Yesterday the DHS ICS-CERT published its first control system alert in three months. It identifies two ActiveX vulnerabilities in the WellinTech KingView SCADA/HMI interface. While not credited in the Alert, the vulnerabilities were reported by Blake in twin reports (here and here) on Exploit-DB.com on September 4th in an uncoordinated disclosure.
There is also news about an ICS certification program being developed.
The ICS-CERT alert notes that the reports state that the twin vulnerabilities (KChartXY and SuperGrid) are both remotely exploitable, with exploit code publicly available, and would apparently allow for overwriting arbitrary code. The alert also notes that the researcher provided mitigation measures (setting the kill-bits on the controls) but does not provide links for those claims (here and here).
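For readers who want to apply and verify the kill-bit mitigation the alert refers to, here is an added example (not from the post, ICS-CERT or WellinTech) that sets the ActiveX kill-bit in the registry for a control's CLSID and confirms it took. The CLSID values are labelled placeholders; the real KChartXY and SuperGrid CLSIDs must be taken from the researcher's reports, which this page does not reproduce.

```powershell
# Added example: set and verify the Internet Explorer ActiveX kill-bit for a CLSID.
# Requires an elevated prompt (writes under HKLM).
$KillBitFlag = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control

# Native hive plus, on 64-bit Windows, the 32-bit hive (HMI controls are typically 32-bit)
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)   # form: '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }  # no Wow6432Node hive on 32-bit Windows
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill-bit into any flags already present instead of overwriting them
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]($current -bor $KillBitFlag)
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # $true only if the kill-bit is set in every hive present on this machine
    param([Parameter(Mandatory)][string]$Clsid)
    $results = foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [bool]($flags -band $KillBitFlag)
    }
    return ($results.Count -gt 0) -and ($results -notcontains $false)
}

# PLACEHOLDER CLSIDs (constructed): replace with the values from the Exploit-DB reports
$Controls = @{
    'KChartXY'  = '{PLACEHOLDER-CLSID-KCHARTXY}'
    'SuperGrid' = '{PLACEHOLDER-CLSID-SUPERGRID}'
}

foreach ($name in $Controls.Keys) {
    Set-ActiveXKillBit -Clsid $Controls[$name]
    $ok = Test-ActiveXKillBit -Clsid $Controls[$name]
    Write-Output ("{0,-10} {1}  kill-bit set: {2}" -f $name, $Controls[$name], $ok)
}
```

The Test- function is the part worth running on its own against a fleet: a control whose kill-bit is missing in one hive but present in the other still loads in the 32-bit browser, so the check requires both.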
I am disappointed that ICS-CERT has reverted to their old policy of not identifying researchers responsible for uncoordinated disclosures. While ICS-CERT would certainly prefer that disclosures be coordinated with vendors so that fixes can be put into place before the vulnerabilities are publicly disclosed, they must be aware that independent researchers rely either on public accolades or on selling their discovered vulnerabilities as the reward for their work. I would much rather see them get public accolades for uncoordinated disclosure than have them sell the vulnerabilities on the black market.
This is not the first ActiveX control vulnerability found in the KingView product. An earlier ICS-CERT Alert was released in 2011 and the subsequent Advisory was released later that year.
BTW: ICS-CERT now provides sorting of Advisories and Alerts by vendor.
Control System Certification