Cyber Risk Report

July 5–11, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability

Vulnerability activity for the period decreased from previous periods. Vulnerability updates were released by Novell addressing multiple vulnerabilities in the Tomcat HTTP server impacting Novell Identity Manager and Novell eDirectory. Novell corrected vulnerabilities that dated back to 2005 and 2006. Cisco released a Security Advisory for the Cisco Industrial Ethernet 3000 Series Switches Default Simple Network Management Protocol Community Names, reported in IntelliShield alert 20809. Panda released updates for vulnerabilities impacting multiple Panda products. Google Chrome released an updated version correcting multiple vulnerabilities.

Microsoft released the July 2010 Advance Notification for the update to be publicly released on Tuesday, July 13, 2010. The advance announcement includes four security bulletins correcting five vulnerabilities, with three of the bulletins rated Critical and one rated Important. There are currently four publicly reported Microsoft vulnerabilities that have not been addressed with updates, including the Microsoft Help and Support Center vulnerability that is being actively exploited, a Microsoft Exchange Server Outlook Web Access vulnerability that has proof-of-concept exploit code publicly available, and vulnerabilities in Microsoft Internet Information Services (IIS) and Microsoft Windows UpdateFrame.

The July Microsoft monthly security update coincides with the Oracle Quarterly Critical Patch Update. Oracle posted a pre-release announcement for the quarterly update that includes a total of 58 vulnerabilities impacting the Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle Applications, and Oracle Solaris Products Suite.

IntelliShield published 53 events last week: 27 new events and 26 updated events. Of the 53 events, 30 were Vulnerability Alerts, eight were Security Activity Bulletins, three were Security Issue Alerts, ten were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date          New   Updated   Total
Friday         07/09/2010    3     7         10
Thursday       07/08/2010    8     4         12
Wednesday      07/07/2010    8     7         15
Tuesday        07/06/2010    8     8         16
Monday         07/05/2010    0     0         0
Weekly Total                 27    26        53


Significant Alerts for July 5-11, 2010

Microsoft Exchange Server Outlook Web Access Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 20854, Version 1, July 9, 2010
Urgency/Credibility/Severity Rating: 2/4/3

Microsoft Exchange Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks on an affected site. Proof-of-concept code that exploits this vulnerability is publicly available. Updates are not available.

Previous Alerts That Still Represent Significant Risk

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20625, Version 7, July 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 4, June 16, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Microsoft has confirmed this vulnerability in a security advisory; however, updates are not available.

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5. Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Microsoft Windows systems and execute arbitrary code with kernel privileges.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last (J-root) of the 13 root servers will begin serving the DURZ on May 5, 2010.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 58, June 14, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available. Microsoft confirmed this vulnerability in a security bulletin and released software updates.


Physical

There was no significant activity in this category during the time period.


Legal

Public Interest Group Asks for Ruling on Data Broker Practices

The Center for Democracy and Technology (CDT), a non-profit public interest group, has asked the United States (U.S.) Federal Trade Commission (FTC) for a ruling regarding Spokeo, a social information aggregator. The CDT has argued in an official complaint that because Spokeo is a paid service that offers an estimation of the fitness of a person's credit or reputation, it is covered under the Fair Credit Reporting Act (FCRA) of 1970 as a Credit Reporting Agency (CRA). If an organization is classified as a CRA, it must comply with the rules and regulations of the FCRA, including giving individuals an opportunity to dispute any information that is listed for their identity.

IntelliShield Analysis: The FTC has previously stated that even if the information offered is public record, companies that charge customers for ratings based upon that information can be classified as a CRA. If the FTC agrees with the CDT complaint, consumers could receive additional protection from unwarranted access to their personal information. However, if complying with these restrictions results in a net loss of access to consumers of consolidated personal information (because the data brokers cease operations instead of becoming legally compliant), then this ruling could hurt consumers more than help. Information that is public on the Internet can be difficult or impossible to change or remove, making awareness more valuable than the ability to take corrective action. Businesses that use these data broker services may be impacted by the ruling and handling of the personal data provided by the service.


