Cyber Risk Report

May 30–June 5, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability activity for the period was slightly increased, impacted somewhat by the U.S. holiday on Monday, May 30, 2011. Highlights for the period include security updates from Cisco for multiple vulnerabilities; HP for Java; Apple for MacDefender; VMware for multiple vulnerabilities; Red Hat for multiple vulnerabilities; Symantec for vulnerabilities in Backup Exec and PRZ file processing in multiple products; IBM, Tivoli, and Wireshark for multiple vulnerabilities; and Adobe for Flash Player.

Vulnerability metrics for May and 2011 have surpassed those of 2010. The increase trend for the first 5 months of 2011 has now reached 2,183 alerts, compared to 2,062 alerts at this time in 2010. This is a significant increase for a 5-month period, and shows a substantial increase in vulnerability activity for 2011 following the declining trend through 2009 and 2010.

Cisco released four security advisories for multiple vulnerabilities in Cisco Unified IP Phones and Cisco AnyConnect Secure Mobility Client, a default credentials vulnerability in Cisco Network Registrar, and a default credentials vulnerability for the Cisco Media Experience Engine. These security advisories, IntelliShield alerts, IPS signatures, and Applied Mitigation Bulletin are available at the Cisco Security Intelligence Operations website.

Wireshark released version 1.4.7 to correct multiple vulnerabilities in prior versions. Due to Wireshark's wide use by network administrators, these vulnerabilities impact systems with elevated privileges.

HP released multiple advisories, including Java updates reported in the April Oracle Critical Patch Update. Java vulnerabilities continue to be highly targeted in exploits and attacks, making these updates a priority for HP systems.

Apple released a security advisory and updates for the MacDefender malware currently targeting Apple Mac OS X systems. The update is in addition to the previously released advisory with recommendations.

Multiple antivirus sources reported activity of the Droid Dream Light malware that targets Android operating system smart phones. The malware was identified in multiple applications for the Google Android Market, which have now been removed from the market. However, thousands of Android users have reported being impacted by the malware. Additional detail on this malware is available in IntelliShield Alert 23296.

In upcoming activity, World IPv6 Day is scheduled for June 8, 2011. On this date, several major Internet companies will offer IPv6 services for organizations and individuals to test their systems for IPv6 functionality. Additional information about the event is available at the Internet Society website, Cisco's World IPv6 Day website, and multiple vendor websites.

IntelliShield published 91 events last week: 42 new events and 49 updated events. Of the 91 events, 63 were Vulnerability Alerts, five were Security Activity Bulletins, four were Security Issue Alerts, 17 were Threat Outbreak Alerts, one was a Malicious Code Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 06/03/2011 13 18 31
Thursday 06/02/2011 9 8 17
Wednesday 06/01/2011 12 15 27
Tuesday 05/31/2011 12 15 27
Monday 05/30/2011 8 8 16
Weekly Total       — 42 49 91


2011 Monthly Alert Totals

Month New Updated Monthly Total
January 166 237 403
February 224 176 400
March 225 276 501
April 246 229 475
May 219 185 404
Annual Total 1,080 1,103 2,183


Significant Alerts for the Time Period

Apple Mac OS X MacDefender Fake Antivirus Malicious Software
IntelliShield Vulnerability Alert 23239, Version 2, June 1, 2011
Urgency/Credibility/Severity Rating: 3/5/3
Apple has released a security advisory detailing ongoing phishing attacks that target multiple Apple Mac OS X operating systems. Apple has released security updates and updated software.

Previous Alerts That Still Represent Significant Risk

Microsoft Office Excel Array Indexing Vulnerability
IntelliShield Vulnerability Alert 22797, Version 2, May 2, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Microsoft Office Excel contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

HP, IBM, and Oracle Multiple Java Products Security Update
IntelliShield Vulnerability Alert 22466, Version 8, June 3, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle has released the April 2011 Critical Patch Update to address 73 new vulnerabilities in multiple products. Multiple vendors have released security bulletins and updated software to address multiple vulnerabilities in Java products.

Multiple Vendor Issue Revocation for Fraudulent SSL Certificates
IntelliShield Vulnerability Alert 22740, Version 6, May 2, 2011
Urgency/Credibility/Severity Rating: 2/5/3
Multiple vendors have revoked several fraudulent SSL certificates to protect users from spoofing attacks. Microsoft has re-released a security advisory to address the multiple vendor SSL certificate revocation issue.

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 7, April 28, 2011
Urgency/Credibility/Severity Rating: 2/5/3
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available. IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft Windows MHTML protocol handler script execution vulnerability.

Multiple Adobe Products SWF File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22909, Version 6, April 29, 2011
Urgency/Credibility/Severity Rating: 3/5/4
Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Adobe has released additional security bulletins and updated software to address the SWF file processing arbitrary code execution vulnerability.

LizaMoon SQL Script Injection Attacks
IntelliShield Vulnerability Alert 22869, Version 2, April 8, 2011
Urgency/Credibility/Severity Rating: 3/4/3
Multiple SQL script injection attacks have been detected. These attacks are designed to modify targeted sites and redirect users to malware distribution sites. A Cisco IPS signature that detects SQL script injection attacks is available.

