This afternoon the DHS ICS-CERT published an advisory for a stack-based buffer overflow vulnerability in the MICROSYS PROMOTIC application. The vulnerability was discovered by an anonymous researcher and it was coordinated through the HP Zero Day Initiative. MICROSYS produced a new version that mitigates the vulnerability though there is no indication that the anonymous researcher was given the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability if the demonstration application is running. A successful exploit could lead to a denial of service situation or provide data leakage.
The MICROSYS description of the new version does not contain any discussion of the vulnerability or its fix.