Live: 300+ Best Black Friday Deals Live: Black Friday TV Deals BF Deals Under $25 BF Deals Under $50 5 BF Splurges 8 BF Must-Haves 15 Weird Amazon BF Deals BF Cheat Sheet
Want CNET to notify you of price drops and the latest stories?
No, thank you

Serious hole in critical-infrastructure software, says U.S.

U.S. government warns critical-infrastructure operators of serious hole in "SCADA" software used in oil and gas; water; electric utilities; and manufacturing plants around world.

The U.S. government is warning critical-infrastructure operators of a serious hole in software used in oil and gas; water; electric utilities; and manufacturing plants around the world.

The stack overflow vulnerability affects the Genesis32 supervisory control and data acquisition (SCADA) and BizViz software sold by ICONICS, according to an advisory (PDF) released yesterday by the Department of Homeland Security's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). ICONICS has issued a patch to close the hole, which could allow an attacker to remotely execute code and take control of the computer.

Meanwhile, an exploit targeting the vulnerability was publicly available, the advisory said. To be successful, an attacker would need to use social engineering to lure a user with the "GenVersion.dll" (dynamic-link library) ActiveX control installed to visit a Web page that hosts malicious JavaScript. The dynamic-link library is a component of WebHMI (human machine interface) used in the ICONICS software, according to the advisory, which cited a report (PDF) by researchers at

"This vulnerability requires moderate skill to exploit," the warning said.

Fifty-five percent of the Genesis32 installations are in the U.S., 45 percent are in Europe, and 5 percent are in Asia, according to Foxborough, Mass.-based ICONICS.

The advisory comes less than two months after the ISC-CERT and several researchers warned of a handful of holes in different SCADA software.

Security issues with software used to monitor and control critical-infrastructure systems are cropping up more and more as those systems adopt Web-based technologies that provide channels into previously isolated networks.