April 9, Ars Technica – (International) Rise of ‘forever day’ bugs in industrial systems threatens critical infrastructure. The number of security holes that remain unpatched in software used to control refineries, factories, and other critical infrastructure is growing. These holes are becoming so common that security researchers have coined the term “forever days” to refer to the unfixed vulnerabilities, Ars Technica reported April 9. The latest forever day vulnerability was disclosed in robotics software marketed by ABB, a maker of industrial control systems for utilities - 17 - and factories. According to an advisory issued the week of April 2 by the U.S. Cyber Emergency Response Team, the flaw in ABB WebWare Server will not be fixed even though it provides the means to remotely execute malicious code on computers that run the application. “Because these are legacy products nearing the end of their life cycle, ABB does not intend to patch these vulnerable components,” the advisory stated. The notice said the development of a working exploit would require only a medium skill level on the part of the attacker. Forever day is a play on “zero day,” a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or “infinite days” by some researchers, forever days refer to bugs that never get fixed — even when they are acknowledged by the company that developed the software. In some cases, rather than issuing a patch that plugs the hole, the software maker simply adds advice to user manuals showing how to work around the threat.
Ali Loney, on April 09, 2012