April 14–21, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of collaborative efforts, information sharing, and the collective security expertise of senior analysts from Cisco security services, including the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

The release of the Oracle Critical Patch Update (CPU) advisory for April 2008 highlighted vulnerability activity this week. The update is detailed in IntelliShield Alert 15676. It addresses a total of 41 vulnerabilities in Oracle products. Independent security researchers have publicly released technical details for six of these vulnerabilities. This publication of technical information is a departure from the January 2008 CPU, for which few details were ever publicly released.

Microsoft released a security advisory to address the token kidnapping privilege escalation vulnerability in Windows, described in IntelliShield Alert 15702. The issue has multiple attack vectors that allow a local attacker to gain elevated privileges on the Windows platform. Few details regarding the vulnerability or the attack are available. The vulnerability was demonstrated to the public at the recent Hack in the Box conference in Dubai.

Apple released version 3.1.1 of its Safari web browser to address three new vulnerabilities and one previously disclosed vulnerability. These vulnerabilities include spoofing, cross-site scripting, and memory corruption.
The Safari browser may be an attractive target for attackers because a stable version for the Windows platform was released only recently.

During this timeframe, Trj/Fribet.A (described in IntelliShield Alert 15704) attempted to capitalize on the controversy surrounding the upcoming Beijing Olympics. The trojan arrives as part of a video file called "Race for Tibet." Once installed on the system, it logs user keystrokes and sends them to a remote attacker. The captured data could include authentication credentials, financial information, or other personal information that could be used to compromise the victim's identity and act as that user.

Sharing a similar name, Fribet (described in IntelliShield Alert 15655) is also taking advantage of the events surrounding the upcoming Beijing Olympics. This trojan is inadvertently downloaded by visitors to two websites dedicated to Tibetan independence, freetibet.org and savetibet.org. The websites contain a malicious iFrame that redirects visitors to another website, which exploits a known vulnerability in Microsoft Windows to download and execute the malicious software. Fribet gives a remote attacker control over several functions on the system. What is unique about this trojan is that, if a SQL server is installed on the infected host, the attacker can use that host to build and connect to local or remote databases, query and extract information from them, and inject arbitrary data, such as web exploits, into them.

Incorporating current political events into social engineering has proven to be an effective way to convince users to open media files that harbor malicious code.

IntelliShield published 116 events last week: 60 new events and 56 updated events.
Of the 116 events, 98 were Vulnerability Alerts, six were Security Issue Alerts, three were Daily Malicious Code Summaries, three were Malicious Code Alerts, three were Applied Mitigation Bulletins, two were Security Activity Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for April 14–20, 2008

Oracle Critical Patch Update April 2008

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products, affecting Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts detailing individual vulnerabilities will be released as technical details become available.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows GDI File Name Parameter Vulnerability

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability

Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Exploit code that executes arbitrary code is available, and reports indicate that attackers are actively exploiting this vulnerability. Exploitation requires user interaction: an attacker may use social engineering to convince a user to visit a malicious website with a browser that supports ActiveX controls, such as Internet Explorer. CA confirmed the vulnerability in a security response, but updates are not available. Until CA releases updates, the usual mitigation is to prevent Internet Explorer from instantiating the affected control by setting its kill bit.

Microsoft Jet Database Engine Buffer Overflow Vulnerability

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system.
This vulnerability is currently being exploited by malicious software. It has been identified as being used by TROJ_MSJET.C, which is documented in IntelliShield Alert 15486, and by Trojan.Acdropper.C, described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.
Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. The update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. It corrects flaws in core operating system components as well as in third-party packages bundled with the operating system.

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability

Microsoft Windows Vista and Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a DoS condition. Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability; the data, captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Works File Converter Section Length Header Code Execution Vulnerability

Microsoft Works File Converter contains a vulnerability in the handling of legacy-formatted Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit it, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability

F5 Networks BIG-IP contains a vulnerability in the web management interface that could allow a remote attacker to conduct cross-site request forgery (CSRF) attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts.
Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability, and updates are unavailable. Until a fix is available, administrators should restrict access to the management interface to trusted networks and avoid browsing other sites from a browser session that is logged in to the device, since CSRF relies on the browser carrying that session's credentials.
Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges and take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation is publicly available, and reports indicate that the vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to those of the superuser account and take complete control of the vulnerable system. Exploit code is available, and reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability

Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to crash the application or execute arbitrary code. Depending on the configuration of the affected system, the attacker may be able to gain elevated privileges. This vulnerability is currently being exploited in the wild; it has been identified as being used by Trojan.Pidief.C, which is documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released technical details of several vulnerabilities corrected by this update, and at least one has been used to distribute malicious code.
Physical

Air Marshal Program Criticized

The CNN Special Investigations Unit has published an article claiming that the United States air marshal program has suffered a high rate of attrition and that the Federal Air Marshal Service has drastically reduced its application requirements to bolster its numbers. CNN also claims that air marshals have been assigned to shorter flights to skew the reported percentage of flights covered by the program. Kip Hawley, head of the Transportation Security Administration (TSA), contradicted the report at a congressional hearing. Hawley stated that the number of flights covered is a national secret but is at least an order of magnitude above the "fewer than 1 percent" that CNN reported. TSA spokesman Greg Alter sent an e-mail refuting the other claims made by CNN's Special Investigations Unit. Texas Representative Sheila Jackson Lee has begun closed-door meetings to determine whether the oversight committee is receiving the whole truth.

IntelliShield Analysis: Although both CNN and the Federal Air Marshal Service claim to have all the facts, the truth most likely lies somewhere in the middle. Historically, organizations that have attempted to rapidly expand their physical security teams have found it necessary to lower acceptance requirements and training standards, and have risked high turnover among their more experienced staff. A smaller, well-trained staff is typically better equipped to respond to incidents than a larger, less trained force. In the long run, reactive security is rarely effective; it should be used sparingly, kept restricted in scope, and limited to a temporary lifecycle. Funding and bureaucracy created for temporary security teams should be easy to remove once the objective has been achieved.
Legal

New Version of PCI DSS Is Being Prepared

A new version of the Payment Card Industry Data Security Standard (PCI DSS) is scheduled for release in September 2008. A beta version will be released in August to participating organizations and to the security assessors who work with the standard. PCI Security Standards Council General Manager Bob Russo has also commented on requirement 6.6 of the standard. This requirement is currently considered a best practice, but on June 30 it becomes mandatory. It has caused some confusion in the industry because of a lack of clarity about what companies must do to meet it.

IntelliShield Analysis: Requirement 6.6 states that companies must protect their web-based applications against known threats, either through a review of the application's source code or by deploying a web application firewall (WAF). A WAF may be the preferred route for many companies because a third-party code review can be more costly. Although a WAF could be a cheaper way to achieve compliance, it sits inline in the request path, so it adds latency and becomes another single point of failure: an attacker who can crash or exhaust the WAF can create a denial of service (DoS) condition for every application behind it. A WAF also only filters known attack patterns; it does not remove the underlying flaws that a code review would find. The PCI DSS is an evolving standard that offers some protection to companies that conform to it. It is still a work in progress, and over time it is expected to grow in relevance and effectiveness.

Trust

U.S. Government to Increase DNA Collection

Within the past few years, the authority of the United States Justice Department has been expanded to allow more comprehensive collection of DNA samples. The Department may now collect DNA from any person, foreign or domestic, arrested by federal law enforcement agents. The samples are added to the CODIS database, a knowledge-sharing tool that helps federal law enforcement agencies find suspects based on DNA evidence.
Privacy advocates are concerned that, because the DNA of any detainee is stored in the database whether or not the person is eventually found guilty of a crime, the privacy of law-abiding persons is at risk.

IntelliShield Analysis: The growing role of federal law enforcement agencies as custodians of personal information is contested. Unlike fingerprints, DNA samples contain a vast amount of information that could be very valuable in the wrong hands. In expanding the scope of data collection, the Justice Department will face the challenge of securely controlling this information, including against malicious insiders. Organizations should carefully consider the responsibilities that come with collecting sensitive information, and store only what is absolutely necessary. Detailed policies on the scope of collection, the quantity of information, and the duration of retention are essential to controlling the risk.

Identity

TSA Trials New Boarding Pass System

The United States Transportation Security Administration has begun testing a new boarding pass system in cooperation with Continental Airlines in Houston, Texas. The airline signs the boarding pass information with its private key and sends the pass to the passenger as a high-density bar code in an SMS message. At the checkpoint, the TSA scans the bar code from the passenger's cell phone and verifies the signature with the airline's paired public key. A valid signature proves that the pass was issued by the airline and has not been altered since, so the name on the pass can be trusted when it is matched against the passenger's identification, and fake passes become harder to produce.

IntelliShield Analysis: The new TSA program is a step in the right direction for securing airline boarding passes. It leverages existing technologies at an apparently low cost, making for a simple system. Privacy concerns must be addressed to ensure that data used by the system is not collected or stored beyond what is necessary for passenger identification.
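The signing and verification flow described above, as an added example that is not part of the original report and not the TSA's or Continental's code. It assumes an Ed25519 key pair for the airline, a JSON pass payload with passenger, flight, date and seat fields, and a bar-code text of the form base64url(payload).base64url(signature); the report specifies none of these, and the sample passenger data is constructed. The checkpoint side holds only the airline's public key, and the example shows that a pass whose payload was edited after signing, or a pass signed with some other key, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// BoardingPass is what the airline asserts about a passenger. The field set is
// an assumption for this example; the report does not describe the payload.
type BoardingPass struct {
	Passenger string `json:"passenger"`
	Flight    string `json:"flight"`
	Date      string `json:"date"`
	Seat      string `json:"seat"`
}

// Issuer models the airline: the only party holding the private key.
type Issuer struct {
	priv ed25519.PrivateKey
}

// NewIssuer generates the airline's key pair. The public key is what the
// airline hands to the TSA; the private key never leaves the airline.
func NewIssuer() (*Issuer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, pub, nil
}

// Encode serialises the pass, signs the exact bytes, and returns the text that
// would be carried in the bar code: base64url(payload) "." base64url(signature).
// json.Marshal emits struct fields in declaration order, so the encoding is
// deterministic and the verifier can re-check the same bytes.
func (i *Issuer) Encode(bp BoardingPass) (string, error) {
	payload, err := json.Marshal(bp)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(i.priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify is the checkpoint scanner's side. It needs only the airline's public
// key and accepts the pass only if the signature covers exactly the presented
// payload bytes, so any edit after signing is detected.
func Verify(pub ed25519.PublicKey, barcode string) (BoardingPass, error) {
	parts := strings.SplitN(barcode, ".", 2)
	if len(parts) != 2 {
		return BoardingPass{}, errors.New("malformed pass")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return BoardingPass{}, errors.New("malformed payload")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return BoardingPass{}, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return BoardingPass{}, errors.New("signature invalid: not issued by this airline or altered")
	}
	var bp BoardingPass
	if err := json.Unmarshal(payload, &bp); err != nil {
		return BoardingPass{}, errors.New("malformed payload")
	}
	return bp, nil
}

// Forge models the attack the scheme is meant to stop: take a genuine pass,
// swap in a different payload, and keep the original signature.
func Forge(barcode string, altered BoardingPass) (string, error) {
	parts := strings.SplitN(barcode, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed pass")
	}
	payload, err := json.Marshal(altered)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." + parts[1], nil
}

func main() {
	airline, airlinePub, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	// Constructed sample pass; not real passenger data.
	genuine := BoardingPass{Passenger: "A. TRAVELER", Flight: "CO1234", Date: "2008-04-20", Seat: "12C"}
	barcode, _ := airline.Encode(genuine)
	if bp, err := Verify(airlinePub, barcode); err == nil {
		fmt.Printf("genuine pass accepted: %+v\n", bp)
	}
	forged, _ := Forge(barcode, BoardingPass{Passenger: "B. IMPOSTOR", Flight: "CO1234", Date: "2008-04-20", Seat: "12C"})
	if _, err := Verify(airlinePub, forged); err != nil {
		fmt.Println("forged pass rejected:", err)
	}
	// A pass signed by any other key is rejected: the scanner trusts only the airline's key.
	other, _, _ := NewIssuer()
	foreign, _ := other.Encode(genuine)
	if _, err := Verify(airlinePub, foreign); err != nil {
		fmt.Println("pass from unknown issuer rejected:", err)
	}
}
```

Note what the signature does not do: a genuine bar code can be copied bit for bit and will verify on any phone, so the checkpoint still has to match the name on the pass to the passenger's identification, and a deployment would want a per-pass identifier so a scanner can refuse a pass it has already seen.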
Additionally, even successful identification does not guarantee security or protect against persons who are not yet known to be threats. Overall, the system could serve as an example for other groups that wish to leverage existing mechanisms to create secure identification systems.

Human

Hackers Use Targeted "Spear Phishing" Against CEOs

Recently, thousands of targeted phishing e-mails have been delivered to senior corporate officers, primarily CEOs. Each e-mail is individually researched for delivery to the executive's account and contains personal details of the victim, such as full name, phone number, and organization name. The messages assert that the organization is subject to a subpoena and prompt the victim to review a document, then to download malicious code that masquerades as a plug-in needed to read it.

IntelliShield Analysis: Many technical controls reduce the impact of malicious code, but targeted phishing has been known to bypass traditional defenses such as antivirus software. In these situations, defense in depth grounded in user training is a significant advantage. Senior corporate officers are especially valuable targets for trojans and reconnaissance software, but they are also likely to have delegated some communications to administrative assistants, who should not be overlooked when planning this training. Training and technology must focus not only on responding to attacks but also on the social engineering and electronic reconnaissance that collect information ahead of them. The contact details used in this campaign were carefully collected, and they are likely to be used again.

Geopolitical

There was no significant activity in this category during the time period.
Upcoming Security Activity

HITBSecConf2008: April 14–27, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following event:

Easter (Eastern): April 27, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 6-month trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
