Siemens this week announced patches for vulnerabilities in two of its software products.
"Two advisories issued by the company 'address vulnerabilities first discovered in 2010' and says that software updates in 2010 and 2011 addressed both vulnerabilities," The H Security reports. "Although not referring to Stuxnet by name, the 2010 date makes Siemens reported discovery date contemporaneous with the appearance of Stuxnet. The worm was later discovered to be specifically targeted at SCADA equipment and is reported to have been a creation of US and Israel intelligence operations designed to stop or slow Iran's nuclear fuel refinement projects."
"If left unpatched, vulnerabilities in the company’s Simatic STEP 7 and Simatic PCS 7 software could have allowed the loading of malicious Microsoft Dynamic-link Library files," writes Threatpost's Christopher Brook. "This in turn could lead to an attack against systems that use STEP 7, a la Stuxnet. 'An attacker can place arbitrary library files into STEP 7 project folders that will be loaded on STEP 7 startup without validation,' reads one part of a advisory issued by the Industrial Control Systems Cyber Emergency Response Team (ISC-CERT). The new patch updates a mechanism that will reject DLLs in the Step 7 folder, in turn 'preventing unintended execution of unchecked code.'"
"The other advisory published on Monday outlined updates made to Siemens WinCC to fix a vulnerability that gave hackers remote access to a database server with full administrative privileges," writes Ars Technica's Dan Goodin. "Both vulnerabilities were 'addressed by a Siemens software update in 2011,' the advisories stated. The notices, which strongly advised customers install the patches as soon as possible, didn't explain why it took more than 12 months to issue the warnings."