Review – Public ICS Disclosures – Week of 8-3-24

This week we have 18 vendor disclosures from Bosch, Broadcom, B&R, Carrier, Hitachi (11), HPE (2), and SEL. There are also seven vendor updates from Broadcom (3), Cisco (2), HPE, and VMware. Finally, we have four researcher reports about vulnerabilities in products from Johnson Controls, Korenix, PLANET Technology, and Unitronics.

Advisories

Bosch Advisory - Bosch published an advisory that discusses four vulnerabilities (all with available exploits) in their DIVAR IP all-in-one Devices.

Broadcom Advisory - Broadcom published an advisory that discusses 22 vulnerabilities (11 with publicly available exploits) in their Brocade ASCG.

B&R Advisory - B&R published an advisory that discusses six vulnerabilities in their Automation Runtime product.

Carrier Advisory - Carrier published an advisory that discusses a supply chain attack that affected their LenelS2 NetBox products.

Hitachi Advisory #1 - Hitachi published an advisory that discusses an HTTP request/response smuggling vulnerability in their Cosminexus product.

Hitachi Advisory #2 - Hitachi published an advisory that discusses an incomplete cleanup vulnerability in their Automation Director, Infrastructure Analytics Advisor and Ops Center products.

Hitachi Advisory #3 - Hitachi published an advisory that describes an unquoted search path vulnerability in their Device Manager.

Hitachi Advisory #4 - Hitachi published an advisory that discusses six vulnerabilities (including three with publicly available exploits) in their Ops Center Analyzer viewpoint and Ops Center Viewpoint products.

Hitachi Advisory #5 - Hitachi published an advisory that discusses two vulnerabilities (one with publicly available exploits) in their Configuration Manager and Ops Center API Configuration Manager products.

Hitachi Advisory #6 - Hitachi published an advisory that discusses an XMM register corruption vulnerability in their Configuration Manager and Ops Center API Configuration Manager products.

Hitachi Advisory #7 - Hitachi published an advisory that discusses the Terrapin Attack vulnerability.

Hitachi Advisory #8 - Hitachi published an advisory that describes an EL injection vulnerability in their Tuning Manager product.

Hitachi Advisory #9 - Hitachi published an advisory that discusses six vulnerabilities in their Cosminexus Developer's Kit for Java and Hitachi Developer's Kit for Java products.

Hitachi Advisory #10 - Hitachi published an advisory that discusses six vulnerabilities in multiple products.

Hitachi Advisory #11 - Hitachi published an advisory that discusses 71 vulnerabilities in their Disk Array Systems.

HPE Advisory #1 - HPE published an advisory that describes a SMM lock bypass vulnerability in their ProLiant AMD Servers.

HPE Advisory #2 - HPE published an advisory that discusses the regreSSHion vulnerability. HPE reports that their Athonet products are affected.

SEL Advisory - SEL published a version update notice for their Compass product that reports that the new version includes cybersecurity enhancements.

Updates

Broadcom Update #1 - Broadcom published an update for their Privilege escalation using switch commands advisory that was originally published on September 13^th, 2022 and most recently updated on September 20^th, 2022.

Broadcom Update #2 - Broadcom published an update for their libxml2 advisory that was originally published on July 30^th, 2024.

Cisco Update #1 - Cisco published an update for their Blast-Radius advisory that was originally published on July 10^th, 2024 and most recently updated on August 2^nd, 2024.

Cisco Update #2 - Cisco published an update for their regreSSHion advisory that was originally published on July 2^nd, 2024 and most recently updated on July 26^th, 2024.

HPE Update - HPE published an update for their Fiber Channel and SAN Switches advisory that was originally published on August 1^st, 2024.

VMware Update - Broadcom published an update for their VMware Workspace ONE advisory that was originally published on April 6^th, 2024.

Researcher Reports

Johnson Controls Report - Nozomi Networks published a report describing five vulnerabilities in the Johnson Controls’ exacqVision Web Service.

