This afternoon the DHS ICS-CERT published an advisory outlining two heap-based buffer overflow vulnerabilities discovered in the Invensys Wonderware System Platform. Celil Unuver, of SignalSec Corporation reported the vulnerabilities in a coordinated disclosure.
The two separate heap-based overflow vulnerabilities would both be exploitable by a moderately skilled attacker using a social engineering attack. There is no known exploit code publicly available for these vulnerabilities. Invensys has developed a patch to mitigate the vulnerabilities and it has been verified by Celil Unuver.