April 7–13, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of collaborative effort, information sharing, and the collective security expertise of senior analysts from Cisco security services, including the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

The monthly Microsoft Security Update was released April 8, 2008. It consisted of eight bulletins that address vulnerabilities in the Windows operating system, the Internet Explorer web browser, and the Project and Visio applications. IntelliShield analysts reported on 10 new vulnerabilities and one previously disclosed vulnerability. The Cisco Applied Intelligence group released an Applied Mitigation Bulletin outlining mitigation strategies to protect against attacks using these vulnerabilities; the strategies are outlined in IntelliShield alert 15600. Of particular interest was the Microsoft Windows update for the GDI file name parameter buffer overflow vulnerability described in IntelliShield alert 15561. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield alert 15642.

Adobe released version 9.0.124.0 of the Flash Player media application. IntelliShield analysts identified four new and three previously disclosed vulnerabilities. Flash content is pervasive on the Internet and is also in use for business purposes. Administrators should weigh the risk of allowing such content against business needs when deciding how best to mitigate these vulnerabilities.
During the reporting period, a recent variant of the Bobax family of worms was being used to build a massive network known as the Kraken botnet. A botnet is a collection of infected hosts that can be controlled for malicious purposes; Kraken has also been used as the name of the malicious code that infects the host. Some antivirus vendors refer to that code as Bobax, while other vendors use the names Bobic, Oderoor, Cotmonger, Hacktool.Spammer, or Backdoor.Spakrab. Once the worm infects a host, that host is added to the botnet. The attackers who control the botnet use the infected systems to deliver spam advertising and to conduct other malicious activities such as denial of service attacks. The Kraken botnet is reported to have grown from approximately 20,000 infected hosts to over 400,000 during the past year. The Cisco Applied Intelligence group released an Applied Mitigation Bulletin outlining mitigation strategies to protect against this worm; the strategies are outlined in IntelliShield alert 15624.

Another variation of Storm was widely distributed this week. The Storm worm, documented in IntelliShield Alert 14009, is currently circulating love-themed e-mails that contain a link to a website with an embedded video. The site tells the user that the video is not playing because "You have no Storm Codec on your PC." At the bottom of the page, a hyperlink offers the supposed codec for download; the download is actually a copy of Storm. Users should verify the authenticity of unexpected links within e-mail. The IronPort Threat Operations Center reported a virus outbreak for this variation on April 8, 2008.

IntelliShield published 159 events last week: 62 new events and 97 updated events.
Of the 159 events, 130 were Vulnerability Alerts, 11 were Security Issue Alerts, six were Malicious Code Alerts, five were Applied Mitigation Bulletins, four were Daily Malicious Code Summaries, one was a Cyber Risk Report, one was an updated Cyber Risk Report, and one was a Security Activity Bulletin.

(Table: Weekly Alert Totals)
Significant Alerts for April 7–13, 2008

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Previous Alerts That Still Represent Significant Risk

Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that allows for the execution of arbitrary code is available, and reports indicate that attackers are actively exploiting this vulnerability. Exploitation requires user interaction: an attacker may employ social engineering tactics to convince a user to visit a malicious website using a browser, such as Internet Explorer, that supports ActiveX controls. CA confirmed the vulnerability in a security response, but updates are not available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. This vulnerability is currently being exploited by malicious software; it has been identified as being used by TROJ_MSJET.C, documented in IntelliShield Alert 15486, and Trojan.Acdropper.C, described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Exploit code demonstrating code execution is publicly available. Reports indicate that attackers are leveraging this vulnerability in ongoing, targeted attacks, and the exploit code could be leveraged to conduct larger-scale attacks. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. The update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges, correcting flaws within core operating system components as well as third-party packages bundled with the operating system.

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a DoS condition. Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability; the data, captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
Microsoft Works File Converter contains a vulnerability in the handling of legacy-format Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates the remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
F5 Networks BIG-IP contains a vulnerability in the management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability, and updates are unavailable.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges and thereby take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation is publicly available, and reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to those of the superuser account and thereby take complete control of the vulnerable system. Exploit code is available, and reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the affected system. This vulnerability is currently being exploited in the wild; it has been identified as being used by Trojan.Pidief.C, which is documented in IntelliShield Alert 14388. Adobe confirmed the vulnerability in a security bulletin and released updated software.

Adobe Reader and Acrobat Security Update 8.1.2
Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update, and at least one has been used to distribute malicious code.

