Earlier today the DHS ICS-CERT published an updated version of their advisory from December that reported mitigations in response to the original ICS-CERT alert from August and an update of that alert in September. If that seems confusing, try this; today’s update notes that “ROS Update V3.12 has been produced to mitigate these issues” but the Ruggedcom web site reports that V3.12 became available on December 7th, 2012; eleven days before the original advisory was published. It looks like this update should have been included in the original advisory.
BTW: There is still no word on a more permanent fix for the HTTPS/SSL service beyond disabling the service that is still being reported in this updated advisory.
BTW Again: There is no mention in this updated advisory that Justin Clarke, the researcher who reported the vulnerability in the first place, has had a chance to review the V3.12 update to verify that it mitigates the reported vulnerabilities.