Cyber Risk Report

September 21–27, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity levels remained consistent with previous periods. Significant activity during the time period included the Cisco Semiannual IOS Software Advisory release, continued elevated activity from the Clampi and Zeus banking trojans, and an Apple update for iTunes.

Cisco released its Semiannual Cisco IOS Software Advisory bundled publication on September 23, 2009. The publication included 11 Security Advisories that addressed 12 individual vulnerabilities in Cisco IOS Software and Cisco Unified Communications Manager. Exploits of the individual vulnerabilities could result in two different impacts: a breach in confidentiality or a denial of service (DoS) condition. Additional information on the publication is available at the Security Intelligence Operations Event Response.

Cisco Security Intelligence Operations identified another spike in Clampi trojan activity during this period. The spike showed an increase of almost three times the normal levels during a 24-hour period. Clampi and the Zeus banking trojans continue to be identified in spam messages and remain a significant threat. The trojans are part of larger botnets that are designed to capture banking and financial account information and can be difficult to identify and remove because of the ability of the trojans to avoid antivirus detection.

Apple released an update for a vulnerability in iTunes that could allow a DoS condition or the execution of code. Apple's iTunes is one of those applications that, although unsupported by IT departments, may be on many users' systems, presenting an unknown level of risk to the business environment. The Apple advisory and an upgrade for the 9.0.1 version are available at Apple support.

IntelliShield published 86 events last week: 45 new events and 41 updated events. Of the 86 events, 70 were Vulnerability Alerts, two were Malicious Code Alerts, three were Security Activity Bulletins, six were Threat Outbreak Alerts, three were Security Issue Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        09/25/2009     7         0       7
Thursday      09/24/2009     6         8      14
Wednesday     09/23/2009    16        13      29
Tuesday       09/22/2009     8         9      17
Monday        09/21/2009     8        11      19
Weekly Total                45        41      86


Significant Alerts for the Time Period

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 4, September 21, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability. Updates are not available, but Microsoft has released an official workaround.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 4, September 4, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges. Microsoft has confirmed this vulnerability and updated software is available for some platforms. Safeguards are available.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 7, September 21, 2009
Urgency/Credibility/Severity Rating: 2/5/4

The Linux Kernel versions 2.4 through contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service (DoS) condition. Proof-of-concept exploit code is publicly available. Red Hat has released updates.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 9, August 27, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 9, August 25, 2009
Urgency/Credibility/Severity Rating: 3/5/3

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote DoS vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.


There was no significant activity in this category during the time period.


There was no significant activity in this category during the time period.


University Researchers Expose Potential Problems in Vanish Software

Researchers from the University of Texas at Austin, Princeton University, and the University of Michigan introduced a method to recover information stored using the "Vanish" software previously developed by the University of Washington and discussed in the Cyber Risk Report for July 20-26, 2009. "Unvanish" can defeat the expiration of the key data used by the Vanish software. The University of Washington acknowledged the weakness in its initial publication and has updated the Vanish software to make key recovery more difficult.

IntelliShield Analysis: The open publication of the technical details of the Vanish software has enabled other university groups to improve on how the software functions. This competition has driven improvements that might not have come to light had the research not been publicized. Although not practical for some areas of development, the public release of research, similar to the academic method, the open-source software movement, and other special projects such as the Netflix Prize, can allow for unforeseen innovation outside of closed research projects.


Bank Sends Confidential Information to Wrong Gmail Account

The Rocky Mountain Bank of Wyoming inadvertently sent the account information of 1,325 of its customers to the wrong Gmail account, potentially compromising customers' information. The bank was initially replying to a customer request for loan information to be sent to a third party. The bank not only sent the information to the wrong Gmail account, it also accidentally included a file containing the names, addresses, and tax identification numbers of an additional 1,325 customers.

IntelliShield Analysis: This unusual case combines human error with a compromise of identity information. The bank tried to contact the Gmail user to whom the account information was sent, but received no reply. The bank then asked Google to tell it whether the account was dormant and to whom the account belonged. Google refused to supply the information without a court order, so the bank has petitioned the court for an order requiring Google to provide this information. Google is likely trying to protect the privacy of its users by requiring a court order before providing the requested information. The bank wanted the request to be sealed to prevent a panic among its customers; however, the court denied the request and allowed the information to be made public, stating: "An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason."


