Advantech produced a new version that mitigates the multiple buffer overflow vulnerabilities in its Studio ISSymbol ActiveX Control.
Independent researcher Dmitriy Pletnev of Secunia, who found the vulnerabilities, tested the new version and said it resolves the vulnerabilities.
The vulnerabilities are remotely exploitable, and exploit code targeting them is publicly available.
The following versions of Advantech Studio suffer from the issue:
• Advantech ISSymbol ActiveX Control 220.127.116.11, and
• Advantech Studio 6.1 SP6 Build 61.6.01.05.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
Advantech Studio is a collection of automation tools that includes the components required to develop human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) system applications that run on various Windows platforms. Advantech Studio is in nearly 2,000 installations worldwide. It is used in a variety of applications, including remote utility management, building automation, water and wastewater management, and factory automation.
An attacker can exploit boundary errors when processing any of four different properties to cause buffer overflows, which in turn can allow execution of arbitrary code. CVE-2011-0340 is the number assigned to these vulnerabilities.
Advantech recommends users of Advantech Studio Version 6.1 and earlier versions upgrade to the new version, Advantech Studio 7.0. Customers should contact their authorized Advantech distributor or their Advantech account manager to discuss the transition plan to Advantech Studio 7.0.
Advantech further recommends users read the customer notice.