They said the product is just a “toolbox”, and it is impossible for them to control how customers use the product. They mentioned customers with support contracts could upgrade to 9.0. The whitepaper did not address the vulnerability. They sent out a very large whitepaper “Securing Industrial Control Systems” and implied that customers needed to read this to fix the vulnerability. Given the long lifecycle of control system devices and applications there will likely be 8.0 systems for at least another five years. What was Wonderware going to do to notify InTouch 8.0 customers of the vulnerability and the fix? After all, InTouch 8.0 is still being sold to existing users through the end of the year. A solution to remove the vulnerability and a reasonably prompt vendor response by disclosure standards. After some back and forth, Wonderware indicated in June that the vulnerability was not present in InTouch 9.0 and Xavi was able to verify this. On April 17th Xavier Panadero of Neutralbit contacted Wonderware about the InTouch 8.0 vulnerability. Our approach is to let a coordination center, US-CERT in this case, determine what disclosure is appropriate. Saga may be overstated since the process did not take that long, but it was a classic example of why we don’t agree with leaving disclosure decisions up to the vendor – or the researcher.