Dale must be proud (grin); this evening DHS ICS-CERT
published its first alert for a vulnerability disclosed at Digital Bond’s
S4 conference in Miami. Appropriately enough, the vulnerability was disclosed by
Luigi, his first such disclosure since Luigi and his partner Donato formed ReVuln.com.
According to the alert, Luigi disclosed a buffer overflow
vulnerability in the Ecava IntegraXor SCADA/HMI interface. As with past Luigi
disclosures, this one was accompanied by proof-of-concept code.
I think that this is the same disclosure that Dale tweeted
about this afternoon:
@digitalbond
- Luigi & Donato demoing ICS vuln and their fix to it, without any vendor
involvement, #S4x14
A buffer overflow vulnerability by itself is hardly news
at a conference like S4x14. The big news was apparently that Luigi and company
had worked out a way to fix the vulnerability without getting the vendor
involved at all. That would certainly be good news for Luigi’s system-owner clients:
they could get their systems fixed before anyone else, including the vendor,
was even made aware of the vulnerability. The trade-off is that a fix the vendor
never saw is one the owner has to test, support and re-apply after every vendor
update until the vendor ships a patch of its own.
While some vendors are working hard at establishing a
reputation for responding quickly to vulnerability disclosures, most still have
a long way to go. For example, we are still waiting on a whole pile of vendor
disclosures for the Crain-Sistrunk (DNP3) vulnerabilities that were identified
last summer.