Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
A note from another security expert has left me a bit stunned.
Like most of you, I assumed that if you are patching your Windows computers on your SCADA or ICS system (using some variation of Microsoft Windows Update), then any vulnerable services that can be patched will be patched. Well, guess again. You may still have a number of open vulnerabilities that are happily being missed by the Windows Update service. And scariest of all, you can’t do much about it.
To understand why this is possible, it helps to know a little about something called Windows Common Controls. Common Controls are executable routines that Microsoft supplies to give applications from different developers a unified look and feel. For example, the Tool Tip Control creates those small rectangular windows that display help text when you place the cursor over a button or tab and wait for a few milliseconds.
Common Controls have been in use since the early days of Windows. Applications like Word or SQL Server use them extensively, but so do many developers of 3rd party applications. In the SCADA and ICS world, it is a fair guess that the bulk of the software developed for industrial server or client applications on Windows machines uses them.
The problem started when Microsoft released the news about two serious vulnerabilities (MS12-027 and MS12-060) in the ActiveX controls contained in the file MSCOMCTL.OCX. According to the Common Vulnerabilities and Exposures (CVE) database, these flaws were being exploited in targeted attacks in April 2012 using specially crafted malicious RTF files sent via email.
Microsoft provided patches to fix these vulnerabilities in their April and August patch releases. And that is when the fun started.
It seems the Windows Update service will deliver the patches ONLY when qualifying Microsoft products, such as MS Office, are detected. If your computer isn’t running an application like MS Office, Microsoft SQL Server or Microsoft BizTalk Server, it won’t get patched. It doesn’t matter if your computer has a critical SCADA application that uses the vulnerable OCX file, you are out of luck. No patch for you.
To make matters worse, even standalone updates from Microsoft fail during installation unless the qualifying Microsoft product is detected. And tools like Microsoft Baseline Security Analyzer (MBSA) will miss this as well, because as soon as MBSA sees that you don’t have the qualifying application (e.g. MS Office) installed, it doesn’t bother to check whether the MSCOMCTL.OCX file is current. It just quits.
These Windows Common Controls were extensively used in many SCADA and ICS products. Yet very few computers in industrial automation settings run applications like Microsoft Office. A few running Microsoft SQL Server will get patched, but 99% of the SCADA and ICS computers will not get this critical patch. Furthermore, by design a vulnerable common control delivered by Product X can be used by other applications and thus potentially exploited in Product Z.
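Because Windows Update and MBSA both stop at the "is a qualifying product installed?" check, the only reliable way to know where you stand is to look at the file itself. The script below is an added example (not from the original post or from Tofino Security): it inventories every copy of MSCOMCTL.OCX the host knows about, both the system directories and any private copy a third-party product has registered as a COM server, and compares each file version against a minimum version you supply. The minimum version is an assumption you fill in from the file-information table of the relevant Microsoft bulletin; it is not given on this page.

```powershell
# Added example, not code from the original post. Inventory MSCOMCTL.OCX copies
# and flag any below the patched version, regardless of which products are installed.
# $MinimumVersion is an assumed input: take it from the bulletin's file-information table.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumVersion
)

$candidates = New-Object System.Collections.Generic.List[string]

# 1. The usual system locations (64-bit Windows keeps the 32-bit control in SysWOW64).
foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
    $p = Join-Path $dir 'MSCOMCTL.OCX'
    if (Test-Path $p) { $candidates.Add($p) }
}

# 2. Any COM registration whose InprocServer32 points at a private copy of the
#    control, e.g. one shipped inside an ICS product's own install directory.
foreach ($hive in @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')) {
    if (-not (Test-Path $hive)) { continue }
    Get-ChildItem $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $srv  = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        $path = $srv.'(default)'
        if ($path) {
            # Strip surrounding quotes and expand %SystemRoot%-style references.
            $path = [Environment]::ExpandEnvironmentVariables(($path -replace '"', ''))
            if ($path -match 'mscomctl\.ocx$' -and (Test-Path $path)) { $candidates.Add($path) }
        }
    }
}

# Compare each file's version with the minimum; anything lower is still exposed.
$report = $candidates | Sort-Object -Unique | ForEach-Object {
    $vi = (Get-Item $_).VersionInfo
    $fv = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path        = $_
        FileVersion = $fv
        Status      = if ($fv -ge $MinimumVersion) { 'OK' } else { 'VULNERABLE' }
    }
}

if (-not $report) { Write-Output 'No MSCOMCTL.OCX found on this host.' }
else { $report | Format-Table -AutoSize }
```

Run it with administrative rights so the registry scan sees every registration; a `VULNERABLE` row under a vendor's directory is exactly the case where only the ISV's repackaged update will help.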
According to the MS12-060 FAQ, Independent Software Vendors (ISVs) that have products using the Windows Common Controls should repackage their product with the latest updates. But how many ICS vendors will do that? And how many control system users will install that update in a timely manner?
Remember, this likely won’t be an automatic update of a single file – it could be a new package to install. And, even if the patch is available, it needs to be tested and certified. My guess is the SCADA/ICS world is facing a situation where there will be a massive number of unpatched and vulnerable computers running on critical systems for the next year or two. I don’t think that is good news.
Patching is Broken
To me this is another example of how the entire strategy of patching for SCADA and ICS security is broken. Vendors are reluctant to supply patches for control products (especially legacy products), and users are reluctant to deploy patches when they get them. Furthermore, even when you think you are patching your system, you might not be.
It is time we moved beyond the dream that the continuous race to patch, that we live with on our personal computers, will work on the plant floor. Over the next few months I plan to talk about what I see as alternatives to patching.
Eric Byres is chief technology officer at Tofino Security. The full version of this post appears on the Practical SCADA Security blog.