Trust

There was no significant activity in this category during the time period.


Identity

Blizzard Entertainment Real ID Announced, then Cancelled

Blizzard Entertainment, the developer of the popular Warcraft, StarCraft, and World of Warcraft video game franchises, has abandoned a proposed plan for certain areas on their Battle.Net bulletin board forums in which all user posts would have been accompanied by the real name of the personal owner of the online profile. The proposal had been met with strong concerns from the gaming community. The plan would have been part of the newly available Real ID service offered by Blizzard, tying real names to online accounts. According to Blizzard, the reason behind the proposed change was to remove the veil of anonymity on the boards that allows some forum posters to hide their identity and post hateful, racist, or deliberately inflammatory comments.

IntelliShield Analysis: Anonymity is a protection from persecution and protection for persecutors. Blizzard may have been inviting fraud and harassment on its customers with a plan to make real people easier to track down by malicious forum users. Real names have real power online and in the real world, with the potential to expose users to fraud, bullying, threats, or stalking. Other online communities, video game or otherwise, should carefully consider their protections on personally identifiable information collected about their users. Blizzard and other social sites may consider allowing user ratings on board posts, allowing users to self-police community content. Additional moderation, perhaps engaging the community, could also cut down on hateful speech within the public boards system.


Human

Online Trust Experiment Reveals Human Frailty of Social Networking

Robin Sage, a fictional online persona experiment by Thomas Ryan, a security penetration tester, seems to have successfully deceived hundreds of security and military personnel, including members of the Joint Chiefs of Staff, into befriending her online through LinkedIn, Facebook, and Twitter. At least some sensitive military information was leaked through online friendships to reveal the location by coordinates of a U.S. Army soldier in Afghanistan. Ryan's conclusion: it's easy to exploit trust based on gender, occupation, education/credentials, and friends.

IntelliShield Analysis: While many who befriended Sage online quickly realized the hoax, enough did not that Ryan was able to assert that fake online personas can be propagated virally to gain sensitive information simply by relying on the propensity of humans to trust an online friend or connection with familiar connections or credentials, or simply by appearing as an attractive young woman. Ryan has said in interviews that he deliberately left clues that the online persona was false, including listing her personal address as the same as Blackwater, the headline-generating military contractor. Robin Sage is also the historic name of the last training exercise that Special Armed Forces members go through before becoming Green Berets and has been for decades. Robin Sage should have raised red flags, but Sage's credentials and personal appearance were able to override better judgment, resulting in the information leakage. As the rate of users of social networks rises, users will need to exercise increased caution when accepting friend or connection requests to avoid security disclosures or data leakage. Robin Sage was most successful in garnering quick clicks, job offers, and gifts when respondents accepted her credentials at pretty-face value.


Geopolitical

U.S. Geologist Sentenced under China State Secrets Law

A U.S. geologist has been sentenced to an 8-year prison term for violating China's State Secrets Law, according to press reports. U.S. citizen Xue Feng has been detained since 2007 on charges for purchasing a database of oil industry information in China, information that he ostensibly believed was commercially available at the time. He was sentenced last week, despite requests from the U.S. government that he be deported back to the U.S. This case follows on the heels of another high-profile case in which Australian national Stern Hu, who worked for multinational mining company Rio Tinto, was sentenced to 10 years on bribery and trade secrets charges.

IntelliShield Analysis: Foreign companies operating in strategic sectors in China—including critical infrastructure and telecommunications—may wish to be sensitive to the requirements of this law when dealing with information that could be perceived as critical to national security. Specific to the information technology industry, it may also be useful to note that China's State Secrets Law was amended earlier this year to obligate telecommunications providers to cooperate with officials in investigating possible leaks of information termed as state secrets, and to report any suspected leaks. When in doubt, it may be wise to obtain permission in writing ahead of time for any potentially sensitive information acquired during the course of business.

Upcoming Security Activity

Black Hat USA (Las Vegas): July 24–29, 2010
DEFCON 18: July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
