This afternoon the DHS ICS-CERT published a control system advisory for the Tibbo AggreGate SCADA/HMI package. The twin "unrestricted upload of file with dangerous type" vulnerabilities were reported through the Zero Day Initiative by Andrea Micalizzi (rgod). Tibbo has produced a new version to mitigate the vulnerabilities, but there is no indication that Micalizzi has been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that at least one of the vulnerabilities can be remotely exploited by a relatively unskilled attacker. A successful exploit of either vulnerability could allow the attacker to execute arbitrary code and commands.
There seems to be a discrepancy between the version number of the updated version reported in the advisory and the updates available on the Tibbo web site. ICS-CERT reports that owners should upgrade to 5.30.06. The Tibbo web site indicates that 5.30.06 is a pre-release version of the program. I suspect that is because Tibbo has not updated their web site to account for people needing to upgrade due to the vulnerabilities reported in this advisory. Certainly there is nothing on their web site about the problem.