
US CERT warns of critical industrial control bug
2011-05-12 07:14

http://www.theregister.co.uk/2011/05/12/critical_iconics_scada_bug/

By Dan Goodin in San Francisco
The Register
12th May 2011

The US Computer Emergency Readiness Team is warning oil refineries, power plants, and other industrial facilities of a bug in a popular piece of software that could allow attackers to take control of their computer systems.

The vulnerability in the Genesis32 and BizViz products made by Massachusetts-based Iconics could allow attackers to remotely execute malicious code on machines that run these SCADA, or supervisory control and data acquisition, programs, the US CERT warned (PDF) on Wednesday. The programs are used to control equipment used in factories, water, wastewater and electric utilities, and oil and gas refineries.

The vulnerability stems from a stack-overflow bug found in an ActiveX control used by the SCADA programs and can be exploited to gain command-execution capability, researchers from Australasia-based Security-Assessment.com warned (PDF).

“By passing a specially crafted string to the 'SetActiveXGUID' method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user,” the researchers warned. They included a proof-of-concept exploit written in JavaScript.

[...]

