May 12, 2011

Buffer Overflows in SCADA ActiveX Controls Put Critical Infrastructure at Risk

Following Stuxnet, the industrial control system attack on Iran’s nuclear facilities, vulnerability researchers have intensified their scrutiny of the software that runs these industrial systems, known as SCADA systems. The results are unsettling. Given the danger of vulnerabilities in the software that controls power and water systems and industrial plants, you would expect vulnerabilities to be rare. It is just the opposite. Common vulnerabilities listed in the CWE/SANS Top 25 Most Dangerous Software Errors, such as SQL Injection (#2), Buffer Overflow (#3), and Use of Hard-Coded Credentials (#11), have been found in SCADA systems over the last few months. A visit to the ICS-CERT website shows the discouraging results. I believe these public disclosures are the tip of the iceberg, as there are not as many researchers focusing on SCADA as there are focusing on common consumer and business software.


The latest revelation comes from ICS-CERT, which has alerted the industrial control system community to serious vulnerabilities that put them at risk. An exploitable buffer overflow has been discovered in a component of ICONICS GENESIS32 and BizViz products. This component is called an ActiveX control and is often used in cases where a web-based user interface needs to interface with another piece of a software control system. ActiveX controls are commonly used in the UI for control systems built using the Microsoft Windows platform. Buffer overflows in ActiveX controls are a serious class of vulnerability that came to light about 10 years ago. Back in 2001 the only solution to this problem was time-consuming manual code review or manual testing. But in 2011 there is a much better solution to the buffer overflow problem, known as static code analysis. All software written in C or C++ needs to be tested for buffer overflows using static code analysis before it is delivered to customers. Those interested in learning more about testing for vulnerabilities in ActiveX controls can read a free chapter on Local Fault Injection from my book, The Art of Software Security Testing. For the safety of our critical infrastructure I hope the software engineers at Iconics will read this and consider security testing of their code. The purchasers of industrial control systems and other business-critical systems should begin to ask their vendors if they have performed security testing before software is delivered to them. Since static analysis can find the majority of the vulnerabilities in the CWE/SANS Top 25 Most Dangerous Software Errors, there is no excuse for important software not to be tested.
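To make the defect class concrete, here is an added example in C; it is constructed for this page and is not ICONICS code, nor code from the book mentioned above. The function names, the 32-byte `TAG_NAME_MAX` field and the sample input `"PUMP_01"` are all assumptions. The first function shows the unbounded `strcpy` into a fixed-size stack buffer that static analysis tools report as a classic buffer overflow (CWE-120); the second shows the hardened form, which bounds the length scan, rejects input that does not fit, and copies with an explicit length. The probe helper exercises the boundary so the off-by-one edge (31 bytes accepted, 32 rejected) is visible rather than assumed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a fixed-size field such as a control might keep for a
   caller-supplied tag name. The size and names are assumptions, not ICONICS code. */
#define TAG_NAME_MAX 32

/* Vulnerable pattern (CWE-120, classic buffer overflow): strcpy copies until it
   finds the terminating NUL, so any input of TAG_NAME_MAX bytes or more writes
   past the end of 'name' on the stack. This is exactly the unbounded copy into a
   fixed-size buffer that static analysis tools report. It is here to show the
   defect and is only ever called with input known to be short. */
int set_tag_name_unsafe(const char *tag)
{
    char name[TAG_NAME_MAX];
    strcpy(name, tag);                 /* no length check at all */
    return (int)strlen(name);
}

/* Hardened form: bound the scan, reject input that does not fit (leaving room
   for the terminator), and copy with an explicit length. Returns the number of
   bytes stored, or -1 when the input is rejected. */
int set_tag_name_safe(const char *tag)
{
    char name[TAG_NAME_MAX];
    const char *end;
    size_t len;

    if (tag == NULL)
        return -1;
    /* memchr never reads beyond TAG_NAME_MAX bytes, so even an unterminated
       input cannot make the length check itself overrun. */
    end = memchr(tag, '\0', TAG_NAME_MAX);
    if (end == NULL)                   /* no NUL within the limit: too long */
        return -1;
    len = (size_t)(end - tag);         /* len <= TAG_NAME_MAX - 1 */
    memcpy(name, tag, len);
    name[len] = '\0';
    return (int)len;
}

/* Helper for exercising the boundary: build a string of n 'A' bytes (n < 256)
   and submit it to the hardened function. n == 31 is the longest accepted
   value; n == 32 is rejected because no room would remain for the terminator. */
int probe_safe_with_length(size_t n)
{
    char buf[256];
    if (n >= sizeof buf)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return set_tag_name_safe(buf);
}

int main(void)
{
    /* Constructed inputs: a tag that fits, then lengths on either side of the limit. */
    const char *short_tag = "PUMP_01";
    printf("unsafe, short input: %d bytes\n", set_tag_name_unsafe(short_tag));
    printf("safe, short input:   %d bytes\n", set_tag_name_safe(short_tag));
    printf("safe, 31 bytes:      %d\n", probe_safe_with_length(31));
    printf("safe, 32 bytes:      %d (rejected)\n", probe_safe_with_length(32));
    return 0;
}
```

The unsafe function is the shape a static analyser flags before the code ever ships: a copy whose length is controlled by the caller into a buffer whose length is fixed at compile time. Runtime mitigations such as stack protectors are defence in depth, not a substitute; the check belongs in the code, and the analysis belongs in the build, as the post argues.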


Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
