Cyber Risk Report

October 19–25, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity was elevated again during the time period. The increase was primarily related to the release of the Oracle Critical Patch Update (CPU) for October 2009 and a large VMware update. Additional spam and malicious code activity involving the Gumblar botnet was also identified. Cisco Security Intelligence Operations continues to observe increased levels of activity related to this threat.

The Oracle CPU included security fixes for 38 vulnerabilities, many of which an attacker can exploit remotely and without prior authentication. All patches included in the update were cumulative, except those for the E-Business Suite and Oracle BEA products. The Oracle CPU was reported in IntelliShield alert 19236.  In addition to the CPU, two additional Oracle vulnerabilities were reported recently. Exploit code is available for both vulnerabilities, which are reported in IntelliShield alerts 19241 and 19244.

The VMware update (VMSA-2009-0014) included updates for ESX vulnerabilities in DHCP, Service Control Kernel, and Java Runtime Environment. Attackers have demonstrated a focus of exploiting weaknesses and vulnerabilities in ESX systems in the hopes of assuming control of virtual servers that are under the systems' control.

Attackers have adapted the Gumblar botnet with new behavior and infection vectors. New Gumblar versions embed content directly on compromised websites instead of injecting malicious iFrames that redirect users to central servers, and malicious HTML and script code use character obfuscation to avoid signature-based detection. As a result, it may be more difficult to locate, find, and correct compromised websites. The new versions include exploits for previously reported vulnerabilities in Adobe Acrobat and Microsoft Office. These vulnerabilities were previously reported in IntelliShield alerts 19180, 15623, and 18633.

IntelliShield published 108 events last week: 26 new events and 82 updated events. Of the 108 events, 91 were Vulnerability Alerts, one was a Malicious Code Alert, three were Security Activity Bulletins, six were Threat Outbreak Alerts, five were Security Issue Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 10/23/2009 6 0 6
Thursday 10/22/2009 5 7 12
Wednesday 10/21/2009 1 13 14
Tuesday 10/20/2009 4 49 53
Monday 10/19/2009 10 13 23
Weekly Total 26 82 108


Significant Alerts for October 19–25, 2009

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3

Reports indicate additional activity related to the Gumblar malicious code.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 11, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.
Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability

IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 10, September 22, 2009
Urgency/Credibility/Severity Rating: 3/5/3

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. This vulnerability is being exploited in the wild. Exploit code is publicly available. ISC has confirmed this vulnerability and updated software is available.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 9, September 30, 2009
Urgency/Credibility/Severity Rating: 2/5/4

The Linux Kernel versions 2.4 through contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a DoS condition. Proof-of-concept exploit code is publicly available. has confirmed the vulnerability in a changelog and released updated software.


OnStar Service Ends Stolen Vehicle Chase

A police chase ended without a crash when OnStar controllers instructed a stolen sport utility vehicle (SUV) that was equipped with the communication system to ignore input from the gas pedal. After a thief approached and car-jacked their SUV, two men contacted local police, who in turn contacted OnStar. The vehicle was spotted and the police gave chase. Using a new aspect of the service, the OnStar controller was able to signal the SUV to slowly coast to a halt. The perpetrator then attempted to make a getaway on foot before being captured.
Read More 
Additional Information
Additional Information

IntelliShield Analysis: While this particular case ended happily, it presents concerns about the control of equipment that contains remote disablement capabilities. When a service such as OnStar has remote kill capabilities, vehicle owners are effectively ceding some amount of control to a foreign party. Does the controlling entity exercise adequate safeguards that the capability will not be misused? Could the controller be mislead into disabling the equipment without the express permission of the equipment owner? Cases of pranksters "swatting" victims, or calling out SWAT police teams to an unsuspecting victims homes, are becoming more common. Without strong authenticated controls, remote disablement capabilities may provide another avenue for malicious pranksters to cause a disruption for an unsuspecting victim.


Google Books Settlement Draws International Attention

The European Union (EU) commission is urging European countries to create their own version of Google Books, a digitized book service. Because the Google deal is still facing legal obstacles in the United States (U.S.), the commission believes a competitive European product can be ready for use before Google Books. In related reports, groups in China are protesting the scanning of books by Google that were written in China. This protest could further stall the Google Books settlement in the U.S..
Read More
Additional Information

IntelliShield Analysis: A portion of the Google Books settlement concerns anti-trust measures brought against Google by the United States government. If EU countries are able to create a digitized book service of their own, the case could be affected, as another vendor would also be offering the service. With such interest in this project, it is likely that multiple scanned book services will emerge. The Chinese complaint may slow the court case further, however, as a new interested party protests the settlement over concerns of intellectual property rights. This particular protest is interesting in that other countries have often accused China of not honoring copyright protection in software, books, and movies. Perhaps the interest in protecting Chinese authors may help develop and enforce more laws to protect copyrights in general.


