US-CERT Warns of Serious Hole In ActiveX Control From Iconics

← Back to Stories (view on slashdot.org)

US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Posted by timothy on Thursday May 12, 2011 @08:41AM from the oh-just-a-little-infrastructure-is-all dept.

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

3 of 87 comments (clear)

Min score:

Reason:

Sort:

This brings up the question by Attila+Dimedici · 2011-05-12 08:51 · Score: 4, Insightful

Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

--
The truth is that all men having power ought to be mistrusted. James Madison
1. Re:This brings up the question by rsborg · 2011-05-12 09:03 · Score: 5, Insightful
  
  Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?
  These systems don't have to be on the "internet" in order to be vulnerable. These activex controls are likely deployed internally, probably with adequate security. But networks are porous, and as Stuxnet proved, complex malware can be executed to effect. The issue is that security isn't treated as a process but as a response or feature. Good security takes into account all possible vectors (humans being the biggest).
  
  --
  Make sure everyone's vote counts: Verified Voting
Re:Really? by perpenso · 2011-05-12 09:03 · Score: 5, Insightful

Security wholes in active-x, whodathunkit.
Perhaps I am mistaken but I think the newsworthiness of this story is not that ActiveX has issues, rather it is that there are a bunch of people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls. ;-)