IDG News Service – (International) Siemens software targeted by Stuxnet still full of holes. Software made by Siemens and targeted by the Stuxnet malware is still full of other dangerous vulnerabilities, according to researchers. The CTO of Positive Technologies was scheduled to give a presentation in July at Defcon, but it was pulled after Siemens asked for more time to patch its WinCC software. WinCC is a type of supervisory control and data acquisition (SCADA) system, which is used to manage a variety of industrial processes in factories and energy utilities. This type of software underpins much of what countries deem critical infrastructure. The CTO agreed to suspend his presentation at Defcon, but presented an overview of his WinCC research at the Power of Community security conference on November 8. He withheld the specific details of the vulnerabilities since Siemens has not released patches. His team has found more than 50 vulnerabilities in WinCC's latest version, he said in an interview. Most are problems that would allow an attacker to take over a WinCC system remotely. He showed how, when an industrial system operator is using the same browser to access both the open Internet and WinCC's Web interface, a vulnerability can be exploited to obtain login credentials for the back-end SCADA network.
Ali Loney, on November 08, 2012