Monday, August 9, 2010

Reader Comment 08-06-10 VxWorks Exploit

Last Friday an Anonymous reader took objection to a statement I made in my blog posting that updated people on Stuxnet and identified a newly identified SCADA vulnerability. Anonymous objected to my comment that:
“These vulnerabilities were discovered by a security researcher and the details of the exploit have not yet been made public. No exploits in live systems ‘in the wild’ have yet been seen.”
Anonymous then pointed us at a blog posting on addressing the same VxWorks vulnerability. That posting by HDM describes how the author discovered the vulnerability and enough details about the vulnerability that even a reader with my level of expertise (very low) in software engineering can see that this is a vulnerability that a large truckload of problems could be driven through. My apologies to HDM for slighting him in my comment, but I had not read his blog when I wrote my post. I based my comments on the report on this vulnerability provided by ICS-CERT. That report explained:
“Proof-of-concept code is expected to be made public by the researcher. However, at the time of this writing, no known exploits exist in the field specifically targeting these vulnerabilities.”
There is a material difference between “[p]roof-of-concept code” and “details of the exploit” that is very clear when you read the HDM blog post. HDM certainly provided enough details about the vulnerability to allow Carnegie Mellon CERT to coordinate with 100 vendors before the public announcement of the vulnerability was made.