Oracle Critical Patch Update January 2008
Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities affecting Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released as technical details become available.

Physical

Federal Communications Commission to Propose Emergency Alert Text Messaging System
The United States Federal Communications Commission (FCC) has approved a plan that will allow cell phone users to receive text messages alerting them to emergency situations. Implementation requires that cell phone providers agree to FCC terms and conditions; participation is optional for each provider. The plan would provide alerts on terrorist attacks, natural disasters, and Amber alerts on missing persons.
IntelliShield Analysis: Targeted bulk messaging will be difficult to implement. Would an imminent terrorist attack be broadcast to the entire country, to a specific state or region, or could global positioning system (GPS) or other capabilities in phones determine the recipients? Alerting an overly broad audience may result in recipients ignoring messages, while alerting too few may limit the plan's effectiveness.
Some users are also concerned about the implications for privacy and whether this implementation might prompt other organizations to adopt bulk text messaging for commercial purposes. The plan is not fully worked out and no providers have officially signed on, but several have shown interest. Organizations are advised to track this developing program to determine whether it offers value in augmenting, or as a model for developing, similar organizational alerting systems.

Legal

Updated Release of United Kingdom Banking Code
The updated Banking Code and Business Banking Code was publicly released last week by the British Bankers' Association (BBA). Among other updates and revisions, the Banking Code includes clauses that describe the safety precautions the bank expects customers to take to protect against identity theft and other criminal activity. These are set out in clauses 12.5, 12.9, and 12.11 of the document. Clauses 12.5 and 12.9 provide customers with information about security and antivirus software, as well as advice on clicking links in e-mails. Clause 12.11 explicitly states that customers may be liable for losses if they have acted irresponsibly with respect to the recommended safety precautions.
IntelliShield Analysis: The Banking Code and Business Banking Code serves as a user agreement between customers and participating banks. The clauses on security precautions and customer liability appeared in past iterations of the Banking Code and have now been updated to reflect current technologies. The clause has never been invoked, but customers may want to review the code to ensure that they are reasonably compliant. The Banking Code does not define what counts as up-to-date antivirus software or firewalls, but the burden of proof will be on banks to show that customers behaved irresponsibly.
Requiring customers to keep their systems updated may help keep users security-minded, but attackers continue to find new methods of bypassing security technologies.

Trust

British Internet Service Providers Trial Phorm Advertising System
British Internet service providers (ISPs) may be entering into agreements to test a system developed by Phorm, Inc., that displays advertisements during a user's browser session based on the user's browsing habits. Privacy and security advocates have concerns about the plan, although Phorm states that no personal information is used to deliver advertisements and that browsing history is not stored for any length of time. Unless a user opts out, every user of a participating ISP would be part of the program.
IntelliShield Analysis: The possible deployment of such an advertising system raises several concerns. Because a single system serves many users, it may become an attractive target for attackers. The system also relies on HTTP 307 redirects, which attackers could manipulate or spoof to substitute malicious content. Although Phorm stores no personally identifiable information, the company still sees the entire browsing behavior of system users, raising the possibility of misuse. Overall, the system may represent a risk to the trust arrangement between ISPs and end users. Participating ISPs and other providers are advised to ensure that Phorm and similar systems meet rigorous security standards and that privacy concerns are addressed before implementation.

Identity

There was no significant activity in this category during the time period.

Human

Virginia Mandates Internet Safety Lessons
In the United States, Virginia is the first state to require educators to provide Internet safety classes to all primary school children and young adults.
This requirement has been implemented because parents are perceived to lack the skills and experience required to properly instruct their children about the dangers of the Internet. Educators hope the new mandate will help protect students from online bullies and sexual predators.

Geopolitical

United States, Middle East, South Korea Improve Internet Connectivity
In the newly released Global Information Technology Report 2007-08, authored by France's INSEAD and the World Economic Forum, countries representing 95 percent of the world's gross domestic product are ranked according to relative Internet connectivity. While northern European countries continue to top this annual list, several countries are on the move. South Korea showed one of the most dramatic improvements, jumping 10 positions to ninth place. The United States (U.S.) moved up three places to fourth. While Latin America and Sub-Saharan Africa continue to lag in connectivity, Middle East and North African countries are improving rapidly. In particular, Egypt, Morocco, Qatar, Bahrain, and Jordan all showed marked gains, moving into the top half of the 127-country list.

Upcoming Security Activity

Oracle Critical Patch Update: April 15, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following event:

Easter (Eastern): April 27, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free, 6-month trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use.
Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
