New Term Describes Unpatched Critical Infrastructure Vulnerabilities

Security researchers have coined a new term for the increasingly common unpatched vulnerabilities in critical infrastructure software: forever days. The term derives from the related “zero day” – used to describe software vulnerabilities attacked before a manufacturer has issued a patch. The new term acknowledges that these bugs never get fixed. Although the vendor may acknowledge them, experts report that the developers issue workarounds rather than an actual patch for the vulnerability. The problem is that these types of industrial control systems are designed for use by utilities and by major industrial manufacturers and processors, such as refineries. The latest forever day vulnerability -- a buffer overflow -- was discovered in ABB’s robotics control software. The US Cyber Emergency Response Team deemed it worthy of an advisory. In that alert, the agency noted that ABB does not intend to issue patches, which concerns security researchers who fear that end users will not be able to act on the information. Some companies have issued patches for their industrial control products, but, according to Ars Technica, they remain the exception. (Ars Technica)(Wired)(US-CERT)
