Information Security News mailing list archives

Manufacturer declares death of bugs Stuxnet used to sabotage Iran nukes


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 24 Jul 2012 04:03:03 -0500 (CDT)

http://arstechnica.com/security/2012/07/industial-bugs-exploited-by-stuxnet-fixed/

By Dan Goodin
Ars Technica
July 23 2012

German conglomerate Siemens on Monday said it has fixed vulnerabilities in its software products that appeared to be identical to those that allowed the Stuxnet computer worm to disrupt Iran's nuclear program.

In advisories published here and here, Siemens said it updated its Simatic Step7 and Simatic WinCC software applications to "address vulnerabilities first discovered in 2010." That was the same year the Stuxnet worm was discovered burrowing into industrial control systems in Iran and other countries throughout the world.

According to Siemens, the Step7 update fixes a loading mechanism for Windows Dynamic Link Library files that can be hacked to force systems into executing malicious code.

"An attacker can place arbitrary library files into Step7 project folders which will be loaded on Step7 at start-up without validation," one of the Siemens advisories stated. "The code will be executed with the permissions of the Step7 application."

[...]

