Yesterday DHS ICS-CERT published an advisory for the Emerson DeltaV service based upon a coordinated disclosure by Kuang-Chun Hung of the Security Research and Service Institute-Information and Communication Security Technology Center (ICST). The advisory concerns a buffer overflow vulnerability that could allow a relatively low skilled attacker to send a specially crafted string to a specific (but unnamed) port that could crash the system.
Emerson has crafted a hot fix for the problem that has been verified to be effective by ICST. According to the advisory (which was published earlier on the US-CERT restricted portal) Emerson contacted system owners with a notification about the problem and solution. This is the first time that I have seen an advisory note that the vendor directly communicated a vulnerability to system owners; I would like to think that ICS-CERT has simply overlooked mentioning this fact in other cases. If that is not the case, Emerson deserves special kudos for this action and hopefully this starts a trend.