Cyber Risk Report

February 12–18, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity increased significantly over the previous time period. Microsoft released security bulletins and patches to address multiple vulnerabilities in Microsoft Office applications that attackers were using to conduct targeted attacks. Microsoft also released security bulletins and patches to address vulnerabilities in Microsoft Windows, Microsoft Visual Studio, Step-by-Step Interactive Training, Microsoft Data Access Components, and Microsoft security applications. During the time period, Cisco also released security advisories to address vulnerabilities in Cisco Firewall Services Module, Cisco PIX and ASA, and Cisco IOS products.

Sun released a security advisory and patches to address the Sun Solaris Telnet and Login Combination Unauthorized Access Vulnerability, detailed in IntelliShield alert 12641. An unauthenticated, remote attacker could exploit this vulnerability to gain unauthorized access to a Solaris system running telnet. This vulnerability has received significant media attention, and exploit code is publicly available.

Trojan.PPDropper.G, reported in IntelliShield Daily Virus Report 12668, is currently circulating in the wild. This trojan exploits the Microsoft PowerPoint Unspecified Code Execution Issue reported in IntelliShield alert 12670. Attackers continued to take advantage of the Valentine's Day holiday by seeding Nuwar variants throughout the month. The latest seeding, WORM_NUWAR.AAI, propagated by sending enticing, holiday-related messages via e-mail. The attachments appear as harmless greeting cards, but a copy of the worm is installed on the machine after execution. The worm uses an executable as the attachment; this filetype should be blocked at e-mail gateways to reduce the likelihood of infection.
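The gateway control recommended above, blocking executable attachments, is illustrated by the following added example; it is not code from the original report or from Cisco. It parses a message with Python's standard email library and flags an attachment when either its file name carries a blocked extension or its payload begins with the "MZ" signature of a Windows executable, so that an executable renamed to look like a greeting-card image is still caught. The sample message, the sender and recipient addresses, and the attachment names are constructed for the example.

```python
"""Flag executable e-mail attachments the way a gateway filter would (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions a gateway policy would typically block outright (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Every Windows PE executable starts with the DOS header signature "MZ".
PE_MAGIC = b"MZ"


def is_executable(filename, payload):
    """True if the name ends in a blocked extension or the bytes look like a PE file."""
    name = (filename or "").lower()
    # endswith() catches double extensions such as "card.jpg.exe" as well.
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return True
    # Content check: a renamed executable still carries the MZ signature.
    return payload[:2] == PE_MAGIC


def flagged_attachments(raw_message):
    """Parse a raw RFC 5322 message and return the names of attachments to block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if is_executable(filename, payload):
            flagged.append(filename)
    return flagged


def build_sample_message():
    """Constructed sample resembling the holiday lure described in the report."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"      # constructed address
    msg["To"] = "recipient@example.com"     # constructed address
    msg["Subject"] = "A Valentine's card for you"
    msg.set_content("Open the card to see your greeting!")
    # Benign text attachment: must not be flagged.
    msg.add_attachment(b"Happy Valentine's Day",
                       maintype="text", subtype="plain", filename="note.txt")
    # Executable flagged by its extension (payload is a constructed MZ stub).
    pe_stub = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream", filename="greeting_card.exe")
    # Executable disguised with an image name: flagged by the magic bytes only.
    msg.add_attachment(pe_stub, maintype="image", subtype="jpeg",
                       filename="card.jpg")
    return bytes(msg)


if __name__ == "__main__":
    print(flagged_attachments(build_sample_message()))
```

Checking the payload as well as the name matters because the declared file name and MIME type are entirely under the sender's control; only the content check survives a renamed attachment.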

IntelliShield published 134 events last week; 61 new events and 73 updated events. Of the 134 events, 88 were Vulnerability Alerts, 34 were Security Issue Reports, three were Malicious Code Alerts, five were Daily Virus Reports, and four were Security Activity Reports. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date         New   Updated   Total
Friday         02/16/2007     6        12      18
Thursday       02/15/2007     9        17      26
Wednesday      02/14/2007    22        20      42
Tuesday        02/13/2007    20        15      35
Monday         02/12/2007     4         9      13
Weekly Total                 61        73     134

Significant Alerts for February 12–18, 2007

Sun Solaris Telnet and Login Combination Unauthorized Access Vulnerability
IntelliShield Vulnerability Alert 12641 Version 3, February 14, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-0882

Sun Solaris contains a vulnerability that could allow an unauthenticated, remote attacker to access the system. Exploit code is publicly available. Sun confirmed this vulnerability in an alert notification and released patches.

Previous Alerts That Still Represent Significant Risk

Microsoft Word Arbitrary Code Execution Issue
IntelliShield Vulnerability Alert 12557 Version 5, February 13, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0515

Microsoft Word contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with privileges of the user. Malicious code exploiting this vulnerability is circulating, and a proof-of-concept document is publicly available. IntelliShield reported this malicious code as Trojan.Mdropper.X in alert 12579, the Daily Virus Report for January 31, 2007. Microsoft confirmed the vulnerability in a security bulletin and released updated software.

Microsoft Word Memory Corruption Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 12226, Version 2, February 13, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2006-5994

Microsoft Word contains a vulnerability that could allow a remote attacker to corrupt system memory and execute arbitrary code. Malicious code exploiting this vulnerability is publicly circulating. Microsoft confirmed this vulnerability in a security bulletin and released patches.

IntelliShield Activity Report: Super Bowl Website Compromise
IntelliShield Activity Report 12598 Version 2, February 5, 2007
Urgency/Credibility/Severity Rating: 3/5/3

A number of health care, government, and other websites have been found to contain links to malicious scripts similar to those found on the Dolphin Stadium website before Super Bowl Sunday. The attackers created a link to a malicious JavaScript file in the header of the main page of the affected site. The JavaScript file attempts to exploit the Microsoft Windows MDAC Remote Code Execution Vulnerability described in IntelliShield Vulnerability Alert 10698 and the Microsoft Windows VML Buffer Overflow Vulnerability described in IntelliShield Vulnerability Alert 12423 to download malicious files.
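The compromise described above was an injected reference to an externally hosted script in the page header. A defender can detect that class of change by comparing every script source on a page against the hosts the site is expected to load from. The following added example, which is not code from the original report or from Cisco, does that with Python's standard HTML parser, treating relative and protocol-relative URLs as same-origin and recording whether each reference sits in the head or the body. The sample page, the site host name and the "injected.example" host are constructed placeholders.

```python
"""Find <script src> references to hosts outside an allowlist (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSourceCollector(HTMLParser):
    """Collects every <script src=...> together with the section it appears in."""

    def __init__(self):
        super().__init__()
        self.section = "document"   # "head", "body" or "document" (outside both)
        self.sources = []           # list of (section, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):
            self.section = tag
        elif tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append((self.section, src))

    def handle_endtag(self, tag):
        if tag in ("head", "body"):
            self.section = "document"


def script_host(src, page_host):
    """Host a script is fetched from; URLs without a host are same-origin."""
    return (urlsplit(src).netloc or page_host).lower()


def unexpected_scripts(html, page_host, allowed_hosts=()):
    """Return (section, src) for each script loaded from a host not on the allowlist."""
    allowed = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = ScriptSourceCollector()
    collector.feed(html)
    return [(section, src) for section, src in collector.sources
            if script_host(src, page_host) not in allowed]


# Constructed sample page: one local script, one approved CDN script,
# and one reference to an unknown host placed in the header.
SAMPLE_PAGE = """<html>
<head>
<title>Stadium</title>
<script src="/js/site.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script src="http://injected.example/w.js"></script>
</head>
<body><p>Welcome</p></body>
</html>"""

PAGE_HOST = "www.example.com"          # constructed site host
APPROVED_HOSTS = ["cdn.example.org"]   # constructed allowlist


if __name__ == "__main__":
    for section, src in unexpected_scripts(SAMPLE_PAGE, PAGE_HOST, APPROVED_HOSTS):
        print(f"{section}: {src}")
```

Run against a saved copy of each public page on a schedule, a non-empty result is a strong indicator of the kind of header injection reported here; an allowlist of script hosts is also the information needed to write a Content-Security-Policy for the same site.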

IntelliShield Activity Report: Multiple Root Domain Name Server Denial of Service Attacks
IntelliShield Activity Report 12619 Version 1, February 7, 2007
Urgency/Credibility/Severity Rating: 1/5/3

News media sources are reporting that several root-level domain name servers were subject to denial of service attacks on February 6, 2007. Reports indicate that thirteen root DNS servers were under attacks that lasted for an estimated twelve hours.

Microsoft Office Malformed String Arbitrary Code Execution Issue
IntelliShield Vulnerability Alert 12599 Version 2, February 13, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-0671

Microsoft Office contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Attackers have used malicious code disguised as an Excel document to exploit this vulnerability in targeted attacks. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Word Arbitrary Code Execution Vulnerability
IntelliShield Activity Report 12247, Version 3, February 13, 2006
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Word contains a vulnerability that could allow a remote attacker to execute arbitrary code on affected systems. Attackers are using malicious code that exploits this vulnerability to conduct limited attacks. Microsoft confirmed this vulnerability in a security bulletin and released updated software.

Cisco IOS Voice Service Session Initiated Protocol Denial of Service Vulnerability
IntelliShield Vulnerability Alert 12580 Version 2, January 31, 2007
CVE-2007-0648

Cisco IOS contains a vulnerability within the processing of SIP packets that could allow an unauthenticated, remote attacker to cause a temporary denial of service condition. The vendor scored this vulnerability to indicate active exploitation and reports random exploits of the vulnerability in the wild; however, these attacks may be accidental or unintentional. Cisco confirmed this vulnerability in a security advisory and issued approved workarounds.

Microsoft Visual Studio .rc File Handling Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 12525 Version 1, January 23, 2007
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2007-0468

Microsoft Visual Studio contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Proof-of-concept code is available to demonstrate this vulnerability on Windows 2000 with SP4 installed. Microsoft has not confirmed this vulnerability, and updates are unavailable.

Adobe Reader Hosted PDF File Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 12376, Version 6, January 23, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0044, CVE-2007-0045, CVE-2007-0046, CVE-2007-0047, CVE-2007-0048

Adobe Reader contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary JavaScript code in the user's browser session. This vulnerability opens potential cross-site scripting vulnerabilities in any site that hosts one or more PDF files. Proof-of-concept URLs are publicly available. Adobe confirmed this vulnerability and released updated software.

Apple Mac OS X DiskManagement BOM File Handling Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 12390, Version 1, January 8, 2007
Urgency/Credibility/Severity Rating: 3/4/4
CVE-2007-0117

Apple Mac OS X and Mac OS X Server contain a vulnerability within the handling of BOM files in the DiskManagement framework that could allow a local attacker to gain elevated privileges. Proof-of-concept code is available. Reports indicate this vulnerability is being exploited in the wild. Apple has not acknowledged this vulnerability, and updated software is unavailable.

Computer Associates BrightStor ARCserve Backup Tape Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 12136, Version 2, January 8, 2007
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2006-6076

Computer Associates BrightStor ARCserve Backup contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to crash the affected application or execute arbitrary code. Exploit code is publicly available. US-CERT has released a vulnerability note. Computer Associates has not confirmed this vulnerability, and updated software is unavailable.

Microsoft Windows Workstation Service NetrWkstaUserEnum() Denial of Service Issue
IntelliShield Activity Report 12347, Version 1, December 25, 2006
Urgency/Credibility/Severity Rating: 2/4/3

Microsoft Windows 2000 and Windows XP contain an issue in the Workstation service that could allow an unauthenticated, remote attacker to cause a denial of service condition. Attacks via this exploit are likely to succeed against Windows 2000 and XP systems in their default configuration; however, a firewall blocking ports 445/tcp and 139/tcp will mitigate the attack. Exploit code is publicly available. Microsoft has not acknowledged this vulnerability, and software updates are not available.

Microsoft Windows Client Server Run-Time Subsystem Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 12340, Version 2, December 28, 2006
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2006-6696

Microsoft Windows contains a vulnerability within the Client Server Run-Time Subsystem that could allow a local attacker to cause a denial of service condition or execute arbitrary code with SYSTEM privileges. Proof-of-concept code is available to demonstrate the denial of service condition and information disclosure. The Microsoft Security Response Center confirmed this vulnerability, but updates are not available.

Microsoft Visual Studio WMI Object Broker ActiveX Control Arbitrary Code Execution Issue
IntelliShield Security Issue Report 12006, Version 3, December 12, 2006
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2006-4704

Microsoft Internet Explorer contains an issue in the WScript.Shell object that could allow an attacker to execute arbitrary code with privileges of the user. Exploit code is publicly available, and this issue is being actively exploited in the wild. Microsoft confirmed this vulnerability in security bulletin MS06-073 and released software updates.

Microsoft Windows Media Player ASX Playlist Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 12236, Version 3, December 14, 2006
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2006-6134

Microsoft Windows Media Player contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code. Proof-of-concept code is available. Microsoft confirmed this vulnerability with security bulletin MS06-078 and released updated software.

Apple Safari Password Manager Information Disclosure Issue
IntelliShield Security Issue Report 12199, Version 1, December 1, 2006
Urgency/Credibility/Severity Rating: 3/4/3
CVE-2006-6238

Apple Safari contains an issue that could allow an unauthenticated, remote attacker to obtain saved user credentials. Attackers are actively exploiting this issue in the wild. Apple has not confirmed this issue, and no software updates are available.

Physical

FBI Laptop Loss

A recent report by the United States Justice Department claims that three to four FBI laptops are lost each month. Although this statistic is a decrease from a previous study, the report is still troubling, because the FBI cannot always determine whether the missing laptops contained classified data.

IntelliShield Analysis: Laptop thefts continue to plague both businesses and federal agencies with little reduction in loss. The FBI appears to have decreased the average number of incidents per month, but the bureau is still struggling to identify whether sensitive information has been compromised. Businesses are advised to continue educating users in proper laptop security and also ensure that sensitive information stored on laptops is properly secured.

Telkom Social Engineering Heist

An organized team of criminals recently bluffed their way into a business in South Africa and left with the Managing Director's laptop and the contents of his desk. Disguised as employees of the South African phone company Telkom, the group entered the office and informed the receptionist that they needed to check the PBX. The receptionist remained skeptical and phoned a superior, but the criminals managed to complete the theft in less than six minutes and escape the premises.

IntelliShield Analysis: Most laptop thefts are considered "crimes of convenience," but this incident appears premeditated and organized. A physical presence and a uniform are often convincing enough to discourage receptionists or employees from requesting identification or other credentials from guests. Organizations are advised to require inspectors, work crews, and visitors to be escorted through the premises. Organizations are also advised to authenticate unannounced visitors before allowing access to facilities.

Legal

Sandia Labs Verdict Awards US$4.3 Million

A jury in New Mexico recently awarded an ex-network security analyst US$4.3 million in a wrongful termination lawsuit. Shawn Carpenter was terminated in January 2005 after launching an independent investigation to identify and track an espionage intrusion into his company, Sandia National Laboratories. Carpenter then shared his information with multiple government agencies. Carpenter was terminated after Sandia officials learned of his investigation and ordered him to stop, even though the FBI requested that he continue to share information.

IntelliShield Analysis: The jury awarded Carpenter an amount that doubled the original lawsuit's request. Most analysts claim the award could indicate that national security takes precedence over Sandia Labs' own interests. Information managers should take note of the judgment and remember to respond properly to information reported by employees regarding security incidents.

Trust

Mobile Malicious Code Rises

A recent Informa Telecom media study claimed that over 80 percent of mobile operator respondents suffered infections, and that the number of incidents in 2006 was over five times higher than in the previous year. The research indicates that mobile companies are most concerned with customer satisfaction, citing reductions in satisfaction related to reported infections.

IntelliShield Analysis: Mobile devices are becoming prevalent in the work force, and security policies should cover the technology. As devices become more advanced, users will become dependent on them in daily business activities. This factor could increase the amount of sensitive information that could be disclosed during a compromise. Users should be reminded to treat mobile devices as they would desktop or laptop computers, and information security departments are strongly advised to incorporate mobile device data protection strategies into user training.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Terrorist Attack on Indian Train

The recent bombing of an Indian train 80 kilometers north of Delhi is being attributed to terrorist attempts to disrupt peace talks between Pakistani and Indian leaders scheduled for the next day. As the train passed the city of Panipat, passengers reported hearing two explosions before a fire swept through several train cars. Indian Minister Khurshid Kasuri and Pakistani President Pervez Musharraf have both released statements condemning the attack. The two leaders also pledged to continue their commitment to the peace process.

IntelliShield Analysis: The Samjhauta Express, which links New Delhi and Lahore, is often referred to as the "peace train," because it resumed service during peace talks in 2004. The attacks appear to be aimed at increasing tension on both sides of the peace negotiations; however, the incident may actually serve to unify India and Pakistan as the countries pursue anti-terrorist countermeasures.

Upcoming Security Activity

February 17–20, 2007: Carnival
February 18, 2007: Chinese New Year
February 20, 2007: Mardi Gras
February 21, 2007: Ash Wednesday
February 26–March 1, 2007: Black Hat DC, Washington DC

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
