
IntelliShield Cyber Risk Report

February 11–17, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Microsoft released 11 of its 12 scheduled bulletins in the monthly security update on February 12, 2008. IntelliShield analysts identified 17 of the vulnerabilities as previously undisclosed. A vulnerability in the Microsoft Works file converter could allow an attacker to distribute malicious code; it is described in IntelliShield alert 15063, and exploit code that demonstrates remote code execution is available. Given the recent trend of using vulnerabilities in office productivity applications to distribute malicious code, administrators should consider applying the updates for these vulnerabilities a priority.

Apple released a security update and an updated version of the Mac OS X operating system to address several vulnerabilities. IntelliShield analysts identified seven new and three previously undisclosed vulnerabilities addressed by this update. A vulnerability in the NFS component of Apple Mac OS X and Mac OS X Server could allow a remote attacker to cause a targeted system to crash or to execute arbitrary code. This vulnerability is described in IntelliShield alert 15129.  

Independent security researchers released the details of several vulnerabilities that were addressed by Adobe in a security advisory. This advisory is detailed in IntelliShield alert 15115. At least one of these vulnerabilities has been used to deliver malicious code. Administrators should consider updating Adobe products a priority because of the increased attention to vulnerabilities in office productivity software.

Technical details and patches were also released to address a variety of other vulnerabilities, many of which have been used to conduct malicious activities. Kernel.org released updated software to address a pair of privilege escalation vulnerabilities in the Linux kernel, described in IntelliShield alerts 15127 and 15128. Independent security researchers released details of a cross-site request forgery vulnerability in the web management interface of F5 Networks BIG-IP, detailed in IntelliShield alert 15150. Proof-of-concept exploit code demonstrates the ability to create additional administrative accounts within the affected application; under certain circumstances, an attacker could leverage this ability to take complete control of the affected system. Sources indicate that this vulnerability is being actively exploited. Proof-of-concept code is also available for a buffer overflow vulnerability in an Apple QuickTime for Windows ActiveX control, described in IntelliShield alert 15159.

During this time period, another Valentine's Day variant of the Storm worm was widely distributed. The Storm worm, documented in IntelliShield Alert 14009, circulated in Valentine's Day themed e-mails containing a link to a website that displays an e-card. Users who remain at the site for several seconds are prompted to download a copy of the worm. Users should always verify the authenticity of unexpected links in e-mail.

The recent exposure of the Adobe Acrobat and Reader vulnerabilities has prompted another variant of Trojan.Pidief, documented in IntelliShield Alert 14388. This trojan exploits buffer overflows in multiple JavaScript methods used by Adobe Acrobat and Reader; the vulnerability is described in IntelliShield Alert 15118. The update released by Adobe, described in IntelliShield Alert 15115, may also address other Adobe vulnerabilities that this trojan could exploit. Trojan.Pidief.C arrives as a PDF document and attempts to execute attacker-specified code on the system; it may also attempt to download additional malicious code. PDF documents are generally treated as trusted files and typically are not blocked at the e-mail gateway. Administrators are advised to warn users about the danger of opening attachments from unknown or unexpected senders.
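The gateway check implied by that last point, as an added example written for this page (it is not Cisco's, Adobe's, or the report's own code): a Python scan that flags PDFs carrying automatic actions or embedded script. The sample documents are constructed here and are harmless stand-ins, not samples of Trojan.Pidief; the quarantine policy, the RISKY_NAMES list, and the decision to inflate only FlateDecode streams that carry a direct /Length are choices made for this example.

```python
import re
import zlib

# Constructed, benign stand-in for the kind of PDF a mail gateway would see:
# the catalog's /OpenAction points at a JavaScript action, so the script runs
# as soon as the document opens. Not a sample of Trojan.Pidief.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document with the risky names written using PDF '#xx' escapes, a
# common trick against naive substring matching.
OBFUSCATED_PDF = (SAMPLE_PDF
                  .replace(b"/JavaScript", b"/J#61va#53cript")
                  .replace(b"/JS ", b"/J#53 "))

# Same action dictionary buried inside a FlateDecode stream (as it would be in
# an object stream); the raw bytes no longer contain the names at all.
_deflated = zlib.compress(b"<< /Type /Action /S /JavaScript /JS (app.alert('hello')) >>")
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_deflated)).encode() + b" >>\nstream\n" + _deflated
    + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name objects that make a PDF do something without the user clicking.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
SCRIPT_NAMES = {"/JavaScript", "/JS", "/Launch"}

# A stream dictionary with a direct /Length followed by the stream keyword.
# The tempered dot keeps the match from running past the end of an object.
STREAM_RE = re.compile(rb"/Length\s+(\d+)(?:(?!endobj).)*?>>\s*stream\r?\n", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that decompresses as zlib,
    so names stored inside compressed objects become visible to the scan."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        body = data[m.end(): m.end() + int(m.group(1))]
        try:
            parts.append(zlib.decompress(body))
        except zlib.error:
            pass  # not a Flate stream (or damaged); nothing to add
    return b"".join(parts)


def normalize_names(data: bytes) -> bytes:
    """Resolve '#xx' escapes so /J#61va#53cript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def risky_pdf_features(data: bytes, inflate: bool = True) -> list:
    """Return the sorted list of risky names present in the document."""
    scan = normalize_names(inflate_streams(data) if inflate else data)
    found = set()
    for name in RISKY_NAMES:
        # A name ends at the next delimiter: /JS must not match /JSX.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", scan):
            found.add(name.decode())
    return sorted(found)


def should_quarantine(data: bytes) -> bool:
    """Example gateway policy: hold any PDF that carries script or a launch
    action. A bare /OpenAction (e.g. jump to a page) is worth logging, not holding."""
    return bool(SCRIPT_NAMES & set(risky_pdf_features(data)))


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("obfuscated", OBFUSCATED_PDF),
                       ("compressed", COMPRESSED_PDF), ("clean", CLEAN_PDF)):
        verdict = "quarantine" if should_quarantine(doc) else "pass"
        print(label, risky_pdf_features(doc), verdict)
```

The two evasions shown, '#xx' name escapes and names buried in a compressed object stream, are why the scan normalizes and inflates before matching. Indirect /Length references, other filters, and encrypted documents are left to a full PDF parser, and a hit here is a reason to hold the message for analysis rather than proof of malice.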

IntelliShield published 206 events last week: 89 new events and 117 updated events. Of the 206 events, 180 were Vulnerability Alerts, nine were Security Issue Alerts, five were Malicious Code Alerts, four were Security Activity Bulletins, four were Applied Mitigation Bulletins, three were Daily Malicious Code Summaries, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        02/15/2008     8        43      51
Thursday      02/14/2008    15        30      45
Wednesday     02/13/2008    21        21      42
Tuesday       02/12/2008    29         9      38
Monday        02/11/2008    16        14      30
Weekly Total                89       117     206

 

Significant Alerts for February 11-17, 2008

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
IntelliShield Vulnerability Alert 15063, Version 3, February 14, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0216

Microsoft Works File Converter contains a vulnerability when handling legacy formatted Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates the remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 15150, Version 1, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4

F5 Networks BIG-IP contains a vulnerability in the web management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices. Because the browser automatically attaches the administrator's session cookie to requests for the management interface, the attack requires only that an authenticated administrator view an attacker-controlled web page. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability, and no updates are available.
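The class of flaw described here, reduced to a runnable Python model, as an added example written for this page (it is not F5's code, not the proof-of-concept the report mentions, and not a description of BIG-IP's actual interface; the path, form field names, session store, and device origin are hypothetical). It contrasts a handler that trusts the session cookie alone with one that also demands a per-session synchronizer token and an Origin/Referer naming the device.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Just enough of an HTTP request for the handlers below."""
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


# Constructed server state: one administrator already logged in to the
# device's web UI. Origin, session id and path are made up for this example.
DEVICE_ORIGIN = "https://bigip.example.internal"
SESSIONS = {"sid-7f3a": "admin"}
SERVER_SECRET = secrets.token_bytes(32)


def create_user_vulnerable(req: Request, users: dict) -> int:
    """Trusts the session cookie alone. The browser attaches that cookie to a
    cross-site POST, so any page the administrator views can submit this."""
    if req.method != "POST" or req.cookies.get("sid") not in SESSIONS:
        return 403
    users[req.form["name"]] = req.form["role"]
    return 200


def csrf_token(sid: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token bound to the session; the device embeds it in its
    own form, where a cross-site page cannot read it."""
    return hmac.new(secret, sid.encode(), "sha256").hexdigest()


def create_user_hardened(req: Request, users: dict) -> int:
    """Same action, gated on the token and on an Origin/Referer that names
    the device itself."""
    sid = req.cookies.get("sid")
    if req.method != "POST" or sid not in SESSIONS:
        return 403
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token(sid)):
        return 403
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != DEVICE_ORIGIN and not origin.startswith(DEVICE_ORIGIN + "/"):
        return 403
    users[req.form["name"]] = req.form["role"]
    return 200


# Shape of the attacker's page: a hidden auto-submitting form aimed at the
# device (hypothetical path). The victim's browser adds the session cookie;
# the attacker cannot add the token because it never saw the device's form.
ATTACKER_FORM = """<form id=f method=POST action="%s/admin/users/create">
<input name=name value=backdoor><input name=role value=administrator></form>
<script>document.getElementById('f').submit()</script>""" % DEVICE_ORIGIN


def forged_request() -> Request:
    """What the device receives when the admin's browser submits ATTACKER_FORM."""
    return Request("POST", "/admin/users/create", {"sid": "sid-7f3a"},
                   {"name": "backdoor", "role": "administrator"},
                   {"Origin": "https://attacker.example"})


def legitimate_request() -> Request:
    """What the device receives from its own account-creation page."""
    return Request("POST", "/admin/users/create", {"sid": "sid-7f3a"},
                   {"name": "ops2", "role": "operator",
                    "csrf": csrf_token("sid-7f3a")},
                   {"Origin": DEVICE_ORIGIN})


def run_demo() -> dict:
    """Run both handlers against both requests; return the status codes and
    the account tables each handler ends up with."""
    vuln_users, hard_users = {}, {}
    return {
        "vulnerable_forged": create_user_vulnerable(forged_request(), vuln_users),
        "hardened_forged": create_user_hardened(forged_request(), hard_users),
        "hardened_legit": create_user_hardened(legitimate_request(), hard_users),
        "vulnerable_users": vuln_users,
        "hardened_users": hard_users,
    }


if __name__ == "__main__":
    print(run_demo())
```

The token is the primary control: the attacker's page can make the browser send the cookie but cannot read a value embedded in the device's own form. The Origin/Referer check is defense in depth, since browsers of the period did not always send Origin and some proxies strip Referer. A management interface should additionally never change state on GET and should consider re-authentication before creating accounts.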

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
IntelliShield Vulnerability Alert 15127, Version 3, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0009, CVE-2008-0010

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 15128, Version 2, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0600

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate attackers are actively using this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15118, Version 1, February 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-5659

Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the target system. This vulnerability is currently being exploited in the wild. The vulnerability has been identified as being used by Trojan.Pidief.C as documented in IntelliShield Alert 14388.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 2, February 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Previous Alerts That Still Represent Significant Risk

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14951, Version 2, January 17, 2008
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2008-0081

Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public examples of exploit code have been observed. Attacks against this vulnerability are not likely widespread, as details of this vulnerability are still not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
IntelliShield Security Activity Bulletin 14949, Version 3, January 23, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Message Queuing Service Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 14720, Version 5, January 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-3039

Microsoft Message Queuing Service contains a vulnerability that could allow an attacker to execute arbitrary code. Exploit code is available that demonstrates this vulnerability on Windows 2000 systems. This exploit code is more automated than the previously released proof-of-concept code and requires only minor modifications by an attacker for each targeted host; it automatically derives the FQDN of the host from its NetBIOS name, making the vulnerability easier to exploit. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14655, Version 2, December 24, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-5580

Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. Such remotely exploitable vulnerabilities that likely affect a large number of highly sensitive systems are very attractive targets and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Physical

Art Gallery Robbed in Switzerland

Three armed men robbed the E. G. Bührle Collection museum in Zurich, Switzerland, on February 10, 2008. The men entered the building near the end of the business day. Two of them took four paintings from the walls while the third held museum employees at gunpoint. The men loaded the stolen paintings into the trunk of a car and drove away. Although some tips have been provided to Interpol, no new information has been uncovered. Another art gallery robbery in Switzerland occurred two days earlier and may be connected.

IntelliShield Analysis: Although this story is not directly related to information security, it illustrates the need to plan for common eventualities. The security of the private museum included alarms and personnel to protect the pieces when the museum was closed, but there was no protection against armed criminals walking in through the front door during business hours. Several security experts believe this was a theft of opportunity rather than a planned sale to a buyer, as selling stolen art is quite difficult. Many museums in Europe are small and try to maintain an open and trusting atmosphere, but that atmosphere has obvious drawbacks, and smaller museums cannot accommodate newer technology such as x-ray machines and comprehensive surveillance gear. Most businesses do not hold priceless art, but they must be aware of any commodity of sufficient value that could be taken by force. Sensitive or personal information, financial records, expensive equipment, and cash could all be targeted by armed men looking for a quick profit. Keeping such items out of sight behind obvious safeguards will deter most criminals and send them looking for easier targets.

Legal

United States Congress Divided Over Telecommunications Bill

The United States (U.S.) Senate has passed a bill extending powers that allow the government to perform warrantless surveillance on a limited basis. The new bill, the FISA Amendments Act of 2008, allows surveillance to be compelled from telecommunications providers without a warrant so long as certain conditions are met. This bill would extend the Protect America Act, which otherwise would expire on February 16. The Senate bill also includes language that would retroactively provide immunity for companies that complied under the previous act but have recently faced civil lawsuits for violating customer privacy. Despite the Senate's passage of the bill, the U.S. House of Representatives did not vote to renew the provisions in the Protect America Act. The House had been in turmoil as the Representatives were divided over key differences between the House and Senate versions of the bill, in particular the retroactive immunity provisions.

IntelliShield Analysis: Much like the claims made that German police sought to commission software to intercept communications prior to encryption on a suspect's computer system, the U.S. is struggling to balance government and national security interests against privacy rights. Although the issue of whether or not warrants are required is an important one, ultimately it is separate from whether or not an observer can intercept or monitor traffic.

Organizations that are concerned about the disclosure of information should rely on encryption or other safeguards. Regardless of the outcome of this particular legislation, tensions between the interests of private communications and monitoring will continue to escalate. Until more stability is reached, organizations may wish to regularly review various international legal requirements and concerns that could impact the confidentiality and integrity of their communications.

Trust

Antivirus Website Infects Visiting Machines

AvSoft Technologies, an antivirus vendor located in India, has apparently been compromised to spread malicious code. A page offering a download of the SmartCOP antivirus product contained an invisible iFrame that redirected the visitor's browser to another server hosting the malicious code. The virus was part of the Virut family, reported in IntelliShield alert 13162. It has not been announced whether the malicious code has been removed from the website.

IntelliShield Analysis: An antivirus vendor website altered to deliver malicious code is both ironic and a demonstration of the importance of keeping systems patched and updated. The vector used to infect visiting machines relied on a well-known vulnerability that was patched some time ago. AvSoft Technologies may not have been targeted specifically; criminals commonly scan the Internet for websites with exploitable code errors so that they can compromise sites automatically and infect their visitors. Companies should ensure their web servers are secured and regularly patched, and that they are monitored for suspicious activity such as redirecting traffic where there is no need to. Users cannot rely on a single method of protection, as even trusted sites may become compromised.
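A check for the injection pattern described above, as an added example written for this page (it is not AvSoft's code and not a Cisco tool): it parses a page's HTML, picks out the iframes, and reports those that are both invisible to the visitor and point at a host other than the site's own. The sample page, the site host name, and the addresses in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page modelled on the report's description: a product download
# page with an injected, invisible iframe pointing at a third-party host.
# Hosts are made up (RFC 5737 documentation addresses), as is SITE_HOST.
SAMPLE_HTML = """<html><body>
<h1>Download SmartCOP</h1>
<a href="/downloads/smartcop.exe">Download now</a>
<iframe src="http://203.0.113.5/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="/help/faq.html" width="400" height="300"></iframe>
<iframe src="http://198.51.100.7/x.html" style="display:none; position:absolute"></iframe>
</body></html>"""

SITE_HOST = "www.example-av.test"  # the host whose pages we are checking


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # html.parser lowercases names; valueless attributes arrive as None
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value: str):
    """Parse '0', '0px', '1' into an int; anything else is None (unknown)."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


def is_offsite(src: str, site_host: str) -> bool:
    """True when src names a host and that host is not the site's own.
    Relative URLs have no host and are therefore same-site."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def hidden_reasons(attrs: dict) -> list:
    """Why this iframe would be invisible to the visitor: zero/one-pixel
    dimensions or an inline style that hides it."""
    reasons = []
    for dim in ("width", "height"):
        px = _px(attrs.get(dim, ""))
        if px is not None and px <= 1:
            reasons.append("%s=%d" % (dim, px))
    style = attrs.get("style", "").replace(" ", "").lower()
    for marker in ("display:none", "visibility:hidden"):
        if marker in style:
            reasons.append(marker)
    return reasons


def find_hidden_iframes(html: str, site_host: str) -> list:
    """Return (src, reasons) for iframes that are both hidden and off-site.
    That combination is the drive-by pattern; a visible, same-site iframe
    (a help page, for instance) is ordinary and is not reported."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = hidden_reasons(attrs)
        if reasons and is_offsite(src, site_host):
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML, SITE_HOST):
        print("suspicious iframe:", src, ",".join(reasons))
```

Run it from a monitoring job against your own pages and diff the result against a known-good baseline. It catches the static injection the report describes; an iframe written at run time by obfuscated JavaScript needs a rendering browser or a script-level scan, and the same hidden-plus-off-site test applies to script and object tags.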

Identity

There was no significant activity in this category during the time period.

Human

E-mail Gaffe Leads to New York Times Article

An e-mail pertaining to a US$1 billion negotiation between pharmaceutical company Eli Lilly and the United States Government was accidentally sent to a reporter for the New York Times. A Pepper Hamilton lawyer working for Eli Lilly, intending to discuss the negotiations, sent a confidential document to New York Times reporter Alex Berenson instead of Sidley Austin lawyer Bradford Berenson. Alex Berenson published an article based on the contents of the e-mail. The mistake happened when the Pepper Hamilton lawyer accepted the first address her e-mail client autocompleted, which belonged to the wrong Berenson.

IntelliShield Analysis: The New York Times has clarified that Alex Berenson denies that the errant e-mail was his initial source and states that he was already aware of the confidential negotiations. In any case, misdirected e-mail is a common problem that has plagued many organizations. As easy as it would be to blame the technology, the responsibility rests with the users. Vigilance is required when daily activity involves confidential documents, and plain-text e-mail should never be used for potentially sensitive information. There is also the question of why the reporter's address was in the address book to begin with; others should be equally cautious about which addresses they keep in their address books. The e-mail carried a confidentiality disclaimer, but such warnings have only proven effective between lawyers, not with the general population.

Geopolitical

Arrests Point to Data Vulnerabilities

The U.S. Federal Bureau of Investigation made a string of arrests over the past week pertaining to the illegal transfer of military information and equipment to foreign state actors.

  • A Texas woman is being held for illegally selling commercial aircraft parts, through an offshore intermediary company, to Iran. Her husband remains at large. The couple exported aircraft parts, including Chinook military helicopter components, to their Singapore-based company, Monarch Aviation. They did so without obtaining an export license.
  • A Department of Defense analyst was arrested for selling classified U.S. defense information to a furniture salesman in New Orleans, naturalized U.S. citizen Tai Shen Kuo. The information pertained to Foreign Military Sales (FMS) to Taiwan of military communications, intelligence, and surveillance equipment. Kuo then sold the information to an unnamed member of the government of the People's Republic of China.
  • A 30-year veteran of Rockwell and Boeing was charged with passing classified manuals and other technical data pertaining to the U.S. Space Shuttle program, including the Delta-IV booster rocket and the Delta IV umbilical release system. The suspect had also traveled to the People's Republic of China on several occasions and made presentations on these subjects to Chinese aerospace industry experts. Some of the charges relate to information passed close to 30 years ago.


IntelliShield Analysis: These arrests highlight the vulnerability of technical intellectual property to state actors bent on acquiring it. A close look at the cases also reveals the methods these individuals allegedly used. They relied on intermediaries to mask their tracks, including a foreign company in a friendly third country, family members, friends, and formal intermediaries. To elude detection, they also used PGP encryption software, an offshore ISP, numerous telephones and e-mail accounts, and stored data or equipment in their homes prior to transshipment. As details of these cases become public, further red flags that the employers of those with access to sensitive information might have recognized may become apparent.

Upcoming Security Activity

North American Network Operators' Group (NANOG): February 17–20, 2008
Black Hat DC: February 18–21, 2008
Messaging Anti-Abuse Working Group (MAAWG): February 18–20, 2008
Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT): February 20–29, 2008
Internet Engineering Task Force Conference: March 9–14, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Pakistan Elections: February 18, 2008
Iran President Ahmadinejad to Visit Iraq: March 2, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free six-month trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
