Malware exploiting control systems and out of cycle MS patch
It’s a busier day than usual in regards to network security, and a couple of those events are worth noting here.
For starters, it looks like some malware delivery website(s) are targeting industrial control software. An older vulnerability in an ActiveX control included with ICONICS OPC-enabled visualization tools is being actively exploited by at least one website, and in the malware “business” if one site is doing it then 100 others probably are as well. The good news is that there has been a patch available for a while, and you can always killbit the specific control, 9d6bd878-b8eb-47e5-ab1c-87d74173baa, if patching isn’t feasible. At first glance it would seem like an exploit for this is being targeted at an awfully small group of people, but perhaps the distribution of this ActiveX control is a lot bigger than we think? Hard to know why this bug was chosen to go along with the others they target, but maybe since these components are free to download the malware guys are banking on it being installed with a lot of other software. Unless these pages are going to be used as part of a spam campaign they don’t seem to be very targeted, and normally attacks like that are going to be a lot more precise and not just serving malware from a site that’s well known enough that Google warns you that it’s dangerous. On a side note, the affinity that SCADA developers seem to have for ActiveX controls, combined with web interfaces into control systems becoming more and more common, makes for a situation that’s difficult to secure in a proactive way.
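Setting a kill bit is a registry change rather than an uninstall: Internet Explorer checks the "Compatibility Flags" value under the control's CLSID and refuses to instantiate it when bit 0x400 is set, even though the DLL stays on disk. The script below is an added example (not code from the original post, ICONICS or Microsoft) that sets and verifies the kill bit for one CLSID. The CLSID in it is a placeholder, since the post quotes the ICONICS one in truncated form; substitute the full GUID for the control you are disabling, and run it from an elevated session.

```powershell
# Added example (not from the original post or any vendor): set and verify the IE "kill bit"
# for an ActiveX control identified by CLSID. Run from an elevated PowerShell session.
# The CLSID below is a PLACEHOLDER; replace it with the full GUID of the affected control.
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder

# Bit 0x400 in "Compatibility Flags" is Microsoft's documented kill-bit value.
$KillBit = 0x400

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both keys are returned.
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Preserve any flags already set and OR in the kill bit.
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$current -bor $KillBit
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only if every applicable registry view has the kill bit set.
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current -or (([int]$current -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -Clsid $TargetClsid
if (Test-ActiveXKillBit -Clsid $TargetClsid) {
    Write-Host "Kill bit set for $TargetClsid"
} else {
    Write-Warning "Kill bit NOT set for $TargetClsid"
}
```

Test-ActiveXKillBit is the part worth keeping around: it is a quick way to confirm that a kill bit pushed by Group Policy or a vendor patch actually landed in both registry views on the HMI workstations you care about.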
The second interesting event is that Microsoft released an out of cycle patch today in response to some active exploitation of a bug in their RPC interface. This is the first MS bug patched in a while that is exploitable with default configurations and pre-authorization, and that means it’s possible someone will write a worm to attack it. I know some researchers have already got proofs of concept written, and the bad guys normally aren’t far behind. This shouldn’t affect the control system space too much, as most of the time firewalls and such are in place to block the ports necessary for this to be exploited, but now is as good a time as any to make sure the right firewall rules are in place protecting your HMIs and such. Worms are nasty business, and require a lot of time to eradicate even in the best of circumstances. More specific information and a very useful chart are on the SVRD blog.
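The "right firewall rules" here come down to not letting the Server service (SMB over TCP 445, and the NetBIOS session port TCP 139) be reachable from anything that doesn't need it. The script below is an added example (not from the original post, Microsoft or Digital Bond) that audits a Windows HMI for that exposure and then closes it down to a single management subnet. It uses the NetSecurity cmdlets, which appeared with Windows 8 and Server 2012, so it is newer than this post; the management subnet is a placeholder assumption, and the script must run elevated.

```powershell
# Added example (not from the original post or any vendor): audit and restrict inbound SMB
# on a Windows host. Requires the NetSecurity module (Windows 8 / Server 2012 or later)
# and an elevated session. The subnet below is a PLACEHOLDER assumption.
$SmbPorts = @(139, 445)
$ManagementSubnet = '10.0.0.0/24'   # placeholder: hosts that legitimately need SMB to this box

function Get-SmbExposure {
    # Returns the SMB ports the host is listening on and the enabled inbound Allow rules
    # that open them to ANY remote address. Rules already scoped to specific sources are
    # deliberately not reported.
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $SmbPorts -contains [int]$_.LocalPort })

    $openRules = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            if ($portFilter.Protocol -notin @('TCP', 'Any')) { return $false }
            if (@($addrFilter.RemoteAddress) -notcontains 'Any') { return $false }
            # LocalPort is 'Any', a single string, or an array of strings/ranges.
            $ports = @($portFilter.LocalPort)
            if ($ports -contains 'Any') { return $true }
            foreach ($p in $SmbPorts) { if ($ports -contains "$p") { return $true } }
            return $false
        })

    [pscustomobject]@{
        ListeningPorts = @($listening | ForEach-Object { [int]$_.LocalPort } | Sort-Object -Unique)
        OpenAllowRules = @($openRules | ForEach-Object { $_.DisplayName })
    }
}

function Limit-SmbInbound {
    param([Parameter(Mandatory)][string]$AllowedSubnet)
    # 1. Default inbound action is Block on every profile, so nothing is reachable unless
    #    an Allow rule says so.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    # 2. Disable the wide-open Allow rules the audit found (typically the built-in
    #    "File and Printer Sharing (SMB-In)" rules).
    foreach ($name in (Get-SmbExposure).OpenAllowRules) {
        Get-NetFirewallRule -DisplayName $name | Disable-NetFirewallRule
    }
    # 3. Re-open SMB only from the hosts that need it.
    New-NetFirewallRule -DisplayName 'SMB inbound from management subnet only' `
        -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
        -RemoteAddress $AllowedSubnet -Action Allow -Profile Any | Out-Null
}

# Audit first; apply the restriction once you have confirmed the management subnet.
Get-SmbExposure | Format-List
# Limit-SmbInbound -AllowedSubnet $ManagementSubnet
```

Run Get-SmbExposure again after applying the change: the listening ports will still show up (the Server service is still running), but OpenAllowRules should be empty, which is the state you want on an HMI that only talks SMB to a known engineering station.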
Update: Yep, worm in the wild.
Author: Daniel Peck
Posted: October 23rd, 2008 under Firewall / Perimeter, Microsoft, SCADA Vendor.
Comments: 1
Comments
Pingback from Digital Bond » Conficker beFUDdlement
Time: April 1, 2009, 4:45 pm
[...] blocked, that’s the initial vector that this worm uses, exploit the MS08-067 vulnerability that we talked about on patch day. I won’t say that there’s no good reason for you to have these ports coming [...]