Cyber Risk Report

November 19–25, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity levels continued to rise during this time period. Multiple vendors released security advisories and updated software to address vulnerabilities in products such as Apache, Perl Compatible Regular Expressions, Samba, and VMware. Four vulnerabilities were publicly disclosed in the Ingate Firewall and SIParator; these vulnerabilities could allow an attacker to access information, cause a denial of service (DoS) condition, and execute arbitrary code.

A vulnerability was discovered in Apple Mail running on Mac OS X that could allow attackers to execute arbitrary commands on affected systems with the privileges of the user. IntelliShield reported this vulnerability in Alert 14608. The vulnerability was originally discovered in February 2006 and covered in Alert 10455; however, the vulnerability was reintroduced into the Mac OS X 10.5 train.

Citrix also reported a cross-site scripting vulnerability in Citrix NetScaler and a vulnerability in Citrix Presentation Server that could allow an attacker to execute arbitrary code.

IntelliShield published 157 events last week: 45 new events and 112 updated events. Of the 157 events, 136 were Vulnerability Alerts, three were Malicious Code Alerts, eleven were Security Issue Alerts, two were Daily Malicious Code Summaries, two were Security Activity Bulletins, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date          New   Updated   Total
Friday        11/23/2007      0        16      16
Thursday      11/22/2007      1        15      16
Wednesday     11/21/2007      7        24      31
Tuesday       11/20/2007     17        23      40
Monday        11/19/2007     20        34      54
Weekly Total                 45       112     157


Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Script Error Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 14243, Version 3, November 7, 2007
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute arbitrary code. Attackers cannot exploit this vulnerability directly and instead must convince a user to visit a malicious website. The Cisco Remote Operations Services organization has detected activity that indicates public attempts to exploit this vulnerability. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Microsoft Internet Explorer ShellExecute() URL Handling Vulnerability
IntelliShield Vulnerability Alert 13688, Version 17, November 19, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-3670, CVE-2007-3896, CVE-2007-3954

Microsoft Internet Explorer contains a vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the user. If the user possesses sufficient privileges, an exploit could allow the attacker to gain full control over the affected system. This vulnerability was originally disclosed in July 2007. Exploit code is now publicly available, and attackers are actively exploiting this vulnerability in the wild. Microsoft has confirmed this vulnerability in a security advisory, and third-party vendor updates are available.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14365, Version 2, October 22, 2007
Urgency/Credibility/Severity Rating: 3/5/4

RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user. Exploit code is publicly available, and reports indicate that active exploitation is currently ongoing. RealNetworks has confirmed this vulnerability and released updates.

Microsoft Word Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 14224, Version 1, October 9, 2007
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Malicious code that exploits this vulnerability is circulating in the wild. IntelliShield reported this malicious code as a variant of the Mdropper trojan in Alert 12562. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user that started the affected application. Depending on the privileges of the user, the attacker could create new accounts, install programs, or view, change, or delete data.

Security Activity Bulletin: Oracle Critical Patch Update October 2007
Security Activity Bulletin 14327, Version 2, October 29, 2007
Urgency/Credibility/Severity Rating: 2/5/4

Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details that concern specific vulnerabilities. IntelliShield expects independent security researchers to release details regarding individual vulnerabilities as researchers test and verify the Oracle patches.

MIT Kerberos and librpcsecgss RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14083, Version 15, November 16, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-3999, CVE-2007-4743

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code. An exploit may result in a full system compromise. Many operating systems and third-party applications use Kerberos and will likely release updated software to address this vulnerability.

Samba WINS Server Daemon Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14546, Version 2, November 19, 2007
Urgency/Credibility/Severity Rating: 2/5/4

Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.


Transit Strikes in France

A nine-day transportation strike caused major disruptions throughout France during the time period. In addition to the general disruptions and protests, arson attacks that affected four train routes also occurred on November 21, 2007. Talks between union officials and the French government continue, and some workers began returning to work on November 22, 2007.

IntelliShield Analysis: Widespread strikes that interrupt or block transportation systems are risks that require business continuity planning. Similar to weather or other regional physical risks, organizations are advised to establish contingency plans for employees who are unable to reach offices and methods for communicating dangers to workers. Businesses must also have emergency notification methods to alert employees when contingency plans are exercised and ensure that employees are educated about the plans. Remote worker capabilities can allow employees to work from any safe location with an Internet connection, but businesses must ensure that necessary systems and software are deployed, users are trained, and controls and policies are implemented without causing increased information security risks.


