Cyber Risk Report

June 21–27, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity for this period was decreased from pervious periods. Significant activity for the period included security updates for Adobe, Apple, Cisco ASA, HP, Red Hat, Mozilla Firefox and SeaMonkey, Novell iManager, Trend Micro Interscan, and VMware ESX.

Mozilla released updated versions of the Firefox browser that corrected over 200 bugs and multiple critical vulnerabilities. The initial update included a correction that caused a conflict with some Facebook applications, and that was updated again on Friday to correct this conflict.

Apple released the new iPhone with iOS 4 correcting 65 vulnerabilities. An updated iOS is not yet available for the iPad, but the vulnerabilities do impact this product. Apple is expected to release an update for the iPad in coming weeks; until then users are cautioned to use extra vigilance because the vulnerabilities are public and updates for the iPad are not available.
Researchers reported a vulnerability in Cisco ASA and proof-of-concept exploit code. The vulnerability was reported in IntelliShield alert 20737 and was originally discovered and corrected in version 8.1(2) and reported in the release notes for this version.

VMware released a security advisory for ESX Third-party Console OS vulnerabilities. The update corrects 10 vulnerabilities, primarily in the Linux kernel that is included in the ESX Console. Notably, these vulnerabilities include vulnerabilities reported in 2009 and two from 2008.

Cisco released the results of the Bi-Annual Security Research highlighted in a Cisco Security Blog post by Christopher Burgess. The research is the result of an extensive survey of IT security professionals and highlights concern over social media and application security permeating the protected network.

Adobe released an advance notification that it will release security updates for Reader and Acrobat on July 29, 2010, to correct multiple critical vulnerabilities. The Adobe advance announcement also highlights that this release will be considered an early release of the scheduled July 13, 2010 quarterly security update. Accelerated and unscheduled security updates are one of the trends the Cisco Security Intelligence Operations have been tracking through the first six months of this year and will be further discussed in the Cisco Midyear Security Report to be released in July.

IntelliShield published 77 events last week: 34 new events and 43 updated events. Of the 77 events, 51 were Vulnerability Alerts, eight were Security Activity Bulletins, nine were Security Issue Alerts, seven were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 06/25/2010 6 18 24
Thursday 06/24/2010 3 13 16
Wednesday 06/23/2010 14 6 20
Tuesday 06/22/2010 5 1 6
Monday 06/21/2010 6 5 11
Weekly Total 34 43 77


Previous Alerts That Still Represent Significant Risk

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 4, June 16, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Microsoft has confirmed this vulnerability in a security advisory; however, updates are not available.

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5. Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Windows systems and execute arbitrary code with kernel privileges.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last (J-root) of the 13 root servers will begin serving the DURZ on May 5, 2010.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 58, June 14, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox WOFF Decoder Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has confirmed this vulnerability and has released updated software.


G20 Costs Spiral as Violence Escalates

Police fired tear gas and rubber bullets at agitators and activists and prepared to deploy sound cannons in Toronto as protests associated with the G20 Summit in Toronto escalated on the final day of the conference of world leaders. Police tweeted amongst themselves as did protestors. Despite cordoning off the city, bringing in 19,000 extra police, and having extensive security measures in place, at least four police cars were set on fire, windows of dozens of businesses, shops, and Toronto Police Headquarters were smashed, and multiple buildings and streetcars vandalized. Nearly 600 people were reported to have been arrested as the Summit wound down. Canada's security preparations for the G8 and G20 cost $1.2 billion and property damage could be in the millions.
Read More
Additional Information
Additional Information

IntelliShield Analysis: With banks, businesses, and means of transportation closed down on core streets in the security zone, the city was populated by protesters, onlookers, and police. Loss of revenue to businesses forced to close was no doubt exacerbated by the physical security measures, but the primary risk appears to have been to those who were inadvertently in the wrong place at the wrong time. One question rising from the cost and resulting damage to the city from the impact of the Summit is whether the expense was necessary. Technology has changed dramatically from the time of the infamous G20 Battle in Seattle in 1999. Particularly with social media and instant communications, flash mobs at major international political gatherings are on the rise. The new communication vehicles may require event planners to rethink the locations of their gatherings; possibly away from city centers where so much damage can be done and that are harder to defend, and, when possible, to take advantage of videoconferencing technologies. Virtual gatherings may be easier to defend and have less physical risk associated with them.