Korenix Report - CyberDanube published a report that describes three vulnerabilities in the Korenix JetPort ethernet switch. An exploit was also published for the three vulnerabilities.

Planet Technology Report - IOActive published a report that describes three vulnerabilities in the PLANET IGS-4215-16T2S switch.

Unitronics Report - Claroty published a report that describes two vulnerabilities in Unitronics PLCs/HMI that have been exploited in the wild.

 

For more details about these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-bbf - subscription  required.

Review – Public ICS Disclosures – Week of 7-13-24

This week we have three vendor disclosures on the regreSSHion vulnerability from Bosch, Broadcom, HMS  We have 14 additional vendor disclosures from ABB, Dell, Fujitsu, Hitachi, HP (4), HPE (3), Rockwell (2), and Wireshark. There are also five vendor updates from BD and HPE (4). Finally, we have four researcher reports about vulnerabilities in products from Asus, Synology, and Unitronics (2).

RegreSSHion Advisories

Bosch published an advisory that lists affected products and fixed versions.

Broadcom published an advisory that lists the products that are not affected.

HMS published an advisory that lists the affected products and announces that fixes have been applied.

Advisories

ABB Advisory - ABB published an advisory that describes an unquoted search path or element vulnerability in their Mint Workbench product.

Dell Advisory - Dell published an advisory that lists a large number (nope, I am not counting them all) of 3^rd party vulnerabilities in their ThinOS product.

Fujitsu Advisory - JP-CERT published an advisory that describes a path traversal vulnerability in the Fujitsu Network Edgiot GW1500 product.

Hitachi Advisory - Hitachi published an advisory that discusses 42 vulnerabilities in their Disc Array Systems products.

HP Advisory #1 - HP published an advisory that describes a buffer overflow vulnerability in multiple desk top computers.

HP Advisory #2 - HP published an advisory that describes two privilege escalation vulnerabilities in their display control software.

NOTE: The HP Security Bulletins page lists two additional advisories (here and here), but neither page currently opens.

HPE Advisory #1 - HPE published an advisory that describes a remote bypass of a security restriction vulnerability in their 3PAR Service Processor Software.

HPE Advisory #2 - HPE published an advisory that discusses 17 vulnerabilities (one with known exploits) in their Unified OSS Console Assurance Monitoring (UOCAM) product.

HPE Advisory #3 - HPE published an advisory that discusses two vulnerabilities in their ProLiant DL/ML/XL, Synergy, Edgeline and Alletra Servers.

Rockwell Advisory #1 - Rockwell published an advisory that describes an improper input validation vulnerability in their SequenceManager Server.

Advisory #2 - Rockwell published an advisory that describes an improper input validation vulnerability in their 5015 – AENFTXT product.

Wireshark Advisory - Wireshark published an advisory that describes a packet injection vulnerability in their SPRT dissector product.

Updates

BD Update - BD published an update for their Third-Party ESET advisory that was originally published on March 29^th, 2024.

HPE Update #1 - HPE published an update for their Intel Thunderbolt Driver advisory that was originally published on May 14^th, 2024 and most recently updated on June 17^th, 2024.

HPE Update #2 - HPE published an update for their Intel PROSet/Wireless WiFi and Bluetooth advisory that was originally published on May 14^th, 2024 and most recently updated on June 17^th, 2024.

HPE Update #3 - HPE published an update for their Intel Chipset Device Software advisory that was originally published on June 28^th, 2024.

HPE Update #4 - HPE published an update for their Intel 2024.1 IPU - Chipset Software advisory that was originally published on March 13^th, 2024 and most recently updated on April 10^th, 2024.

Researcher Reports

Asus Report - BugProve published a report describing a stack-based buffer overflow vulnerability in the Asus RT-AC87U router.

Synology Report - Claroty published a report that describes a classic buffer overflow vulnerability in the Synology BC 500 IP camera.

Unitronics Reports - Claroty published two reports about individual vulnerabilities in the Unitronics Vision Plc.

 

For more information about these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-3e2 - subscription required.

