The DHS ICS-CERT just released their second alert in less than a week, for another ActiveX control, this time in the Mitsubishi MC-WorkX Suite; another SCADA/HMI application. Further pushing the similarities with the previous alert, ICS-CERT again failed to give Blake credit for the discovery of this vulnerability (two thumbs down). ICS-CERT does get credit for publishing faster, this uncoordinated disclosure was made yesterday on Exploit-DB.com (one thumb up).
ICS-CERT notes that this vulnerability is reportedly remotely exploitable and could result in arbitrary code execution.
Looking at Blake’s history on Exploit-DB it looks like he has come back to hackery after a hiatus of some sort. He seems to have a penchant for ActiveX vulnerabilities, though he is certainly more versatile that just that. It does seem that he has just started targeting control systems. I wonder how many more ActiveX vulnerabilities he will be reporting?
BTW: Can someone answer a question about ActiveX controls for me? Is it possible that we could see the same control in multiple applications? And, if it is vulnerable in one, will it be vulnerable in the others?