Google and DoubleClick Hope to Unite Online Advertising

Google has proposed a US$3.1 million buyout of advertising firm DoubleClick but is facing opposition from the United States Federal Trade Commission and European Union antitrust laws. Google specializes in search and search-related advertising, and DoubleClick is a leader in the online display advertising market. If successful, the deal would unite two of the largest companies in the Internet advertising space and lower competition.

IntelliShield Analysis: There are security concerns beyond the legal and economic ramifications of Google's proposed buyout, because the company has faced pressure from privacy advocates who are concerned about how Google collects and stores user information. DoubleClick tracks users as they click through an advertisement. If combined, this information could become an enticing target for attackers to exploit, which could increase the potential for abuse and exploitation.


Trusted Websites Used to Distribute Malicious Code

A website operator recently reported that their website had been attacked and was being used to distribute malicious code to visitors. The compromise was identified as IFrame exploits and other attacks that used web pages. The IFrame exploits direct users to malicious websites that can expose the users' systems to multiple attacks from a widely used attack toolkit.

IntelliShield Analysis: The compromise of popular, generally trusted websites is an escalating method of exploit. With the holiday shopping season growing to peak levels through the end of December, businesses should be vigilant and carefully monitor websites for signs of compromise or malicious activity.


United Kingdom Children and Families Suffer Identity Exposure

Two compact discs that contained password-protected but unencrypted information for the United Kingdom (U.K.) Child Benefit program failed to arrive at the National Audit Office when sent via the HM Revenue and Customs internal courier service. The data included National Insurance numbers, bank details, names, birth dates, and address information of 25 million individuals, including all family members of any individual in the U.K. with a child of 16 years or younger.

IntelliShield Analysis: According to Chancellor Alistair Darling, the courier service ignored security procedures during this incident. As the British government determines the cause of the breach and adjusts policies to prevent a recurrence, citizens in the U.K. will need to determine how to monitor and protect their credit and identities. Frequent identity monitoring may become a necessity for many individuals around the world.


Phishing Attacks Becoming More Complex

A large-scale MySpace phishing attack that originated in China and operated for more than thirty days was detected during the time period. Using small-scale, directed spamming of links within internal comments, attackers were able to collect usernames and passwords while remaining hidden from security products and personnel. These "typo squatting" attacks that attempt to impersonate legitimate websites by registering web domains with intentionally misspelled trademarked names or popular keywords are not new to cyberspace but continue to grow in scope and sophistication.

IntelliShield Analysis: The tactics used in phishing, domain squatting, and typo squatting attacks remain relatively unchanged, but technology that is capable of hiding the illegitimacy of websites and the keywords used to attract victims continues to improve. IntelliShield expects a rise of phishing attempts as attackers take advantage of the upcoming holiday season. Best practices, such as examining URLs before selecting web links, double-checking spelling within a typed URL, and using a search engine to double-check website legitimacy will be of benefit to users in the coming months. Several applications and browser plugins are available for use in warning against misleading websites.


China Identified as Threat to United States Data and Technology

China has reacted negatively to a November United States (U.S.) Congressional report that named the country as the single largest threat to sensitive U.S. data and technology. The bipartisan U.S.-China Economic and Security Review Commission claims that China surprised the U.S. by the country's rapid advancement of technological capabilities, which was achieved in part through illicit technology transfer and espionage. The panel further stated that the Pentagon is failing to ensure that weapons contracts with U.S. companies do not result in the outsourcing of component manufacture to potential adversaries, such as China.

IntelliShield Analysis: The report by the U.S.-China Economic and Security Review Commission may be noteworthy more for its impact on perceptions than for its actual conclusions. From a business perspective, U.S. government decision-makers who are tasked with protecting sensitive data will likely direct funds towards increased China-focused network security spending and intelligence collection. Moreover, technology companies that are involved in off-shoring and outsourcing must consider whether these programs could negatively impact the prospects for obtaining government contracts in light of this report.

Upcoming Security Activity

DeepSec IDSC: November 22–23, 2007
Net&System Security Convention: November 27, 2007
PacSec 2007: November 29–30, 2007
Saudi Arabian Government Information Technology and National Security: December 1, 2007
Clubhack: December 9, 2007

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