Review – 1 Advisory and 2 Updates Published – 4-30-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Delta Electronics. They also updated two advisories for products from SEW-EURODRIVE and Unitronics.

Advisories

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta CNCSoft-G2 DOPSoft.

Updates

SEW-EURODRIVE Update - This update provides additional information on an advisory that was originally published on January 16^th, 2024.

Unitronics Update - This update provides additional information on an advisory that was originally published on April 18^th, 2024.

 

For more information on these advisories, including summaries for changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-504 - subscription required. 

Review - 1 Advisory and 2 Updates Published – 4-18-24

Today, CISA’s NCCIC-ICS published a control systems security advisory for products from Unitronics. They also updated two advisories for products from Mitsubishi.

Advisories

Unitronics Advisory - This advisory describes a storing passwords in a recoverable format vulnerability in the Unitronics Vision Standard PLCs.

Updates

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on October 14^th, 2021 [removed from paywall] and most recently updated on October 13^th, 2022 (not the dates reported in Section 5 of the advisory).

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on September 7^th, 2021 and most recently updated on October 13^th, 2022.

 

For more details about these advisories, including a down-the-rabbit hole look at a missing Mitsubishi update that leads to more holes in the NVD.NIST.gov database, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-ef9 - subscription required.

Review – Public ICS Disclosures – Week of 3-16-24

This week we have eight vendor disclosures from Belden, Bosch, Buffalo Tech, Honeywell, HP, Planet Technology, and Rockwell (2). There are five vendor updates from Eaton, HP (2), Palo Alto Networks, and QNAP. We have two researcher reports for vulnerabilities in products from FortiGuard and Unitronics. Finally, we have four exploits for products from APC and TELSAT (3).

Advisories

Belden Advisory - Belden published an advisory that discusses five vulnerabilities in multiple Hirschmann products.

Bosch Advisory - Bosch published an advisory that describes a command injection vulnerability in their Network Synchronizer.

Buffalo Advisory - JP-CERT published an advisory that describes an insufficient data validation vulnerability in the Buffalo LinkStation 200 series NAS.

Honeywell Advisory - Honeywell published an advisory that describes a cross-site scripting vulnerability in their MPA2 Web Application.

HP Advisory - HP published an advisory that describes a denial of service vulnerability in their OfficeJet Pro printers.

Planet Advisory - Incibe-CERT published an advisory that describes three vulnerabilities in the Planet IGS-4215-16T2S industrial ethernet switch.

Rockwell Advisory #1 - Rockwell published an advisory that describes an improper security protection for remote restart action vulnerability in their FactoryTalk® View ME on PanelView.

Rockwell Advisory #2 - Rockwell published an advisory that describes three vulnerabilities in their PowerFlex® 527 product.

UPDATES

Eaton Update - Eaton published an update for their User Management System advisory that was originally published on November 24^th, 2023 and most recently updated on December 20^th, 2023.

HP Update #1 - HP published an update for their Intel 2023.4 IPU advisory that was originally published on December 11^th, 2023 and most recently updated January 9^th, 2024.

HP Update #2 - HP published an update for their AMD Client UEFI firmware advisory that was originally published on December 7^th, 2023 and most recently updated on January 5^th, 2024.

Researcher Reports

FortiGuard Report - Horizon3 published a report describing an SQL injection vulnerability in the FortiGuard FortiClient EMS product.

Unitronics Report - Claroty published a report describing eight vulnerabilities in the Unitronics UniStream integrated PLC/HMI products.

Exploits

APC Exploit - Victor Garcia published an exploit for a path traversal vulnerability in the APC UPS Network Management Card.

TELSAT Exploits - LIQUIDWORM published exploits for three vulnerabilities in the TELSAT marKoni FM Transmitter.

 

For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-051 - subscription required.

Review – 2 Advisories and 1 Update Published – 1-4-23

Today, CISA’s NCCIC-ICS published control system security advisories for products from Mitsubishi Electric and Rockwell Automation. They also updated an advisory for products from Unitronics.

