Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 14, 2016

November 10, SecurityWeek – (International) Hackers can abuse iOS WebView to make phone calls. A security researcher reported that Apple iOS applications such as LinkedIn and Twitter, among others, can be abused to place phone calls to arbitrary numbers from a victim’s device. The attacker convinces the user to open a specially crafted web page inside an affected app; the page redirects to a TEL Uniform Resource Identifier (URI), and the app’s handling of that URI triggers the call without the user’s consent. The researcher also reported that the flaw can be used to prevent the victim from ending the call. The issue is related to how certain iOS applications handle the WebView component rather than to a single app. Source
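The defence the item implies is an app-side check on what the WebView is allowed to hand off. The following is an added example, not code from the article or from any of the apps it names: a WKNavigationDelegate that lets http/https loads through, cancels any tel:/sms:/facetime-style navigation that the page triggered on its own (a script redirect arrives as navigationType .other, not .linkActivated), and routes a user-tapped link through a confirmation alert instead of straight to UIApplication.open. The class and function names, and the scheme list, are this example's own choices.

```swift
import UIKit
import WebKit

// Added example (not from the article). Schemes that WebKit does not render
// but hands to the app; forwarding any of them blindly to
// UIApplication.shared.open(_:) is what lets a crafted page start a call.
let dialingSchemes: Set<String> = ["tel", "telprompt", "sms", "facetime", "facetime-audio"]

enum NavigationDecision: Equatable {
    case allow          // let WebKit load it
    case deny           // drop it silently
    case confirm(URL)   // cancel the load, ask the user, then open
}

/// Classify one navigation request. `userInitiated` is true only for a
/// real link tap; a JavaScript redirect or meta refresh is not user-initiated.
func classify(_ url: URL, userInitiated: Bool) -> NavigationDecision {
    guard let scheme = url.scheme?.lowercased() else { return .deny }
    if scheme == "http" || scheme == "https" { return .allow }
    if dialingSchemes.contains(scheme) {
        // A page that redirects itself to tel: never reaches the dialer;
        // a tapped tel: link still goes through an explicit prompt.
        return userInitiated ? .confirm(url) : .deny
    }
    // Unknown custom schemes could open other apps; do not forward them.
    return .deny
}

final class HardenedWebViewController: UIViewController, WKNavigationDelegate {
    let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        view = webView
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else {
            decisionHandler(.cancel)
            return
        }
        let userInitiated = navigationAction.navigationType == .linkActivated
        switch classify(url, userInitiated: userInitiated) {
        case .allow:
            decisionHandler(.allow)
        case .deny:
            decisionHandler(.cancel)
        case .confirm(let target):
            decisionHandler(.cancel)      // WebKit must not load it either way
            askBeforeDialing(target)
        }
    }

    private func askBeforeDialing(_ url: URL) {
        // Show the user the exact target before anything is dialed.
        let schemeLength = (url.scheme ?? "").count + 1   // "tel:" prefix
        let target = String(url.absoluteString.dropFirst(schemeLength))
        let alert = UIAlertController(title: "Open \(url.scheme ?? "") link?",
                                      message: target,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
            UIApplication.shared.open(url)
        })
        present(alert, animated: true)
    }
}
```

The same classify() check belongs in webView(_:shouldStartLoadWith:navigationType:) for apps still on the deprecated UIWebView, returning false for anything that is not .allow. The important property is that no code path calls UIApplication.shared.open on a URL the WebView produced without the user having first seen that URL.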

November 9, SecurityWeek – (International) Privilege escalation flaw affects several Siemens products. Siemens released updates and temporary fixes addressing a medium-severity privilege escalation vulnerability in many of its industrial products, including several Siemens SCADA systems, SOFTNET, the Security Configuration Tool (SCT), and distributed control systems (DCS), among others. Researchers warned that a user with local access to the Microsoft Windows host running an affected Siemens application can escalate privileges. The flaw cannot be exploited when the affected product is installed in its default path, so non-default installation paths are the ones to check. Source

November 8, SecurityWeek – (International) SAP patches OS command execution vulnerabilities. SAP released its November 2016 security updates, resolving a total of 16 security flaws. Two of them are critical: operating system (OS) command execution vulnerabilities in the SAP Report for Terminology Export component and the SAP Text Conversion component, which an unauthorized attacker could exploit to run OS commands and thereby read or modify arbitrary files and directories on the SAP server file system. SAP also patched a denial-of-service (DoS) flaw in SAP Message Server and an information disclosure vulnerability in the SAP Software Update Manager component that can be leveraged to reveal information about an affected system, among other vulnerabilities. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.