November 12–18, 2007

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of the collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services, including the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability and threat activity levels rose sharply during the period. Multiple vendors released patches to address vulnerabilities in their products, many of which were disclosed as part of coordinated efforts with independent security researchers. IntelliShield analysts expect more technical details associated with these vulnerabilities to be released in the coming weeks.

Apple released bulletins and patches to address over 40 vulnerabilities in multiple components of the Leopard, Tiger, and Panther releases of Mac OS X. IBM released a Fix Pack to address multiple vulnerabilities in the DB2 Database Server. Microsoft released security bulletins and patches to address two vulnerabilities, one of which was previously disclosed. Multiple vendors released updated software to address vulnerabilities in products such as Wireshark, Rails, xpdf, Samba, and VMware.

IntelliShield published 147 events last week: 54 new events and 93 updated events. Of the 147 events, 130 were Vulnerability Alerts, nine were Malicious Code Alerts, seven were Security Issue Alerts, four were Daily Malicious Code Summaries, two were Security Activity Bulletins, two were Applied Mitigation Bulletins, one was a Malicious Code Alert, and one was a Cyber Risk Report.
The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for November 12–18, 2007

Samba WINS Server Daemon Buffer Overflow Vulnerability

Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Script Error Handling Memory Corruption Vulnerability

Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute arbitrary code. Attackers cannot exploit this vulnerability directly and instead must convince a user to visit a malicious website. The Cisco Remote Operations Services organization has detected activity that indicates public attempts to exploit this vulnerability. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

IntelliShield Vulnerability Alert 13688, Version 17, November 19, 2007

Microsoft Internet Explorer contains a vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the user. If the user possesses sufficient privileges, an exploit could allow the attacker to gain full control over the affected system. This vulnerability was originally disclosed in July 2007. Exploit code is now publicly available, and attackers are actively exploiting this vulnerability in the wild. Microsoft has confirmed this vulnerability in a security advisory, and third-party vendor updates are available.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability

RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user.
Exploit code is publicly available, and reports indicate that active exploitation is currently ongoing. RealNetworks has confirmed this vulnerability and released updates.

Microsoft Word Memory Corruption Vulnerability

Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user that started the affected application. Malicious code that exploits this vulnerability is circulating in the wild; IntelliShield reported this malicious code as a variant of the Mdropper trojan in Alert 12562. Depending on the privileges of the user, the attacker could create new accounts, install programs, or view, change, or delete data.

Security Activity Bulletin: Oracle Critical Patch Update October 2007

Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details concerning specific vulnerabilities. IntelliShield expects independent security researchers to release details regarding individual vulnerabilities as they test and verify the Oracle patches.

MIT Kerberos and librpcsecgss RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code. An exploit may result in a full system compromise. Many operating systems and third-party applications use Kerberos and will likely release updated software to address this vulnerability.

Physical

GAO Bypasses Airport Security

Government Accountability Office (GAO) investigators posing as terrorists smuggled explosive devices past security checkpoints at approximately 19 United States (U.S.) airports.
Officials at the GAO reported that Transportation Security Administration (TSA) guards were following correct procedures; however, the GAO investigators were still able to pass through security checkpoints with the explosive devices.

IntelliShield Analysis: The TSA continues to test for and correct weaknesses in airport security systems, but with each improvement in the checkpoint process, alternate ways to circumvent it arise. A fundamental review and restructuring of priorities may be required for the TSA to properly and effectively reduce risk to airlines and passengers.

Legal

Global Online Freedom Act

The Foreign Affairs Committee of the U.S. House of Representatives has unanimously approved the Global Online Freedom Act of 2007, a bill intended to criminalize U.S. Internet companies' sharing of user data with some foreign governments. The draft bill, currently being reviewed by the House Committee on Energy and Commerce, would prohibit U.S. companies from providing user information to foreign governments and would establish an Office of Global Internet Freedom. The new office would monitor search terms that could identify foreign dissidents, and U.S. Internet companies doing business with countries deemed repressive would be required to hand such identifying information over to it. Businesses in violation of the law could be fined up to US$2 million.

IntelliShield Analysis: The recent case of Internet company Yahoo, accused of providing information to the Chinese government that led to the incarceration of at least two Chinese political activists, has focused renewed attention on the Global Online Freedom Act. Yahoo's Congressional testimony and subsequent settlements of the legal cases brought by the families of those arrested set a precedent that other U.S. Internet technology companies will want to avoid. The draft bill would provide protection to democracy activists and create problems for U.S.
Internet technology companies with global business interests. Such companies would likely alienate foreign governments if sensitive information, such as a host country's Internet monitoring criteria, had to be handed to a U.S. government office, and foreign governments would be more likely to award Internet infrastructure contracts to non-U.S. companies. More such cases can be expected in the run-up to the U.S. presidential election in 2008 as issues such as trade with China become politically charged.

Trust

Controversial Constants in Government Random Number Standard

Earlier this year, the U.S. National Institute of Standards and Technology (NIST) released a revised version of Special Publication 800-90, which specifies four methods for generating random numbers using Deterministic Random Bit Generators (DRBGs). One of the DRBGs, an elliptic curve method known as Dual_EC_DRBG, is facing scrutiny over the mathematical constants contained in the specification. Cryptographers have speculated that these constants would allow someone in possession of a corresponding set of unknown numbers to predict the output of the DRBG: the constants are two points on the curve, and if one point was derived from the other with a secret scalar, the holder of that scalar can recover the generator's internal state from a single block of output and predict everything that follows. Cryptographic algorithms relying on a compromised DRBG could be more easily attacked and likely broken.

IntelliShield Analysis: Further cryptanalysis or a confirmation from the DRBG designers will be required before scrutiny of Dual_EC_DRBG is dispelled. It is not clear whether the unexplained constants were chosen to strengthen the specification, much like the S-box changes provided by the National Security Agency during the development of the Data Encryption Standard, or to create a backdoor that predicts the DRBG output. Because the elliptic curve DRBG is one of four options listed in Special Publication 800-90, other options exist to implement a standards-compliant random number generator without using the suspect method.
Before implementing cryptography based on Special Publication 800-90, especially in light of this discovery, proper risk analysis should be undertaken.

Identity

Swedish Hacker Arrested for Tor Embassy Stunt

Dan Egerstad, a Swedish hacker also known as DEranged, gained notoriety for his disclosure of 100 embassy and government e-mail accounts in September 2007. Swedish authorities recently raided Egerstad's home in search of information related to the September incident. Police officials did not formally charge Egerstad with a crime, and he was released after questioning.

IntelliShield Analysis: Although no charges have been filed against Egerstad, Swedish authorities will likely continue to examine Egerstad's confiscated computer equipment to determine whether any crimes were committed. When Egerstad revealed the details of his hack, he insisted that the computers used for the effort had been completely sanitized and no longer contained any information acquired through it. Organizations that use Tor without applying independent, end-to-end encryption before traffic transits the anonymizing network should pay as much attention to the outcome of this case as to correcting their network usage policies: Tor conceals who is talking to whom, but traffic leaving an exit node is readable by whoever operates that node unless it was encrypted end to end.

Human

Microsoft Publishes Guide to Secure Office Applications

Microsoft has released a security guide as well as software to assist in securing the Microsoft Office suite of applications. Microsoft Office Technical Product Manager Joshua Edwards indicated that the growing shift toward attacks on applications and away from attacks on operating systems was a major reason for developing the guide.

IntelliShield Analysis: Collaboration in the workplace among business units continues to grow as users become dependent on collaborative tools such as instant messaging, file sharing, and multiple authoring applications.
Attackers have learned that they can exploit user dependence on such applications by causing users to open attachments that host malicious code. The guide released by Microsoft is intended to serve as another layer of defense in addition to antivirus software, firewalls, and corporate e-mail policies. If implemented correctly, the policies and tools should greatly assist in securing business networks against hidden threats and the actions of unsuspecting users.

Geopolitical

Russian Cyber Crime Host on the Run

During the period, the Russian Business Network (RBN), the notorious cyber-crime host, suddenly went dark but resurfaced hours later in China. According to VeriSign analysts tracking the host's movements, RBN briefly controlled over 5,000 IP addresses assigned to Chinese service providers. However, intense press coverage and possibly quick action on the part of Chinese authorities brought RBN down again within 48 hours.

IntelliShield Analysis: It is unclear why RBN operated for only a brief period in China after years of successful existence in Russia. RBN's short-lived operation in China may be a direct result of the scrutiny RBN received from the international network security community following a Washington Post article published in October. If RBN's brief appearance in China was cut short by media and industry scrutiny, the episode bodes well for the ability of virtual communities to shut down troublemakers when cross-border law enforcement is unable to do the job. At the same time, the incident could indicate the differing regulatory environments for cyber crime in Russia and China. Russian authorities have been viewed as uncooperative and lax in their enforcement of laws regarding Internet crimes, allowing RBN to operate with impunity. China, by contrast, is believed to monitor the Internet closely and to move quickly against troublemakers.
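The Samba WINS server entry in the Significant Alerts section above notes that only hosts configured as WINS servers are exposed. The check below is an added example for this report, not Samba's or Cisco's code. It assumes that the Samba parameter 'wins support' (default no) is what enables the WINS server inside nmbd, that 'wins server' only configures the host as a WINS client, and it runs against two constructed configurations rather than any real deployment.

```python
"""Report whether an smb.conf enables the Samba WINS server role.
Added check, not Samba's or Cisco's code.  Assumes the Samba parameter
'wins support' (default no) is what starts the WINS server in nmbd, and that
'wins server = <addr>' only makes the host a WINS client."""
import re
import sys

_TRUE, _FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

def canon(name):
    """Samba matches parameter names case-insensitively and ignores spaces, dashes and underscores."""
    return re.sub(r"[\s_-]", "", name).lower()

def parse_smb_conf(text):
    """{section: {canonical_param: value}} for smb.conf syntax: [section] headers,
    'param = value' lines, and whole-line comments starting with # or ;."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][canon(key)] = value.strip()
    return sections

def to_bool(value, default=False):
    """Samba's boolean spellings; anything else falls back to the default."""
    v = value.strip().lower()
    return True if v in _TRUE else False if v in _FALSE else default

def wins_server_enabled(text):
    """True when [global] sets 'wins support' to a true value (Samba's default is no)."""
    g = parse_smb_conf(text).get("global", {})
    return to_bool(g.get("winssupport", "no"))

def assess(text):
    """One-line exposure verdict for the WINS server daemon flaw."""
    g = parse_smb_conf(text).get("global", {})
    if wins_server_enabled(text):
        return "EXPOSED: wins support = yes; patch Samba, or set 'wins support = no' if no client depends on it"
    if "winsserver" in g:
        return "not exposed: WINS client only (wins server = %s)" % g["winsserver"]
    return "not exposed: no WINS configuration"

# Constructed samples, not taken from any real deployment.
VULNERABLE_CONF = """\
# domain controller that also answers WINS queries
[global]
   workgroup = EXAMPLE
   domain logons = yes
   wins support = Yes
   ; WINS proxying is unrelated to the server role
   wins proxy = no
[homes]
   browseable = no
"""
HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   domain logons = yes
   wins support = no
   wins server = 192.0.2.10
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g.  testparm -s 2>/dev/null | python3 wins_check.py -
        src = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
        print(assess(src.read()))
    else:
        for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
            print(f"{name}: {assess(conf)}")
```

Samba's testparm -s prints the effective configuration in the same syntax, so its output can be piped into the script on each host rather than trusting the file on disk; a host that is only a WINS client is not running the vulnerable server code, but it still needs the patched package before its role changes.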
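The Trust item above states the Dual_EC_DRBG concern in words: the specification fixes two curve points, and if one was derived from the other with a scalar someone kept, that someone can recover the generator's state from its output. The toy model below is an added illustration for this report, not NIST's specification or Cisco code. It assumes secp256k1 instead of the NIST curves (its prime is 3 mod 4, which keeps the square-root step to one line), writes the relation as P = e*Q with e the secret (the same relationship seen from the other side), emits one block as the truncated x-coordinate of s*Q, and drops 4 bits per block instead of the 16 the specification drops so that the brute force stays small; the seed and scalar used in the main block and test are constructed values.

```python
"""Toy Dual_EC_DRBG with related constants: whoever knows e with P = e*Q can
turn one output block into the next internal state and predict all later output.
Added illustration, not NIST's or Cisco's code.  Assumptions: curve secp256k1
(p = 3 mod 4 keeps square roots simple; the real DRBG uses the NIST curves),
one block = truncated x(s*Q), and TRUNC_BITS = 4 in place of the 16 bits dropped
by the specification, so the brute force below stays small."""
import secrets

P_MOD = 2**256 - 2**32 - 977           # secp256k1 field prime
A, B = 0, 7                             # y^2 = x^3 + 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                              # point at infinity
BITS, TRUNC_BITS = 256, 4
MASK = (1 << (BITS - TRUNC_BITS)) - 1   # keeps the low 252 bits of an x-coordinate

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:      # p1 == -p2, including doubling a point with y == 0
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def x_of(pt):
    if pt is INF:
        raise ValueError("state landed on the point at infinity (negligible probability)")
    return pt[0]

def make_points(e=None):
    """P = e*Q with Q = G.  The standard publishes P and Q without saying how they
    relate; e stands in for the 'unknown numbers' a backdoor holder would keep."""
    e = e or secrets.randbelow(1 << 255) + 1   # assumption: any nonzero scalar works
    return ec_mul(e, G), G, e

def dual_ec_step(state, P, Q):
    """One block: new state s' = x(s*P); output r = x(s'*Q) with the top bits dropped."""
    s_new = x_of(ec_mul(state, P))
    return s_new, x_of(ec_mul(s_new, Q)) & MASK

def generate(seed, P, Q, n):
    """n output blocks from a seed (the honest user's view of the DRBG)."""
    outs, s = [], seed
    for _ in range(n):
        s, r = dual_ec_step(s, P, Q)
        outs.append(r)
    return outs

def lift_x(x):
    """Point with x-coordinate x, or None when x^3 + A*x + B is a non-residue."""
    rhs = (pow(x, 3, P_MOD) + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)      # square root, valid since P_MOD = 3 (mod 4)
    return (x, y) if y * y % P_MOD == rhs else None

def candidate_states(out, e):
    """Next states consistent with one truncated block.  With R = s*Q the attacker
    computes e*R = s*(e*Q) = s*P, whose x-coordinate is exactly the next state."""
    cands = []
    for prefix in range(1 << TRUNC_BITS):          # undo the truncation by guessing
        x = (prefix << (BITS - TRUNC_BITS)) | out
        R = lift_x(x) if x < P_MOD else None
        if R is not None:                          # -R gives the same x(e*R); one lift suffices
            cands.append(x_of(ec_mul(e, R)))
    return cands

def predict(observed, e, P, Q, n_more):
    """Recover the state from two observed blocks, then predict the next n_more."""
    for s in candidate_states(observed[0], e):
        if x_of(ec_mul(s, Q)) & MASK == observed[1]:  # second block eliminates wrong guesses
            return generate(s, P, Q, n_more)
    return None

if __name__ == "__main__":
    P, Q, e = make_points()
    outs = generate(secrets.randbits(256), P, Q, 6)   # constructed seed: two blocks leak, four are predicted
    print("predicted == actual:", predict(outs, e, P, Q, 4) == outs[2:])
```

Two observed blocks suffice: the first yields at most 2^TRUNC_BITS candidate states, the second eliminates the wrong ones, and every later block follows. With the specification's 16-bit truncation the candidate set is 65,536, which is still trivial. Without e none of this is possible, which is why the provenance of the constants matters and why the other three SP 800-90 generators, which carry no such constants, do not raise the question.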
Upcoming Security Activity

DeepSec IDSC: November 22–23, 2007

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