Advisories

Mitsubishi Advisory - This advisory discusses three vulnerabilities in the Mitsubishi Factory Automation Products.

Rockwell Advisory - This advisory discusses two vulnerabilities in the Rockwell FactoryTalk Activation Manager.

Updates

Unitronics Update - This update provides additional information on an advisory that was originally published on December 14^th, 2023.

 

For more details about these advisories and update, including links to 3^rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-09a - subscription required.

Review – 16 Advisories and 1 Update Published – 12-14-23

Today, CISA’s NCCIC-ICS published 16 control system security advisories for products from Unitronics, Johnson Controls, Cambium and Siemens (13). They also published a medical device security advisory update for products from Philips.

Siemens also published 15 advisory updates that CISA is no longer covering. I will look at those this weekend in my Public ICS Disclosure post.

Advisories

Unitronics Advisory - This advisory describes an initialization of a resource with insecure default vulnerability in the Unitronics Vision Series PLCs and HMIs.

Johnson Controls Advisory - This advisory describes a missing release of information after effective lifetime vulnerability in the Johnson Controls Kantech Gen1 ioSmart card reader.

Cambium Advisory - This advisory describes a code injection vulnerability in the Cambium ePMP Force 300-25 radio.

SINEC Advisory - This advisory discusses seven vulnerabilities in the Siemens SINEC INS product.

RUGGEDCOM Advisory - This advisory describes nine vulnerabilities in the Siemens RUGGEDCOM RM1224 LTE and SCALANCE M-800/S615 families of routers.

SCALANCE Advisory - This advisory describes two vulnerabilities in the Siemens RUGGEDCOM RM1224 LTE and SCALANCE M-800/S615 families of routers.

SICAM Advisory - This advisory describes two vulnerabilities in the Siemens Power Meter SICAM Q100 products.

SINUMERIK Advisory - This advisory describes a use after free vulnerability in the Siemens SINUMERIK MC and SINUMERIK ONE products.

SIMATIC Advisory #1 - This advisory discusses 404 vulnerabilities in the Siemens SIMATIC and SIPLUS S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1 products.

SIMATIC Advisory #2 - This advisory describes a use after free vulnerability in the Siemens SIMATIC and SIPLUS S7-1500 CPU family.

SIMATIC Advisory #3 - This advisory describes a clear-text storage of sensitive information vulnerability in the Siemens SIMATIC STEP 7 (TIA Portal).

SIMATIC Advisory #4 - This advisory describes two vulnerabilities in the Siemens SIMATIC and SIPLUS products.

Industrial Products Advisory - This advisory describes a missing release of memory after effective lifetime vulnerability in the Siemens SIMATIC CP, SINAMICS, and SIPLUS NET CP products.

OPC UA Implementation Advisory - This advisory describes an integer overflow or wrap around vulnerability in the Siemens SINUMERIK MC and SINUMERIK ONE products.

LOGO! Advisory - This advisory describes an improper protection against electromagnetic fault injection vulnerability in the Siemens LOGO! and SIPLUS LOGO! Products.

User Management Component Advisory - This advisory describes five vulnerabilities in the Siemens User Management Component (UMC).

Updates

Philips Update - This update provides additional information on the Philips Patient Monitoring Devices advisory that was originally published on September 10^th, 2020 and most recently updated on November 8^th, 2021.

 

For more details about these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/16-advisories-and-1-update-published - subscription required. 

ICS-CERT Publishes Three Advisories

Earlier today the DHS ICS-CERT published three new control system security advisories for products from Meinberg, Unitronics, and Rockwell.

Meinberg Advisory

This advisory describes multiple vulnerabilities in the Meinberg NTP Time Servers Interface. The vulnerabilities were reported by Ryan Wincey. Meinberg has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Wincey has verified the efficacy of the fix.

The vulnerabilities include:

• Twin stack-based buffer overflows - CVE-2016-3962 and CVE-2016-3988; and

• Privilege escalation - CVE-2016-3989

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to cause a buffer overflow condition that may allow escalation to root privileges.

