Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 17, 2016

November 16, SecurityWeek – (International) Symantec patches DLL hijacking flaw in enterprise products. Symantec released updates to resolve a dynamic-link library (DLL) loading flaw affecting its IT Management Suite (ITMS) 8.0, Ghost Solution Suite (GSS) 3.1, and Endpoint Virtualization (SEV) 7.x products. Because the affected products do not use an absolute path when loading DLL files during boot-up or reboot, a rogue DLL file could be loaded by the software before the legitimate file, leading to arbitrary code execution, potentially with elevated privileges. Source

November 16, SecurityWeek – (International) Serious flaws found in Lynxspring SCADA product. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory revealing that versions 1.1.8 and earlier of Lynxspring’s JENEsys building operating system, the BAS Bridge, are affected by four remotely exploitable vulnerabilities. A security researcher discovered a flaw that could allow an attacker with read-only access to send maliciously crafted commands to the application and make changes within it. The researcher also found a flaw that could be exploited to access a system without authentication by using a hardcoded username with no password, as well as a cross-site request forgery (CSRF) vulnerability that could allow an attacker to carry out various malicious actions if they convince a user to access a maliciously crafted link, among other flaws. Source

November 15, SecurityWeek – (International) Shazam for Mac keeps listening even when disabled. Synack security researchers reported that malware could silently spy on Apple Mac OS X users through a device’s webcam and microphone by piggybacking on legitimate applications that use those components, such as the Shazam music discovery app, FaceTime, and Skype. The researchers found that the Mac version of Shazam does not deactivate the device’s microphone once the user switches off the app, and warned that malware could leverage this flaw to capture audio from the microphone without initiating a recording. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.