Security IT

US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

  • by Attila Dimedici ( 1036002 ) on Thursday May 12, 2011 @04:51PM (#36112030)
    Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?
  • by rsborg ( 111459 ) on Thursday May 12, 2011 @05:03PM (#36112126) Homepage

    Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

    These systems don't have to be on the "internet" in order to be vulnerable. These ActiveX controls are likely deployed internally, probably with adequate security. But networks are porous, and as Stuxnet proved, complex malware can be executed to effect. The issue is that security isn't treated as a process but as a response or feature. Good security takes into account all possible vectors (humans being the biggest).

  • Re:Really? (Score:5, Insightful)

    by perpenso ( 1613749 ) on Thursday May 12, 2011 @05:03PM (#36112128)

    Security holes in ActiveX, whodathunkit.

    Perhaps I am mistaken but I think the newsworthiness of this story is not that ActiveX has issues, rather it is that there are a bunch of people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls. ;-)