Installation of Spyware Has Widespread and Unexpected Impact

An Ohio man, in an effort to spy on a woman with whom he had recently had a relationship, decided to install spyware on the woman's personal PC by sending it to her in an e-mail message. The man expected the woman to open the message sent to her public (Yahoo) account and to install the spyware on her home computer. However, she opened the e-mail message and installed the spyware on her workplace PC. The spyware propagated to multiple computers at the woman's place of employment, the Akron Children's Hospital, and resulted in the public release of medical information for more than 60 patients at the hospital.

IntelliShield Analysis: While the initial blame for this event can be placed on multiple parties (the Ohio man for installing the spyware, the woman for opening an e-mail attachment without validating its contents, and the hospital's IT department for allowing the download and not having the necessary measures in place to detect and prevent propagation of the malware), a key takeaway is that Internet connectivity has become ubiquitous. Because the Internet is accessible through multiple means, there is no guarantee of where and how someone will open and read an e-mail message that may have been intended only for the recipient's eyes. E-mail messages can be accessed at home, at work, at public Internet stations, on smartphones, and elsewhere. Users of e-mail programs, specifically when they are sending e-mail messages strictly for personal reasons, have to assume that the recipients can receive these messages anywhere and that unintended consequences may result.


Security Tight for People's Republic of China 60th Anniversary

China's capital of Beijing is preparing large-scale celebrations and demonstrations of military prowess for the 60th anniversary of the founding of the People's Republic of China. There will be a massive parade on National Day, which falls on October 1, including a fly-over of China's most advanced military jets. Security will be tight, with tens of thousands of police deployed in Beijing and some streets requiring identification for passage. The government has said that it will inoculate parade performers with the new H1N1 vaccine to prevent ill-timed outbreaks, and is unleashing its most aggressive effort to date to ensure good weather. Also in connection with National Day, some employees of foreign media outlets in China have reported receiving malware-laden e-mail messages, although the source of these messages has not been determined.

IntelliShield Analysis: A successful National Day is of great importance to Beijing, so from a physical security point of view, companies doing business in China may expect to find tight security, particularly at places like airports and train stations and in sensitive locales such as Tibet and Beijing. Communications may be slowed by high traffic levels and extra security measures. Past experience further points to an upward spike in malicious online activity prior to events of this kind, so companies may wish to be on guard. From a strategic point of view, many eyes worldwide will be on the substance of the military parades, which will be seen as a public inventory of China's military capabilities (that is, how many missiles and of which types) and, in a different way from the Beijing Olympics, as a showcase of China's geopolitical rise.


Inferring Social Relationships with Mobile Phone and Location Data

Researchers Alex Pentland, Nathan Eagle, and David Lazer have published a paper regarding the use of mobile phone data to infer friendships, a practice they call "Reality Mining". The collected data, including location and phone logs, was compared to self-reported information provided by participants in the study. In comparing the information, the authors were able to confirm that location, proximity to other phones in the study, and phone logs could infer 95 percent of self-reported friendships. The researchers also suggest that phone usage could correlate with other social factors, such as work satisfaction and the reliability of individuals' recall on other surveys.

IntelliShield Analysis: Researchers continue to find inventive ways to connect individuals to the vast amounts of digital data collected about them. In this instance, cell phone locations, call activity, and time data were correlated to infer the locations of the phones' owners and whom the owners spend time with, and to make some assumptions about work satisfaction based on how many calls were placed during working hours. Users leave digital traces in many places throughout an average day, and researchers continue to find methods for identifying users through these seemingly unimportant traces. Organizations should watch developments in these areas because data and privacy regulations could be affected.

Upcoming Security Activity

U.S. National Cyber Security Awareness Month: October, 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
Oracle Critical Patch Update: October 20, 2009
CSI2009 Annual Conference, Washington, D.C.: October 24–30, 2009
Interop New York: November 16–20, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

China National Day Holiday: October 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
