, Microsoft acted quickly to accept some blame for the situation and to spell out get-well measures, including allowing special use licenses for NGOs, but not before several negative news cycles had made their impact. Anti-piracy enforcement itself, without the added complication of political activism issues, can be tricky if bad public reception outweighs the benefits of encouraging proper use. In 2008, Microsoft was forced to retract an anti-piracy program deployed in China that caused the screens of unlicensed Windows software users to go black every sixty minutes. ICT multi-nationals increasingly run the risk of being drawn into national debates over free speech and democracy, and misunderstandings in one market can impact brand image in other markets overnight. When rolling out anti-piracy and anti-counterfeiting campaigns in particular, enterprise decision makers may want to consider the possible unintended consequences of their actions, particularly in environments where cooperation with law enforcement officials may pull them into public crossfire.

Upcoming Security Activity

Security Content Automation Protocol (SCAP): September 27–29, 2010
Cyber Security Awareness Month: October 2010
HackInTheBox Malaysia: October 11–14, 2010
RSA Europe: October 12–14, 2010
Microsoft Blue Hat v10: October 14–15, 2010
InterOp NY: October 18–22, 2010
Toorcon San Diego: October 22–24, 2010
CSI 2010: October 26–29, 2010
USENIX LISA: November 7–12, 2010
Black Hat Abu Dhabi: November 8–11, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
Reunification of Germany Anniversary: October 3, 2010
General Elections (Brazil, Bosnia-Hercegovina): October 3, 2010
XIX Commonwealth Games (Delhi, India): October 3–14, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