Unitronics Advisory

This advisory describes a stack-based overflow vulnerability in the Unitronics VisiLogic product. The vulnerability was reported by Steven Seeley of Source Incite via ZDI. Unitronics has produced a new version that mitigates the vulnerability. There is no indication that Seeley has been given an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to remotely execute arbitrary code.

The Unitronics’ CERT Compliance page reports that the vulnerability is in the 'Xceed Zip Compression Library' (the XceedZip.dll), - a 3rd party component from Xceed. Unitronics upgraded to version 6.5.16068.0 in their updated version.

NOTE: Once again a vulnerability in a 3^rd party library raises the question of what other control system programs are using the vulnerable version of this .DLL?

Rockwell Advisory

This advisory describes a resource management vulnerability in the Rockwell Allen-Bradley Stratix 5400 and Allen-Bradley Stratix 5410 industrial networking switches. The vulnerability is apparently self-reported.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to impact traffic (or packets) transiting the affected device.

ICS-CERT Updates Two Advisories

This afternoon the DHS ICS-CERT published to advisory updates; one for a December advisory for vulnerabilities in Advantech’s EKI devices; the other for a November advisory for vulnerabilities in Unitronics’ VisiLogic OPLC IDE devices.

Advantech Update

This update adds a new authentication vulnerability (CVE-2015-7938) and reports that Advantech published firmware updates for all four vulnerabilities on December 31^st, 2015. Interestingly it also removes reference to this being an uncoordinated disclosure.

Unitronics Update

This update adds a new code injection vulnerability (CVE-2015-7939) and reports that an even newer update is now available that presumably addresses all three vulnerabilities.

ICS-CERT Publishes Unitronics Advisory

This afternoon DHS ICS-CERT published a control systemadvisory for two vulnerabilities reported in the Unitronics VisiLogic OPLC IDE. The vulnerabilities were reported (through ZDI) by Steven Seeley of Source Incite, Fritz Sands of ZDI, and Andrea Micalizzi. Unitronics has produced an update package but there is no indication that any of the researchers were provided the opportunity to verify the efficacy of the fix.

The two vulnerabilities were:

• Unsafe ActiveX control marked safe for scripting – CVE-2015-6478; and

• Code injection – CVE-2015-7905

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code.

There is nothing on the Unitronics web site or in the version documentation that describes the security vulnerabilities. There is the possibility that Unitronics directly contacted their customers during the period that this vulnerability was listed on the US CERT Secure Portal (posted November 3^rd, 2015).

Actually, looking at the vulnerability ID number assigned by ICS-CERT (ICSA-15-274-02) it would seem that the advisory was probably placed on the Secure Portal on October 1^st when the Omron advisory (ICSA-15-274-01) was published. Either that, or something happened at the last minute to cause ICS-CERT to hold the advisory for more than a month.

BTW: If you had been following the ICS-CERT notices on the Secure Portal, you would have already known about this vulnerability. If you are a critical infrastructure owner or cybersecurity officer see the bottom of the ICS-CERT landing page for instructions on how to apply for access.

ICS-CERT Updates Two Notices and Issues New Advisory

This has been a busy week for the folks at the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT); they updated a recently issued alert and an advisory and issued a new advisory. The Unitronic Advisory was updated as was the Alert for ULE-OCP; actually that alert was re-issued after ICS-CERT got names straightened out. A new advisory was issued for Honeywell’s TEMA system.

Open Automation Software

The OPC Systems Alert that was published on Monday as part of the ICS-CERT response to the latest Luigi disclosures has been superseded by a new alert that corrected some apparent system naming errors that had been included in the Luigi documentation. Amazingly the link to the superseded document still works. Unfortunately, ICS-CERT cannot blame this error on Luigi because they refuse, as a matter of policy, to disclose the names of security researchers who release vulnerability information through an uncoordinated disclosure process.

