February 4–10, 2008

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

During the time period, Microsoft released the Microsoft Security Bulletin Advance Notification for February 2008. Of the 12 bulletins that are scheduled for release on February 12, 2008, Microsoft scored seven with a maximum severity rating of Critical and five with a maximum severity rating of Important. Seven of these bulletins address vulnerabilities that affect the Microsoft Windows operating system or its components. The remaining bulletins cover vulnerabilities in Internet Explorer or the Microsoft Office suite of applications.

Mozilla released security advisories and updated software to address 10 new and one previously disclosed vulnerability in the Firefox web browser, SeaMonkey web suite, and Thunderbird mail client. A remote attacker could exploit these vulnerabilities to prevent the browser from opening certain file types on the local system, modify the browser's configuration, gain access to sensitive information, or execute arbitrary code on the local system or in a browser session. Users should update their systems accordingly. If a user is unable to apply the updated software, an alternate web browser should be used to browse the Internet.

A phony Microsoft Update site that is distributing malware has been active during the time period. The site appears to be a legitimate Microsoft Update site that contains a critical update for Windows. The web page contains an "Urgent Install" button that, if clicked, downloads a variant of the Agent family of trojans. The web page also contains the text "URGENT: Please intall critical Windows XP/2000/2003/Vista update!". Scam websites commonly contain spelling and grammatical errors, both of which may indicate to users that the website could be malicious. Users should contact the system administrator before installing any update. Microsoft updates are delivered to the system via Windows Update. The URL of a malicious website could closely resemble the URL of the legitimate website, but may use a variation in spelling or a different domain.

IntelliShield published 135 events last week: 43 new events and 92 updated events. Of the 135 events, 118 were Vulnerability Alerts, seven were Security Issue Alerts, four were Daily Malicious Code Summaries, four were Security Activity Bulletins, one was a Malicious Code Alert, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
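The phony update site described above relies on a URL that resembles the legitimate one. The following triage helper, written as an added example for this report (it is not Cisco or Microsoft code), classifies a URL found in a proxy log or a user report as a known update host, a lookalike of the microsoft.com domain, or something unrelated. The allow-list of trusted hosts, the two-character edit-distance threshold and every sample URL are assumptions constructed for illustration; a deployment would maintain its own allow-list.

```python
"""Classify URLs that claim to be Microsoft Update (added example, not vendor code).

The allow-list and thresholds below are assumptions for illustration; the
sample URLs at the bottom are constructed, not observed in the wild.
"""
from urllib.parse import urlsplit

# Assumed allow-list of legitimate Windows Update hosts (illustrative only).
TRUSTED_UPDATE_HOSTS = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.update.microsoft.com",
}

TRUSTED_DOMAIN = "microsoft.com"
LOOKALIKE_DISTANCE = 2  # assumed: respellings within two edits count as mimicry


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot one- or two-character respellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name; sufficient for .com-style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_update_url(url: str) -> str:
    """Return one of: trusted, lookalike, same-domain-unlisted, unrelated.

    trusted              host is on the allow-list
    lookalike            second-level label is 'microsoft' under another TLD,
                         the domain is within LOOKALIKE_DISTANCE edits of
                         microsoft.com, or 'microsoft'/'windowsupdate' appears
                         in a host whose registrable domain is not microsoft.com
    same-domain-unlisted genuine microsoft.com host that is not an update host
    unrelated            no resemblance; still not an update source
    """
    if "://" not in url:
        url = "http://" + url  # bare host names from user reports
    host = (urlsplit(url).hostname or "").lower()
    if host in TRUSTED_UPDATE_HOSTS:
        return "trusted"
    domain = registrable_domain(host)
    if domain == TRUSTED_DOMAIN:
        return "same-domain-unlisted"
    second_level = domain.split(".")[0]
    if second_level == "microsoft":
        return "lookalike"
    if levenshtein(domain, TRUSTED_DOMAIN) <= LOOKALIKE_DISTANCE:
        return "lookalike"
    if "microsoft" in host or "windowsupdate" in host:
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Map each URL to its classification, for bulk review of a log extract."""
    return {u: classify_update_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs (not real observations).
    for url, verdict in triage([
        "http://update.microsoft.com/windowsupdate/v6/default.aspx",
        "http://update.micros0ft.com/critical",
        "http://microsoft.update-critical.example/urgent",
        "http://download.example.org/patch.exe",
    ]).items():
        print(f"{verdict:22} {url}")
```

The check deliberately stops at the registrable domain and plain ASCII; internationalized (punycode) host names and brand names embedded deeper in a path are not handled and would need a separate rule.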
Previous Alerts That Still Represent Significant Risk

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public examples of exploit code have been observed. Attacks against this vulnerability are not likely widespread, as details of this vulnerability are still not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released in the near future as technical details become available.

ClamAV popen() Function Arbitrary Code Execution Vulnerability
ClamAV contains a vulnerability that could allow a remote attacker to execute arbitrary code. Exploit code, which is similar to other, much older attacks against other types of systems, is available. An attacker may be able to easily modify the code to conduct multiple attacks. ClamAV has confirmed this vulnerability and released updated software.

Microsoft Message Queuing Service Remote Code Execution Vulnerability
Microsoft Message Queuing Service contains a vulnerability that can allow an attacker to execute arbitrary code. Exploit code is available that demonstrates this vulnerability on Windows 2000 machines. This exploit code is more automated than the previously disclosed proof-of-concept code. The new exploit code requires only minor modifications by an attacker for each targeted host system. The exploit automatically extracts the FQDN of the host from its NetBIOS name, making it easier for an attacker to exploit this vulnerability. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. Public reports indicate that this vulnerability is actively being exploited. Microsoft has not confirmed this vulnerability, and updates are unavailable.

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability
Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. Such remotely exploitable vulnerabilities that likely affect a large number of highly sensitive systems are very attractive targets and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Apple QuickTime RTSP Response Content-Type Header Buffer Overflow Vulnerability
Apple QuickTime Player contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. With the release of functional exploit code, this vulnerability will likely be exploited in the wild. The vulnerability is triggered during the initial handshake of the RTSP negotiation via a malformed Content-Type header. An attacker is required to send less than 2000 bytes of data to compromise an affected host. Because of the nature of the vulnerability, attackers have a large payload window to leverage. Apple has confirmed this vulnerability in a security bulletin and released updated software.

Physical

There was no significant activity in this category during the time period.

Legal

United States Courts to Hear Challenges on Border Searches

The Electronic Frontier Foundation and the Asian Law Caucus have filed federal lawsuits challenging the legality of several recent searches performed by United States (U.S.) Customs and Border Protection officers. The lawsuits seek to discover the policies that border enforcement agents use to search and confiscate electronic devices and to question individuals. A number of air travelers have reported that officers ordered them to divulge login credentials, reveal browser history, or even hand over devices. Confiscated devices allegedly had data copied or deleted before being returned.

IntelliShield Analysis: Personal possessions are routinely subject to search and seizure by border agents in the U.S. and elsewhere. With these lawsuits, the U.S. courts may rule that documents found on electronic devices can be inspected. Organizations might consider adopting foreign travel policies designed to facilitate border crossings and prevent data loss or theft in a foreign jurisdiction. Keeping sensitive information encrypted or off devices entirely may be the most effective way to prevent disclosure. A VPN could be used to retrieve information while traveling abroad, but security policies and procedures may need to be enforced to prevent data from being retrieved and then brought back through customs. Companies need to be aware of the risks and understand that, until a ruling is reached, employees may have to decide between handing over information or being denied entry at the border.
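Returning to the Apple QuickTime RTSP item in the Vulnerability section above: a monitoring point or proxy that sees RTSP responses can bound the Content-Type header before an unpatched client parses it. The check below is an added example written for this report, not Apple's code and not a Cisco signature. The 256-byte Content-Type ceiling, the 8 KB header-block ceiling and the two sample responses are constructed assumptions chosen for illustration.

```python
"""Bounds check on RTSP response headers (added defensive example, not vendor code).

Limits and sample responses are assumptions constructed for illustration.
"""
from __future__ import annotations

# Assumed policy limits (illustrative): a well-formed Content-Type such as
# "application/sdp" is a few dozen bytes, far below this ceiling.
MAX_CONTENT_TYPE_LEN = 256
MAX_HEADER_BLOCK = 8192


def parse_rtsp_headers(raw: bytes) -> tuple[str, dict[str, bytes]]:
    """Split an RTSP response into its status line and a header dict.

    Header names are folded to lower case; values stay as bytes so the caller
    can inspect non-ASCII content rather than have it decoded away.
    Raises ValueError when the header block is unterminated, oversized, or
    contains a line without a colon.
    """
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("header block not terminated")
    if end > MAX_HEADER_BLOCK:
        raise ValueError("header block exceeds %d bytes" % MAX_HEADER_BLOCK)
    lines = raw[:end].split(b"\r\n")
    status = lines[0].decode("ascii", errors="replace")
    headers: dict[str, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii", errors="replace")] = value.strip()
    return status, headers


def check_content_type(value: bytes) -> list[str]:
    """Return the reasons a Content-Type value looks hostile (empty list if none)."""
    findings = []
    if len(value) > MAX_CONTENT_TYPE_LEN:
        findings.append("content-type length %d exceeds %d" % (len(value), MAX_CONTENT_TYPE_LEN))
    if any(b < 0x20 or b > 0x7E for b in value):
        findings.append("content-type contains non-printable bytes")
    if b"/" not in value.split(b";", 1)[0]:
        findings.append("content-type media type lacks type/subtype form")
    return findings


def inspect_rtsp_response(raw: bytes) -> list[str]:
    """Parse a response and validate its Content-Type header if one is present."""
    try:
        _, headers = parse_rtsp_headers(raw)
    except ValueError as exc:
        return ["unparseable response: %s" % exc]
    if "content-type" not in headers:
        return []
    return check_content_type(headers["content-type"])


# Constructed sample responses (not captured traffic).
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    + b"CSeq: 2\r\n"
    + b"Content-Type: application/sdp\r\n"
    + b"Content-Length: 0\r\n"
    + b"\r\n"
)

# Same shape, but the Content-Type value is padded far past any sane length.
OVERSIZED_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    + b"CSeq: 2\r\n"
    + b"Content-Type: " + b"A" * 1500 + b"\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RESPONSE), ("oversized", OVERSIZED_RESPONSE)):
        print(label, inspect_rtsp_response(sample) or ["ok"])
```

A response that fails the check would be dropped or logged by the intermediary rather than forwarded; the findings list is structured so that each reason can become a separate alert field.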
Trust

State of Security for Telecommunications, Media, and Entertainment Industries

Deloitte released a report on the state of security and privacy for the technology, media, and entertainment industries based on a survey of over 100 organizations. The survey data is based on interviews with security executives, managers, and teams, and the respondents represented a nearly equal percentage of organizations from across the three industries. The results indicate that telecommunications, media, and entertainment organizations, regardless of size, generally have a security posture of reacting to threats, vulnerabilities, and incidents, but widely lack the fundamental security policies, procedures, and practices that are common across more security-conscious industries. Over half of the organizations responded that privacy programs were still being created and organized, and more than a third reported that they do not track customers' sensitive information or report data breaches.

IntelliShield Analysis: The results of this survey reflect the innovative and competitive nature of these industries. With the focus on innovation, speed to market, and implementation of the latest technologies, security and privacy concerns are often an afterthought. These industries are also challenged by the implementation of constantly evolving Digital Rights Management (DRM) technology. With the growing adoption by consumers of the products from these industries, the security of the products and the protection of the customers' privacy and sensitive information stored by these organizations will continue to be a growing concern. Many businesses are still developing security policies and practices around these products, which are often installed by users on workplace systems without the knowledge or management of IT or security departments.
Identity

Five Major Vendors Join OpenID Foundation

IBM, Google Inc., Microsoft Corp., VeriSign Inc., and Yahoo Inc. have joined the OpenID Foundation Corporate Board. The OpenID Foundation is working to create a simplified and secure system in which only one username and password is required to sign into any website. According to the foundation, there are over 10,000 websites that support OpenID, and the foundation wants to expand that support in 2008. Yahoo has already pledged that 248 million of its users will be able to use their current username and password in conjunction with OpenID.

IntelliShield Analysis: Identity management continues to be a major problem for corporations as well as individuals. Any solution is going to require support from major players in the web sphere. The induction of these five vendors to the corporate board of the foundation is an important step in exploring the issues around password management to find a common solution that will be readily supported by the industry and adopted by the mainstream Internet user base. The foundation's board serves in a supportive role to the OpenID community, but does not make decisions regarding specifications. The next actions taken by the board of OpenID may give a better clue to the level of support that may be offered in the future. Some companies may choose to function as an identity provider for only their own services instead of allowing authentication from other identity providers, a significant issue to be worked out within the OpenID network.

Human

Remote Workers Lax When It Comes to Security

Cisco has released the findings from a global security study that surveyed over 2000 individuals from 10 countries to learn how remote employees conduct online business and how their security, and the security of the companies they work for, may be impacted.
The report indicated that a false sense of security permeated the remote worker culture and that overall, a disciplined approach to online security had lessened. The survey also found that employees are using work resources for personal use and use personal devices for work-related activity. Part of the reason cited is that employees assume that they are much more secure as attacks become more covert.
IntelliShield Analysis: The number of workers who work remotely continues to increase worldwide as the technology to do so becomes more advanced and affordable. An expanding remote workforce increases the possibility of gaps within corporate security infrastructures. Operating on the corporate network with IT-approved hardware and software entails a certain level of risk, but introducing outside activities such as online shopping, multimedia, peer-to-peer sharing, personal e-mail, and connections to untrusted wireless devices adds a new layer of potential security hazards. A continuing program of user awareness, education, and communication that encourages remote workers to be vigilant and security-minded remains the strongest asset to ensure good security choices by remote workers.

Geopolitical

Global Calls Intensify for Regulation of Powerful Sovereign Wealth Funds

The hostile takeover bid of London-based mining giant Rio Tinto highlighted widespread concern over the influence of sovereign wealth funds. In the takeover struggle led by an Australian company, it was rumored that China Investment Corporation (CIC), China's US$200 billion sovereign wealth fund, had kicked in funds to help domestic mining firm Chinalco potentially block the takeover. CIC reportedly also may assist China Shenhua Group to acquire Fortescue Metals, another major Australian mining company. At the same time, finance ministers of the G-7 countries meeting in Tokyo were expected to call for greater regulation and transparency in sovereign funds, which have alarmed many, including the United States Congress, by taking major stakes in credit-strapped banks, including Citigroup, Merrill Lynch, and UBS.

IntelliShield Analysis: Sovereign wealth funds are state-run investment pools owned primarily by fast-growing emerging market countries like Singapore and oil-exporting nations like the United Arab Emirates and Qatar.
These funds have been used for state-backed investment activity in the private sector, sparking concern as strategically sensitive assets become vulnerable in the global credit crunch. The takeover struggle for Rio Tinto underscores the potential geopolitical influence of sovereign wealth funds, as China considers using state-backed money to acquire scarce energy resources. For the technology sector, these funds should be watched because wealthy emerging nations, in their drive to catch up with the fast pace of technology, may try to acquire sensitive intellectual property in similar takeover bids. This would allow them to rapidly expand their influence in key technology sectors.

Upcoming Security Activity

Microsoft Security Bulletin Update for January: February 12, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 6-month trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