RSA Breach Exposes SecurID Information
IntelliShield Vulnerability Alert 22689, Version 1, March 18, 2011
Urgency/Credibility/Severity Rating: 1/5/3
RSA has issued a security announcement about data compromises related to SecurID two-factor authentication products.

Multiple Apple Products Security Update on March 2, 2011
IntelliShield Vulnerability Alert 22583, Version 2, March 10, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Apple has released security notifications and updated software to address multiple Apple product vulnerabilities.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 13, March 9, 2011
Urgency/Credibility/Severity Rating: 3/5/4
VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability. has released a changelog and updated software.

EXIM Mail Transfer Agent Arbitrary Configuration Loading root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 5, April 15, 2011
Urgency/Credibility/Severity Rating: 3/5/4
EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed in conjunction with exploits for a vulnerability detailed in IntelliShield Alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.


There was no significant activity in this category during the time period.


Electronic Frontier Foundation Tor Challenge

The Electronic Frontier Foundation (EFF) has created a program to establish more anonymous relays for the Tor network, which provides anonymous network access for activists to protect their identity and bypass internet filtering and controls in their host countries. The EFF is attempting to recruit individuals to sign up for the challenge, providing instructions on creating different types of relays and how to register the relay for use.
Read More

IntelliShield Analysis: Many enterprises and organizations may already block access to the Tor network due to legal issues of intellectual property and copyright infringement, but the EFF Tor Challenge opens another consideration in the use of this network. While this may be a compelling cause for individuals, the use of business systems to support the EFF efforts could have legal repercussions to the business or organization as the owners of those systems. Malicious or attack activity could also be attracted to the relay systems. The relays could consume large amounts of bandwidth if they become actively used, which could also impact individual users who may have bandwidth limits on their service provider accounts.


There was no significant activity in this category during the time period.


There was no significant activity in this category during the time period.


Google Reports Account Phishing Campaign

Google reported that it identified and disrupted a malicious phishing campaign targeting Google Gmail accounts and attempting to monitor e-mail from those accounts. Google reported that their systems had not been compromised, but the phishing campaign was targeted at individual Gmail users. Google reported notifying the impacted account owners. Google also notified government officials because some of the identified accounts belonged to government officials in the U.S. and Asian governments as well as to activists and journalists.
Read More

IntelliShield Analysis: Credit Google for identifying and disrupting this phishing attack and quickly notifying users and government officials. While the phishing campaign was traceable to a city in China, that in itself does not attribute the attack to China or even a Chinese attacker. It does demonstrate the risks associated with individuals who use web-based mail accounts, particularly those who hold sensitive positions in business, politics, or the military. The attackers apparently thought they would be able to monitor sensitive information from these accounts, and they were likely correct. While many users maintain personal e-mail accounts outside their official or business accounts, the risk of information leaking in to those messages and the inadvertent disclosure of sensitive information is high. Individuals should be regularly reminded and aware of the risks of letting information slip between their official and personal accounts and constantly on guard to prevent that leakage.


Saudi Arabia and the Arab Spring

Yemeni President Ali Abdullah Saleh, injured in a rocket attack against his palace last week, was flown to Saudi Arabia for treatment. Press reports speculated that he might not return to Yemen, following weeks of increasingly violent protests against his continued presidency and failed negotiations on his peaceful departure. Saudi Arabia's offer of medical treatment and refuge for the widely reviled Saleh draws attention to Saudi Arabia's role in the Arab Spring. With the notable exception of demonstrations in Shia-dominated eastern Saudi Arabia near the border with Bahrain, protests in the kingdom this spring have been muted. Most citizens appear to favor gradual reform while maintaining the existing monarchy. The kingdom is not immune from regional winds of change, however, and social media plays a familiar role. A Twitter campaign is calling for women to drive cars in public on June 17 in defiance of the standing prohibition. Women also launched a Facebook page protesting exclusion from voting in long-delayed municipal elections this fall.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Regional unrest has added urgency to the Saudi Royal Family's ongoing efforts to invest oil wealth wisely to create a sustainable, knowledge-based economy. The 87-year-old King Abdullah has announced more than $100 billion in new public spending projects in the past few months, while some fear that the political upheaval in neighboring countries may have slowed the pace of social reforms. Efforts to attract foreign academics and technology innovators through mega-projects such as the King Abdullah University for Science and Technology and the King Abdullah Economic City have enjoyed some success, particularly in netting participants from emerging markets. However, technology multinationals may be able to support Saudi education officials in promoting the kingdom's resources as a virtual innovation hub, allowing people to participate without relocating physically to the kingdom. Saudi Arabia's conservative social policies and active monitoring of data networks, meanwhile, may mean that foreign companies will want to concentrate business focus on supporting the kingdom's stated public spending priorities, which include education, health care, maximizing scarce natural resources, and building infrastructure.

Upcoming Security Activity

CiscoLive Bahrain: Postponed
World IPv6 Day: June 8, 2011
23rd Annual FIRST Conference: June 12–17, 2011
CiscoLive 2011: July 10–14, 2011
Black Hat USA 2011: July 30–August 2, 2011
DEFCON 19: August 4–7, 2011
GFIRST National Conference: August 7–12, 2011
20th USENIX Security Symposium: August 8–12, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

National elections in Thailand and Mexico: July 3, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top