[ISN] US CERT warns of critical industrial control bug

From: InfoSec News <alerts_at_private>
Date: Thu, 12 May 2011 02:14:25 -0500 (CDT)

By Dan Goodin in San Francisco 
The Register
12th May 2011 

The US Computer Emergency Readiness Team is warning oil refineries, 
power plants, and other industrial facilities of a bug in a popular 
piece of software that could allow attackers to take control of their 
computer systems.

The vulnerability in the Genesis32 and BizViz products made by 
Massachusetts-based Iconics could allow attackers to remotely execute 
malicious code on machines that run these SCADA, or supervisory control 
and data acquisition, programs, the US CERT warned (PDF) on Wednesday. 
The programs are used to control equipment used in factories, water, 
wastewater and electric utilities, and oil and gas refineries.

The vulnerability stems from a stack-overflow bug found in an ActiveX 
control used by the SCADA programs and can be exploited to gain 
command-execution capability, researchers from Australasia-based 
Security-Assessment.com warned (PDF).

“By passing a specially crafted string to the 'SetActiveXGUID' method, 
it is possible to overflow a static buffer and execute arbitrary code on 
the user's machine with the privileges of the logged on user,” the 
researchers warned. They included a proof-of-concept exploit written in 

Received on Thu May 12 2011 - 00:14:25 PDT