Possible United States Federal Violations in Electronic Voting Machines

The Election Defense Alliance (EDA) requested that Riverside County, California in the United States (U.S.) turn over database files from the November 2008 general election. Sequoia Voting Systems, the manufacturer of the electronic devices that were used in the election, cited protection of trade secrets when it redacted portions of code used by the device prior to providing the database. However, the EDA determined the nature of the redaction and then uncovered information that suggests the devices violate federal rules governing electronic voting devices. Such a discovery was possible because the voting devices intermixed code that was used to run the machines in the actual data itself.
Read more
Additional information 
Additional Information

IntelliShield Analysis: This incident is not the first time electronic voting has faced scrutiny. Earlier this year, Sequoia admitted problems with its devices after election officials in Washington, D.C. threatened them with a lawsuit over approximately 1,500 "phantom" votes. This latest event has the potential to erode public trust in electronic voting systems that were designed in part to remove ambiguous situations such as the infamous hanging chad of the 2000 U.S. presidential election. Lack of transparency and acknowledged discrepancies will only further such erosion.


There was no significant activity in this category during the time period.


Entertainment Companies Begin to Set Social Media Policies

Reports that Hollywood studios are beginning to set social media usage guidelines have begun to surface recently. Although the use of such guidelines has reportedly not become pervasive, their adoption would follow a long-established tendency for entertainment studios to set rules for entertainers and other employees about what is acceptable to disclose to the media. With the rise of social media outlets like Twitter and Facebook, the intended audience is directly connected to the entertainers. Such a scenario removes any filters and delays between the posting and mass consumption. Far from abandoning or prohibiting social media usage, studios appear to be establishing reasonable guidelines that protect their interests while still benefiting from increased exposure and community involvement. Read More

IntelliShield Analysis: Although it may be too early to observe how the entertainment industry handles social media expression as a whole, early reports suggest a moderate approach. In many ways, this industry is at the forefront of monetizing personality, and social media will clearly continue to have a major impact on the lives and careers of entertainers. Moderation in social networking acceptable use suggests that studios are comfortable with a guided approach to this new technology. Organizations that have an interest in combining an individual personality with their brand and message might consider the trends in the entertainment industry as one benchmark against which social media usage and policy are measured.


Economic Espionage Trial Highlights Insider Threat

The first United States (U.S.) jury trial involving charges under the 1996 Economic Espionage Law began recently. Engineers Lan Lee (a U.S. citizen) and Yuefei Ge (a Chinese citizen) were arrested in 2006 on charges of stealing sensitive plans for a computer chip from their employer, NetLogic Systems, and another company, Taiwan Semiconductor (TSMC), with the intent to use that information to launch a start-up business in China. According to the indictment, they were seeking funding from China's 863 Program, a government venture capital organization dedicated to supporting the development of advanced technologies. Reports indicate that law enforcement authorities were warned by Ge's wife, who disapproved of her husband's business plans. The government of China has denied any knowledge of or involvement with the alleged crimes.
Read more
Additional Information

IntelliShield Analysis: For information security professionals, the most valuable lessons to be drawn from cases like the Li-Ge espionage trial may come from an analysis of the methods used to misappropriate company data. The indictment reveals that the defendants were found to possess unauthorized proprietary company information, correspondence with representatives of the 863 program, and business plans for their start-up on their home computers and personal e-mail files. It is not clear how the defendants allegedly transferred the data to personal systems, but the case underscores the need for security professionals to maintain their focus on insiders as possibly the weakest link in corporate information security systems. Counter-measures include regular need-to-know audits, regulation of access to company systems by portable devices, and a robust system for tracking movement of information beyond company firewalls.

Upcoming Security Activity

United States National Cyber Security Awareness Month: October, 2009
CSI2009 Annual Conference, Washington, D.C.: October 24–30, 2009
Interop New York: November 16–20, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Daylight Saving Time Ends (United States): November 1, 2009
United States Election Day: November 3, 2009
The Hajj: November 25-30, 2009
Copenhagen Climate Change Summit: December 7–18, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top