December 10–16, 2007

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

During the time period, vulnerability and threat activity levels continued to increase. Microsoft released a Security Update on December 11, 2007. The update contained seven security bulletins that addressed 11 distinct vulnerabilities. Cisco Remote Managed Services reported activity that could be related to attempts to exploit the dynamic HTML element processing memory corruption vulnerability in Microsoft Internet Explorer. IntelliShield Alert 14697 details this vulnerability. Additionally, Apple released security updates and updated software to address three vulnerabilities in the QuickTime media player and 30 vulnerabilities in Java.

Reports indicate attackers are actively conducting limited targeted attacks by exploiting the msjet40.dll MDB parsing buffer overflow vulnerability in the Microsoft Jet Database Engine. Since users do not regularly receive Microsoft Database files from untrusted sources, this vulnerability is unlikely to be used to conduct widespread attacks. Microsoft has not yet publicly responded to this vulnerability or released updated software. IntelliShield Alert 14568 details this vulnerability.

HP Info Center software contains a vulnerability that could allow an attacker to execute arbitrary code. The Info Center is distributed with many models of HP Compaq notebooks.
The vulnerability exists because one of the associated ActiveX controls marked as Safe for Scripting fails to maintain proper access restrictions. Exploit code is available. An attacker may be able to take a number of actions, including modification of the system registry, placement of arbitrary executables, or execution of arbitrary commands. If an affected user has administrative-level privileges, the system could be completely compromised. IntelliShield Alert 14747 details this vulnerability.

Samba released a security advisory and updated software to address a buffer overflow vulnerability when handling SAMLOGON domain logon packets. IntelliShield Alert 14738 details this vulnerability. An attacker could exploit this vulnerability to cause Samba to crash or to execute arbitrary code. A system is only vulnerable under certain configuration settings, none of which are the default settings. IntelliShield analysts expect multiple Linux vendors to release updated software to address this vulnerability.

In malicious code activity, reports indicate that the Stration family of worms, also known as Warezov, is still a predominant threat. Approximately half of the previously disclosed active domains associated with Stration are still active. The Stration family of worms uses the infected systems to distribute new variants, additional malware, and spam, and to host advertising sites.

IntelliShield published 141 events during the time period: 49 new events and 92 updated events. Of the 141 events, 125 were Vulnerability Alerts, five were Security Issue Alerts, five were Malicious Code Alerts, three were Daily Malicious Code Summaries, three were Security Activity Bulletins, three were Applied Mitigation Bulletins, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:
Weekly Alert Totals
Significant Alerts for December 10–16, 2007

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. Public reports indicate this vulnerability is actively being exploited. Microsoft has not confirmed this vulnerability, and no updates are available.

Previous Alerts That Still Represent Significant Risk

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability

Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. A remotely exploitable vulnerability such as this, one that likely affects a large number of highly sensitive systems, is a very attractive target and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Apple QuickTime RTSP Response Content-Type Header Buffer Overflow Vulnerability

Apple QuickTime Player contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. With the release of functional exploit code, this vulnerability will likely be exploited in the wild. The vulnerability is triggered during the initial handshake of the RTSP negotiation via a malformed Content-Type header. An attacker is required to send less than 2000 bytes of data to compromise an affected host. Because of the nature of the vulnerability, attackers have a large payload window that they may leverage. Apple has confirmed this vulnerability in a security bulletin and released updated software.
Microsoft Internet Explorer Script Error Handling Memory Corruption Vulnerability

Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute arbitrary code. Attackers cannot exploit this vulnerability directly and instead must convince a user to visit a malicious website. The Cisco Remote Operations Services organization has detected activity that indicates public attempts to exploit this vulnerability. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Microsoft Internet Explorer ShellExecute() URL Handling Vulnerability

Microsoft Internet Explorer contains a vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the user. If the user possesses sufficient privileges, an exploit could allow the attacker to gain full control over the affected system. This vulnerability was originally disclosed in July 2007. Exploit code is now publicly available, and attackers are actively exploiting this vulnerability in the wild. Microsoft has confirmed this vulnerability in a security advisory, and third-party vendor updates are available.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability

RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user. Exploit code is publicly available, and reports indicate that active exploitation is currently ongoing. RealNetworks has confirmed this vulnerability and released updates.

Microsoft Word Memory Corruption Vulnerability

Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Malicious code that exploits this vulnerability is circulating in the wild. IntelliShield reported this malicious code as a variant of the Mdropper trojan in Alert 12562.
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user that started the affected application. Depending on the privileges of the user, the attacker could create new accounts, install programs, or view, change, or delete data.

Security Activity Bulletin: Oracle Critical Patch Update October 2007

Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details that concern specific vulnerabilities. IntelliShield expects independent security researchers to release details regarding individual vulnerabilities as researchers test and verify the Oracle patches.

Samba WINS Server Daemon Buffer Overflow Vulnerability

Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.

Physical

Police Flag Vehicles to Deter Theft

In the United States (U.S.) city of Conyers, Georgia, police officers on foot patrols in shopping center parking lots began placing bright yellow warning tickets on car windows. The tickets are intended to alert vehicle owners that there are shopping parcels in plain view, either on the seats or the floorboards. Officers hope the tickets will remind shoppers to be more aware of the need to secure their packages carefully or place them in the locked trunk of the vehicle.

IntelliShield Analysis: Physical controls must often take into consideration the visibility of assets, and sometimes the ability to spot something of value can significantly raise the rate of threats against that asset.
Opportunistic thieves could walk the shopping center parking lots and find packages and merchandise in plain sight inside vehicles, but with bright yellow stickers on the car windows of every offending shopper, the thieves can easily locate targets from a distance. Even an informal risk assessment should have identified this plan as liable to increase, not decrease, risk.

Legal

Payment Processor Accused of Aiding Scammers

A third-party payment processor has been accused of aiding clients in the processing of fraudulent transactions or transactions that were deceptive to customers. In the United States (U.S.), seven states joined the U.S. Federal Trade Commission (FTC) in filing a complaint against the company Your Money Access. Records indicated that of US$200 million in debit requests or attempted debit requests, US$69 million were reversed or declined due to a lack of customer authorization or similar reasons. The complaint alleges that Your Money Access knew that its clients were attempting to defraud customers but continued to serve debit requests, in violation of Section 5 of the FTC Act.

IntelliShield Analysis: Although electronic payment transactions on the Internet are primarily a consumer issue, the U.S. government is trying to help by enforcing regulations against payment processors. If the government can suspend the payment processors who deal with disreputable merchants, it can inhibit the flow of income to those merchants and in turn reduce fraudulent Internet transactions. The disreputable merchants will never be eliminated, but government, consumers, and businesses can work together to make it less profitable for scammers to conduct business. To protect consumers from potential fraud, reputable merchants should take extreme care when choosing a payment processor, designing websites, communicating via e-mail, or pursuing other marketing and sales activities.
Trust

Rogue DNS Servers Point Traffic to Malicious Sites

A recent study conducted by researchers from Google and the Georgia Institute of Technology in the United States (U.S.) explores a new trend in Domain Name System (DNS) hijacking. The study identified approximately 17 million open recursive DNS servers, and of those, found 0.4 percent, or 68,000, servers that were maliciously redirecting names to improper sites. While DNS hijacking has been a long-time tactic for malware authors and Internet attackers, the attack vector to overwrite client DNS settings has moved toward browser-based exploits. By subverting a client system's DNS settings, attackers can redirect requests for common Internet names, such as www.google.com, to a malicious IP address.

IntelliShield Analysis: The research of Google and the Georgia Institute of Technology highlights the benefits of implementing proactive, fundamental security controls. Attackers have shifted away from using malware and network vulnerabilities and toward using web browser attacks that trick users into completing an exploit. Protecting host configurations from unauthorized changes, restricting DNS traffic to only permit queries against trusted servers, and properly configuring organizational DNS infrastructure to restrict recursive queries wherever possible can provide long-lived protection against the most common DNS attacks. If appropriate controls are not in place to protect key technical infrastructure, many controls that trust DNS resolution may experience cascading failures.

Identity

Northern Ireland Driver and Vehicle Agency Loses More Than 7,000 Records

To assist vehicle manufacturers with the delivery to consumers of notices on vehicle faults or potential faults, the Driver and Vehicle Agency (DVA) in Coleraine, Northern Ireland sent information on discs to the Driver and Vehicle Licensing office in Swansea, Wales via two postal deliveries.
The discs were not encrypted and contained the names, addresses, and vehicle information of more than 7,000 vehicle owners. The unprotected discs went missing at a sorting facility in Coventry, England. A police investigation is underway.

IntelliShield Analysis: Representatives for the DVA have been very forthright regarding this data loss, which comes only weeks after the revelation of the catastrophic data loss by HM Revenue and Customs of the United Kingdom (U.K.). Both agencies failed to perform basic and essential safeguarding of the important data they transported. As a result, vehicle owners may be at risk of fraudulent schemes benefiting from the lost personal information. Organizations are quick to adopt encrypted VPN technology to protect day-to-day network transmissions but often neglect to take the same level of care for data that is transported physically. This most recent loss of data may receive increased attention or put additional social pressure on other agencies.

Human

Survey Indicates Employees Are Careless with Corporate Data

In the United Kingdom (U.K.), a recent survey conducted by Databarracks, a provider of data backup services, found that users rely upon corporate data for daily operations but do little to safeguard that data. Of the 100 U.K. office employees surveyed, 57 percent claimed to have lost a corporate laptop, BlackBerry device, or portable drive, often in public locations. Data had been accidentally deleted from corporate networks by 63 percent of those participating in the survey, and 69 percent admitted that they did not regularly back up data on their devices.

IntelliShield Analysis: The results of the Databarracks survey are disconcerting but not surprising. Most incidents involving the loss of corporate data occur by accident or through ignorance.
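The Trust analysis above recommends protecting host DNS configuration from unauthorized change and confining queries to trusted resolvers. The following script is an added example (not part of the report or the cited study) of how a defender can check both: it parses a resolv.conf-style configuration against an allowlist of trusted resolvers, and it compares the answers collected from a set of resolvers for common names against the answers from the trusted ones, flagging any resolver that redirects a name to an address no trusted resolver returns. The resolver addresses, names, and answer records below are constructed sample data; the allowlist and observation format are assumptions of this example.

```python
"""Added example: two checks for the DNS controls discussed in the report.

1. Host configuration: nameservers listed in resolv.conf-style text are
   compared against an allowlist of trusted resolvers.
2. Rogue resolver detection: A-record answers gathered from several
   resolvers for well-known names are compared against the union of the
   trusted resolvers' answers; a resolver is flagged for a name when its
   answers share no address with the trusted baseline.

All addresses and names below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed allowlist of corporate resolvers (assumption of this example).
TRUSTED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}

# Constructed sample of a tampered host configuration.
SAMPLE_RESOLV_CONF = """\
# constructed sample /etc/resolv.conf
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7   # not on the allowlist
"""

# Constructed answers: resolver -> {queried name -> set of A records returned}.
SAMPLE_OBSERVATIONS: Dict[str, Dict[str, Set[str]]] = {
    "10.0.0.53": {"www.google.com": {"192.0.2.10", "192.0.2.11"},
                  "www.example.net": {"198.51.100.5"}},
    "10.0.1.53": {"www.google.com": {"192.0.2.11"},
                  "www.example.net": {"198.51.100.5"}},
    "203.0.113.7": {"www.google.com": {"203.0.113.99"},   # redirected
                    "www.example.net": {"198.51.100.5"}},
    "198.51.100.200": {"www.google.com": {"192.0.2.10"}},  # agrees with baseline
}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address, ignore the entry
    return servers


def untrusted_nameservers(text: str,
                          trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Nameservers configured on the host that are not on the allowlist."""
    return [s for s in parse_resolv_conf(text) if s not in trusted]


def rogue_resolvers(observations: Dict[str, Dict[str, Set[str]]],
                    trusted: Set[str]) -> Dict[str, List[str]]:
    """Map each suspicious resolver to the names it answered divergently.

    The baseline for a name is the union of all trusted resolvers' answers,
    so legitimate round-robin or geographic variation among trusted
    resolvers does not by itself cause a flag.
    """
    baseline: Dict[str, Set[str]] = {}
    for resolver in trusted:
        for name, addrs in observations.get(resolver, {}).items():
            baseline.setdefault(name, set()).update(addrs)

    flagged: Dict[str, List[str]] = {}
    for resolver, answers in observations.items():
        if resolver in trusted:
            continue
        for name, addrs in answers.items():
            if name in baseline and not (addrs & baseline[name]):
                flagged.setdefault(resolver, []).append(name)
    return flagged


if __name__ == "__main__":
    print("untrusted nameservers:", untrusted_nameservers(SAMPLE_RESOLV_CONF))
    print("rogue resolvers:", rogue_resolvers(SAMPLE_OBSERVATIONS, TRUSTED_RESOLVERS))
```

In practice the observation table would be filled by querying each resolver for a fixed list of names; the comparison logic stays the same. Restricting recursion on the organization's own servers, the third control the analysis names, is a server-side configuration change and is not covered by this host-side check.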
Users tend to follow data protection policies if instructed in what those policies are, and if the policies and technology involved are as unobtrusive as possible. Automating data backup services and encryption technology, and ensuring that employees know the appropriate response to the loss of data, will help minimize the risks and effects of losing corporate data.

Geopolitical

China and United States Dialogue on Trade Issues

At bilateral trade meetings held in Beijing, China and the United States (U.S.) agreed to a set of guidelines for promotion of U.S. civilian high technology exports to China. At the same time, Chinese negotiators warned against allowing trade issues to be politicized, referring to several issues being discussed by the U.S. Congress. In particular, the Chinese negotiators asked for clarification of the new Foreign Investment and National Security Act of 2007 (FINSA), which is expected to intensify U.S. government scrutiny of foreign investment in high technology and critical infrastructure.

IntelliShield Analysis: The meetings in Beijing were referred to as "Strategic Economic Dialogue," and the sessions appeared to focus solely on conversation. Treasury Secretary Henry Paulson brought back to the U.S. little more than an agreement to keep talking. China is unlikely to make major trade concessions to what it may perceive as the U.S. lame-duck administration, preferring to save more hard-hitting concessions for the U.S. government administration to be elected in 2008. Moreover, China's senior official at the event, Vice Premier Wu Yi, is set to retire midway through 2008. Overall, technology companies can likely interpret these trade discussions as a harbinger of forthcoming high-technology export frictions.
Upcoming Security Activity

Financial Cryptography and Data Security Conference: January 28–31, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Eid al-Adha: December 20–23, 2007
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
