http://www.theregister.co.uk/2011/05/12/critical_iconics_scada_bug/ By Dan Goodin in San Francisco The Register 12th May 2011 The US Computer Emergency Readiness Team is warning oil refineries, power plants, and other industrial facilities of a bug in a popular piece of software that could allow attackers to take control of their computer systems. The vulnerability in the Genesis32 and BizViz products made by Massachusetts-based Iconics could allow attackers to remotely execute malicious code on machines that run these SCADA, or supervisory control and data acquisition, programs, the US CERT warned (PDF) on Wednesday. The programs are used to control equipment used in factories, water, wastewater and electric utilities, and oil and gas refineries. The vulnerability stems from a stack-overflow bug found in an ActiveX control used by the SCADA programs and can be exploited to gain command-execution capability, researchers from Australasia-based Security-Assessment.com warned (PDF). “By passing a specially crafted string to the 'SetActiveXGUID' method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user,” the researchers warned. They included a proof-of-concept exploit written in JavaScript. [...] ___________________________________________________________ Tegatai Managed Colocation: Four Provider Blended Tier-1 Bandwidth, Fortinet Universal Threat Management, Natural Disaster Avoidance, Always-On Power Delivery Network, Cisco Switches, SAS 70 Type II Datacenter. Find peace of mind, Defend your Critical Infrastructure. http://www.tegataiphoenix.com/Received on Thu May 12 2011 - 00:14:25 PDT
This archive was generated by hypermail 2.2.0 : Thu May 12 2011 - 00:21:19 PDT