February 18–24, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of collaborative efforts, information sharing, and the collective security expertise of senior analysts from Cisco security services, including the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

During the time period, independent security researchers released a proof-of-concept URL that demonstrates a directory traversal vulnerability in Oracle Enterprise Manager. A remote attacker could exploit this vulnerability to read arbitrary files on the affected system. To exploit it, the attacker must send a malicious request to TCP port 1158, the port that serves the Enterprise Manager console. Access to that port is typically restricted to administrative networks, which limits exposure but does not remove it for anyone who can already reach the console.

IBM released FixPaks for the DB2 database server to address numerous security issues and other bugs. These issues could allow local and remote attackers to cause denial of service conditions or bypass security restrictions.

BEA also released 21 security advisories to address vulnerabilities in BEA JRockit, WebLogic, AquaLogic, and Plumtree products. IntelliShield analysts produced alerts for 17 new and ten previously disclosed vulnerabilities addressed by these advisories. Exploitation of these vulnerabilities could allow a remote attacker to conduct cross-site scripting attacks, bypass security restrictions, cause a denial of service condition, or gain elevated privileges.

IntelliShield published 168 events last week: 48 new events and 120 updated events.
Of the 168 events, 152 were Vulnerability Alerts, six were Security Issue Alerts, five were Daily Malicious Code Summaries, two were Security Activity Bulletins, one was a Malicious Code Alert, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
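The Oracle Enterprise Manager item above is a directory traversal: a request path that, once decoded and resolved, points at a file outside the directory the console is meant to serve. The following is an added example and not code from the report, from Oracle, or from the researchers' proof of concept (it does not reproduce their URL). It shows the check a practitioner would put in front of a file-serving handler, and would run over console access logs, for this bug class: percent-decode the path until it stops changing (so double encoding is not a bypass), join it under the served root before normalising, and refuse anything that lands outside. The document root WEB_ROOT and the request lines are constructed for illustration.

```python
"""Path-traversal detection for a management-console request path.

Added example; not code from the IntelliShield report, from Oracle, or
from the researchers' proof of concept. WEB_ROOT and SAMPLE_REQUESTS
are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/opt/oracle/em/htdocs"   # hypothetical document root


def decode_path(raw_path: str, max_rounds: int = 3) -> str:
    """Strip the query string and percent-decode until the path is stable.

    Decoding repeats (bounded by max_rounds) so that double-encoded
    sequences such as %252e%252e resolve; a single unquote() would leave
    '%2e%2e' intact and let it through. Backslashes are treated as
    separators because some servers accept them.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve_path(raw_path: str, web_root: str = WEB_ROOT) -> str:
    """Join the decoded path under web_root, then collapse '.', '..', '//'.

    The join happens before normalisation on purpose: normalising the
    request on its own would turn '/../../etc/passwd' into '/etc/passwd'
    and discard the traversal before it can be seen.
    """
    rel = decode_path(raw_path).lstrip("/")
    return posixpath.normpath(posixpath.join(web_root, rel))


def is_traversal(raw_path: str, web_root: str = WEB_ROOT) -> bool:
    """True if the request resolves to a file outside web_root."""
    resolved = resolve_path(raw_path, web_root)
    return not (resolved == web_root or resolved.startswith(web_root + "/"))


# Constructed request lines, not captured from any real system.
SAMPLE_REQUESTS = [
    "GET /em/console/images/logo.gif HTTP/1.1",
    "GET /em/console/../../../../../etc/passwd HTTP/1.1",
    "GET /em/console/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /em/console/" + "%252e%252e%252f" * 6 + "etc/passwd HTTP/1.1",
    r"GET /em/console/..\..\..\..\..\windows\win.ini HTTP/1.1",
    "GET /em/console/../index.html?x=1 HTTP/1.1",   # '..' that stays inside the root
]


def flag_requests(lines, web_root: str = WEB_ROOT):
    """Return the request paths in `lines` that escape web_root."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if is_traversal(parts[1], web_root):
            flagged.append(parts[1])
    return flagged


if __name__ == "__main__":
    for path in flag_requests(SAMPLE_REQUESTS):
        print("traversal:", path, "->", resolve_path(path))
```

The check is tied to the served root rather than to a denylist of ".." strings, because encodings multiply faster than any denylist; note that the last sample request contains ".." yet is correctly left alone. posixpath.normpath is a purely lexical operation, which is what you want when scanning logs; inside a live handler, resolve the joined path with os.path.realpath and compare it against the realpath of the root so that a symlink under the root cannot reopen the hole.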
Previous Alerts That Still Represent Significant Risk

Microsoft Works File Converter Section Length Header Code Execution Vulnerability
Microsoft Works File Converter contains a vulnerability in the handling of legacy-format Microsoft Works files that could allow a remote attacker to execute arbitrary code. To exploit this vulnerability, the attacker must convince a user to open a malicious .wps document with a vulnerable product. Exploit code that demonstrates remote execution of arbitrary code is available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

F5 Networks BIG-IP Web Management Interface Cross-Site Request Forgery Vulnerability
F5 Networks BIG-IP contains a vulnerability in the management interface that could allow a remote attacker to conduct cross-site request forgery attacks and make configuration changes to affected devices: an administrator who views an attacker-controlled page while logged in to the interface can be made to submit requests to the device without knowing it. Proof-of-concept exploit code is available that demonstrates the creation of additional administrative accounts. Sources indicate that this vulnerability is being actively exploited. F5 Networks has not confirmed this vulnerability, and no updates are available.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to those of the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate attackers are actively using this vulnerability to compromise affected systems.

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability
Adobe Acrobat and Reader contain a vulnerability that could allow a remote attacker to cause the application to crash or execute arbitrary code. The attacker may be able to gain elevated privileges depending on the configuration of the target system. This vulnerability is currently being exploited in the wild; it has been identified as being used by Trojan.Pidief.C, as documented in IntelliShield Alert 14388.

Adobe Reader and Acrobat Security Update 8.1.2
Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released technical details of several vulnerabilities corrected by this update, and at least one has been used to distribute malicious code.

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public exploit code has been observed, and attacks are not likely to be widespread while the details of the vulnerability remain little known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise.
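The F5 BIG-IP alert above is the textbook consequence of a management interface whose only gate for a state-changing request is the session cookie: the victim's browser attaches that cookie to a POST submitted from any page, so an attacker's page can create an administrator. The following is an added example, not F5's code, not the proof of concept referred to above, and not IntelliShield's. It models an "add administrator" action as a plain function over a request dict so the flaw and the two controls that close it (an Origin/Referer check against the console's own host, and a per-session synchronizer token compared in constant time) can be exercised offline. ADMIN_HOST, the session table, the request fields, and the constructed requests are assumptions for illustration.

```python
"""Cross-site request forgery against a device management interface.

Added example; not F5's code, not the referenced proof of concept, and
not IntelliShield's. ADMIN_HOST, SESSIONS, ACCOUNTS and the request
dicts are assumptions constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

ADMIN_HOST = "bigip-mgmt.example.internal"   # hypothetical management hostname

SESSIONS = {}         # session id -> {"user": ..., "csrf_token": ...}
ACCOUNTS = {"admin"}  # stands in for the device's account store


def new_session(user: str) -> str:
    """Log `user` in; the per-session token is what a forged request lacks."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def add_user_vulnerable(request) -> int:
    """The pattern the alert describes: the session cookie is the only gate.

    A browser attaches the cookie to every POST to the device, including
    one sent by a hidden, auto-submitting form on an attacker's page, so an
    administrator who merely views that page while logged in creates
    whatever account the form names.
    """
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    ACCOUNTS.add(request["form"]["username"])
    return 200


def _same_origin(request) -> bool:
    """Origin (falling back to Referer for older browsers) must name ADMIN_HOST.

    A request carrying neither header is rejected, not waved through: a
    browser-initiated state change always carries at least one of them.
    """
    src = request["headers"].get("Origin") or request["headers"].get("Referer")
    return bool(src) and urlsplit(src).hostname == ADMIN_HOST


def add_user_hardened(request) -> int:
    """Same action with an origin check and a synchronizer token."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    if not _same_origin(request):
        return 403
    token = request["form"].get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered byte by byte
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403
    ACCOUNTS.add(request["form"]["username"])
    return 200


def forged_request(sid: str) -> dict:
    """Constructed: what the victim's browser sends from the attacker's page.

    The cookie rides along automatically, the Origin is the attacker's
    site, and the attacker cannot read the victim's token, so none is sent.
    """
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"username": "backdoor", "password": "x"},
    }


def legitimate_request(sid: str, with_token: bool = True, with_origin: bool = True) -> dict:
    """Constructed: the same form submitted from the real console page.

    The flags drop the token or the Origin header to show that each check
    stands on its own (a missing header is a 403, not a pass).
    """
    form = {"username": "ops2", "password": "x"}
    if with_token:
        form["csrf_token"] = SESSIONS[sid]["csrf_token"]
    headers = {"Origin": "https://" + ADMIN_HOST} if with_origin else {}
    return {"cookies": {"session": sid}, "headers": headers, "form": form}


def demo():
    """Run the forged request against both handlers and return the outcomes."""
    ACCOUNTS.clear()
    ACCOUNTS.add("admin")
    sid = new_session("admin")
    vulnerable = add_user_vulnerable(forged_request(sid))       # 200: backdoor created
    after_vulnerable = sorted(ACCOUNTS)
    ACCOUNTS.discard("backdoor")
    hardened_forged = add_user_hardened(forged_request(sid))     # 403: wrong origin, no token
    hardened_legit = add_user_hardened(legitimate_request(sid))  # 200: real console page
    return vulnerable, after_vulnerable, hardened_forged, hardened_legit, sorted(ACCOUNTS)


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the origin check fails closed on a missing header, and the token check fails on a missing or mismatched token, so an attacker who can suppress one still cannot satisfy the other. Neither control depends on the request being authenticated, which is the point; the cookie is exactly what the attacker already has.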
Additional IntelliShield alerts detailing individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Message Queuing Service Remote Code Execution Vulnerability
Microsoft Message Queuing Service contains a vulnerability that could allow an attacker to execute arbitrary code. Exploit code is available that demonstrates this vulnerability on Windows 2000 systems. This exploit code is more automated than the previously disclosed proof-of-concept code and requires only minor modifications by an attacker for each targeted host; it derives the FQDN of the host from its NetBIOS name automatically, which makes the vulnerability easier to exploit. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability
Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. Remotely exploitable vulnerabilities that likely affect a large number of highly sensitive systems are very attractive targets and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Physical

Amtrak to Increase Security and Begin Random Luggage Screening
Amtrak, the United States' federally subsidized passenger rail system, has implemented increased security measures in the form of Mobile Security Teams and random bag inspections. The Mobile Security Teams include heavily armed police, police dog units, and random screening checkpoints. Only individuals selected by the security teams will be required to undergo additional screening.
Increased security will begin in the most heavily used region, the Northeast United States, and will eventually be deployed nationwide. Amtrak officials indicated that the increased measures are appropriate but are not in response to a new or specific security threat.

IntelliShield Analysis: Random rail system security checkpoints offer the advantage of unpredictability, but they screen only a sample of passengers. The associated increase in police presence may offer a sense of security to passengers and could improve security conditions on the rail lines, but even allowing for the fundamental differences between this program and airline security, there is no clear benefit that can be derived from station security. Most security will be concentrated at stations, which could deter or prevent attacks among crowds at the train platforms or coordinated attacks across multiple trains, such as the attacks that targeted the Madrid rail system in 2004. However, the train system is by nature tied to predefined land routes, and these long stretches of rail are difficult to secure and subject to sabotage. Organizations must always make trade-offs when implementing security, but as long as the risks and the benefits are well understood, security can still have a net positive effect.

Legal

Chinese Telecommunication Company Huawei and 3Com Merger Fails
China's Huawei Technologies announced that it was no longer seeking the acquisition of the American technology company 3Com, citing acquisition complexities and rising costs. The announcement was Huawei's first comment after the deal encountered difficulties when the Committee on Foreign Investment in the United States (CFIUS) voiced its disapproval, likely over Huawei Technologies' close ties with the Chinese military. The purchase was initiated by Bain Capital, a private equity firm, which bid US$2.2 billion and promised a 16.5 percent stake to Huawei.
The plan limited Huawei's access to 3Com's technology and did not permit operational control of the acquired entity.

IntelliShield Analysis: 3Com's plight and the failed acquisition demonstrate one of the issues involved in an uncertain global economy. Larger enterprises may find it increasingly difficult to attract foreign investors if those investors view the United States government as placing a greater emphasis on protectionism. With Huawei being a major customer of 3Com, damage to the relationship could hinder 3Com's current business as well as ward off future buyers. A spokesperson for China's foreign ministry commented that the situation is being taken very seriously and may play an important part in determining whether a "fair and favorable environment" exists for Chinese companies in the United States, although this assertion may be posturing. 3Com will likely continue seeking a buyer and may specifically tailor its negotiations to address the concerns that were raised.

Trust

Google to Store Health Records
Google plans to begin testing a newly developed health service that will store health profiles. Access to the health records, which will be accessible through Google but not to the general public, will require a password, much like other Google services. Google hopes the service will aid patients in maintaining updated health records, even as they switch between providers. Privacy experts who are already concerned that Google collects too much user information are wary of the new service, as it would add further information to Google's databases. Google is testing the service with the Cleveland Clinic, which hopes the cooperation could establish a more efficient national health care system.
IntelliShield Analysis: With the introduction of an online component, as well as Google-conducted management, the health service will concentrate vast amounts of sensitive information in a high-profile target with a user-accessible interface. Although integrating this service into Google's search capabilities may allow patients to find pertinent information faster, privacy concerns may arise about the type of information disclosed during searches. In the United States, third-party services that are related to the medical industry are not covered by the Health Insurance Portability and Accountability Act (HIPAA). Thus, other third-party companies could theoretically access the information, which may allow marketing firms to target patients. Third-party services are also not required to inform patients of a release of information to governmental or legal entities. Patients and health care providers may be attracted to the new Google system, but the service will likely need to address privacy and security concerns before many advocates will be convinced to try it.

Identity

There was no significant activity in this category during the time period.

Human

Malicious Code Spread through Supposed Political E-mail
E-mail spammers have begun to leverage interest in the United States presidential primaries to spread malicious code, but there has yet to be extensive exploitation of the events. One worm that promises a video of Democratic candidate Hillary Clinton actually delivers a trojan and converts an infected system into a spam-sending bot. Only one other piece of malicious code, tied to Republican contender Ron Paul, attempted to take advantage of the primary process, in October 2007.
IntelliShield Analysis: It is unclear why spammers have not targeted current United States political events more heavily; however, with so many campaigns making use of online fundraising, spammers may eventually decide to make a concerted effort to profit from the upcoming election. An increase in targeted political phishing and spam attacks will likely occur after the Democratic and Republican national conventions select their presidential candidates. Even if a significant spam effort does not develop around the United States elections, users should remain vigilant and refuse to be enticed by suspicious e-mail messages.

Geopolitical

Kosovo Independence Declaration Causes Global Effect
Protests, violence, and diplomatic tension followed Kosovo's recent declaration of independence from Serbia. At least 150,000 Serbs demonstrated in Belgrade, and the United States embassy was attacked by rioters. The largest members of the European Union and the United States support Kosovo's independence, but a split emerged in the United Nations (UN) Security Council because of Russian opposition. Countries that have expressed alarm and opposition, most of which are dealing with their own separatist movements, include China, Spain, Romania, Cyprus, Georgia, Slovakia, Sri Lanka, Vietnam, and others. A senior aide to Palestinian President Mahmud Abbas drew comparisons with Kosovo, claiming it could become a model for the Palestinian people if peace talks with Israel fail. Kosovo has been under UN administration since 1999 and will continue to be governed by an international presence for the foreseeable future.

IntelliShield Analysis: Kosovo's independence declaration threatens to initiate instability in countries that grapple with separatist movements. Russia issued a warning that the declaration threatened regional peace, and rumors indicate that Russia may take retaliatory steps, such as offering more support to Georgian separatist movements.
China, which is concerned in particular about Taiwan, has also expressed alarm. Security teams in the information technology industry may consider assessing whether critical infrastructure, property, or employees are located along any of these global fault lines and, if so, keep these developments in mind.

Upcoming Security Activity

Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT): February 20-29, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following events:

Jeddah Economic Forum: February 23-26, 2008
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.