BTW: I had an error in my blog posting on Monday’s three Alerts. Fortunately, Dan, a sharp eyed reader, caught the error and notified me of the problem. When I went to correct the problem this new version of the alert was already published and I put the link to the corrected document in that post. If anyone is interested that original Alert can be found here, at least for the time being. [NOTE: As of 1-12-12 this old alert is no longer available via this link. I'm not sure when it went dead]

Unitronics UniOPC

If this revision was not written by a lawyer is had to have at least been directed by a lawyer, probably the vendor’s lawyer. This is a three part change that you have to be very alert to track. The first change adds a footnote to a link to the web site of the third party vendor that provided the offending component. The second changes “other applications that support OLE for Personal Computers (OPC)” to read “other OPC applications”. The final revision changes “resides in the https.ocx component of ‘IP*Works! SSL’” to read “resides in the https50.ocx component of “IP*Works! SSL” and removes the footnote link to the third party vendor web site. This is a highly consequential change [Sarcasm Warning].

Honeywell Temaline Access Control

This new Advisory for the Honeywell Enterprise Buildings Integrator (EBI) system is based upon a coordinated disclosure by Billy Rios and Terry McCorkle. If you haven’t heard about this dynamic duo you certainly will; they discovered 665 vulnerabilities in 75 HMI applications in 100 days (see the Digital Bond posting for more details; make sure to read the Reader Comments) and coordinated them all through ICS-CERT. In any case this doesn’t look like it belongs in the list of 665 vulnerabilities and it isn’t really about an industrial control system as chemical engineers think about such systems, but it is potentially important to chemical facility security none-the-less.

It does involve a component of Honeywell’s Enterprise EBI called Temaline. According to the Honeywell web site:

“Honeywell Temaline offers handling and monitoring of electronic access control, visitor/contractor management, time and attendance and mustering. Integration with security management, enterprise resource planning (ERP) and closed-circuit television (CCTV) systems provides one-window access to and control over the cardholder database to determine who is allowed access to what places and at what times.”

The vulnerability occurs in the Tema Remote Installer that includes an ActiveX function that is “configured to ignore file authentication”. A moderately skilled attacker could remotely exploit this vulnerability to craft, download and install an MSI file that could allow execution of arbitrary code. It would seem to me that that code could include allowing an attacker physical access through the security system by any number of means.

Honeywell developed a patch for this vulnerability; unfortunately that patch also kills legitimate uses of the offending MSI file. Work-around instructions for that issue are included in the patch directions.

ICS-CERT Publishes Two Advisories

This afternoon the DHS Industrial Control System Emergency Response Team (ICS-CERT) published two advisories for vulnerabilities in control systems. The first was an update of the Rockwell response to the latest round of Luigi disclosures. The second is a new vulnerability in the Unitronics UniOPC.

Rockwell

This revision of the Rockwell advisory published last week brings to a close the vulnerabilities disclosed by Luigi in Rockwell’s  RSLogix 5000 and FactoryTalk products. Patches are now available for all of the affected products and versions. I don’t know how hard it was to patch these problems, but Rockwell was certainly prompt in their response to this disclosure.

Unitronics

The vulnerability identified in the UniOPC Server points out an issue that I have discussed previously, flaws in a third-party component of a control system. In this case the security researchers, Billy Rios and Terry McCorkle, identified the flaw in the control system, improper handling of input, that was traced back to a component of IP*Works! SSL. Nothing in this advisory explains if this problem is restricted to just the version of the component used in UniOPC Server or whether this vulnerability could be expected to be found in all products using this version of IP*Works! SSL.

ICS-CERT reports that a low to moderately skilled  attacker could remotely exploit this vulnerability potentially causing a system crash or executing arbitrary code.

Unitronics has provided an updated version of the product for download and recommends that all users install the new version. The new version does not include the offending IP*Works! SSL component. Unfortunately, ICS-CERT reports that installing the new version of UniOPC Server does not actually mitigate the problem as it does not remove the problem file. The security researchers have provided ICS-CERT (and it is included in the Advisory) with a suggested method for removing the problem file after the new version has been installed.

It is a shame that Unitronics did not include the removal of https.ocx in their install process.