Payment Card Industry Council Announces Three-Year Development Cycle

The Payment Card Industry (PCI) Security Standards Council announced that upcoming development cycles will be increased to three years for the PCI Data Security Standard (DSS), PIN Transaction Security (PTS), and Payment Application Data Security Standard (PA-DSS) programs. The governing body increased the development cycle length to allow more time for feedback and adoption of upcoming measures in new standards, as well as to consider new additions to the standards based on technological and market innovation. The next upcoming standard to replace the PCI DSS version 1.2 is scheduled for release in October 2010, and will go into effect January 1, 2011. Read More

IntelliShield Analysis: With an increased development cycle, merchants and credit card processors have increased time to adopt and provide feedback to the PCI DSS. However, with the increased time to develop the standard, a greater lag exists between the time new innovations in attacks develop against security protections. While PCI DSS is a requirement for handling credit card information, additional protections are recommended beyond those spelled out in the standard. Protections for emerging technologies, such as cloud and mobile computing, and must be considered even if the PCI DSS requires no specific security measures.


ICANN's First DNSSEC Key Ceremony for the Root Zone

The deployment of Domain Name System Security Extensions (DNSSEC) reached an important milestone recently when the Internet Corporation For Assigned Names and Numbers (ICANN) hosted a DNSSEC key ceremony at which the first cryptographic digital key used to secure the Internet root zone was generated and stored in a highly secured data center. These key ceremonies are now scheduled to take place four times a year, occurring two times each at two separate secure facilities in the United States.
Read More
Additional Information

IntelliShield Analysis: Significant milestones related to DNSSEC are started to occur with increasing frequency as the implementation of DNSSEC is becoming closer to a reality. Last month (May 5, 2010) the last (J-root) of the 13 DNS root servers began serving the signed root in the form of the Deliberately Unvalidatable Root Zone (DURZ) which marked the most recent date that any potential effects of larger responses from the signed DURZ root would be encountered. This was reported in IntelliShield alert 20418. The creation of this digital private key is a key component of the DNSSEC framework as it provides the foundation for the mutual trust that needs to be established between the root servers and those DNS servers that query these root servers for DNS information.

Malware Exploiting Lax Procedures to Abuse Certificate Trust Models

Jarno Niemelä, of security firm F-Secure, recently gave a presentation on the topic of code signing and its extensive use by malware authors. Niemelä describes the various challenges presented by signed code, including the tendency for antivirus companies to skip over signed software during scans to reduce false alarms, or for AV analysts to mistake signed software as legitimate during in-depth analysis. Further, the presentation also explored the various methods used to obtain digital signatures for malware, and the challenges associated with a complicated public-key trust model with many available paths to assigning trust. Read More

IntelliShield Analysis: Malware authors are increasingly seeing signed code as a way to overcome some hurdles presented by preventive controls. They benefit if the operating system itself can be fooled into accepting the software as trustworthy automatically. Unfortunately, the web of trust relationships and lax procedures used by Certification Authorities (CAs) or signing services offered by binary redistributors have given attackers a variety of avenues to pursue bogus certificates. As Niemelä highlighted in his presentation, antivirus companies need to work together to identify bogus certificates, foster closer cooperation with CAs, and improve the effectiveness of certificate revocation.


There was no significant activity in this category during the time period.


There was no significant activity in this category during the time period.


Russia Returns to Tech

Russian President Dmitry Medvedev visited California's Silicon Valley last week, just one week after a group of high-tech executives met him in St. Petersburg to discuss Russia's new modernization push. During Medvedev's meetings in Silicon Valley, the President discussed plans to re-energize the Russian economy by diversifying it away from over-dependence on fossil fuels. The centerpiece of his effort is a planned technology innovation center to be built in Skolkovo, outside of Moscow. Medvedev announced in St Petersburg that he would personally head the new center's board of trustees, which also includes foreign investors.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Turning about the Russian economy will not be a quick or easy undertaking, and Medvedev has raised the political stakes by committing himself personally. The research and development focus makes sense in light of the former Soviet Union's earned reputation for leadership in science and technology, and the Russian Federation's ongoing wealth of scientists and engineers, 20 years after the end of the Cold War. For information security professionals, Russia's technology push may be a double-edged sword. The infusion of cash earmarked for technology startups and the influx of foreign companies into a region of the world not known for robust legal systems and infosec means that valuable intellectual property will be at risk. On the positive side, however, the modernization push may help to provide a new crop of legitimate jobs and opportunities to occupy young Russian technologists who may have otherwise been drawn to shadier pursuits. Moreover, Medvedev's efforts to attract outside talent have included promises to improve governance and intellectual property protection hard to deliver, but essential if his plan is to succeed.

Upcoming Security Activity

Cisco Live 2010 (Las Vegas): June 27–July 1, 2010
Black Hat USA (Las Vegas): July 24–29, 2010
DEFCON 18: July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
FIFA World Cup (South Africa): June 11–July 11, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top