Written by Staff Writer, CNN
The US government warned Saturday that “thousands” of US critical infrastructure organizations face potential disruption from a newly revealed vulnerability in operating systems used by hundreds of millions of devices.
In a statement, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team warned that devices running embedded operating systems, which it referred to as IOS, were at risk from the critical vulnerability CVE-2017-12003.
The vulnerability was revealed Friday by researcher Artem Russakovskii, who released a software patch to mitigate the risk.
The White House issued its own security warning Saturday, saying that vulnerabilities in IOS were found in only a fraction of US devices that could be affected.
DHS said that 700 million IOS devices — including tens of millions of servers — are currently shipped with OSs affected by the vulnerability, which can be exploited to steal user credentials or mount denial of service attacks, among other things. It said that 160 million of those devices were protected by software patches available Saturday morning.
Significant attack surface
But the department’s statement added that a significant attack surface “that could be exploited” remains. It said that up to 1.6 billion Internet-connected devices — which include home routers, cellphones, and industrial equipment — have embedded IOSs.
Norton CTO Sean Sullivan said the vulnerabilities in embedded software create a “more difficult environment to defend than your own systems.”
“Companies with embedded applications should regularly update OSes and patch their applications, particularly as new OS versions are released,” Sullivan said.
Russakovskii’s research did not breach the security of individual Web browsers or platforms, he said. It was intended to let operators of industrial facilities that run large computer networks evaluate whether their systems are vulnerable.
Specifically, the researcher discovered a design issue in code from Microsoft’s Internet Explorer browser that could allow attackers to take control of critical business devices such as energy stations, robotics systems and telecom networks.
The flaws Russakovskii used in his research are no longer present in the browser, Microsoft said in a statement.
“Due to this reporting, we have taken action to remove the impacted portion of the publicly disclosed vulnerability, so that no such vulnerabilities remain in the IE ecosystem,” Microsoft said.
McAfee released a statement Saturday on what they called a “cobweb” — a security ecosystem tied to the Internet Explorer software.
“The cobweb represents a security village that includes a wide variety of software and operating system providers, such as Microsoft, Adobe Systems, and Symantec,” McAfee said. “Today, McAfee is still working to understand the full scope of the issue and the extent to which both third-party and internal applications from the impacted products were running on servers in environments vulnerable to exploitation.”
A great deal is known about the issue, which was reported by CNN and first surfaced by Russian security firm Kaspersky Labs.
Russakovskii, who was funded by Google, was providing patch information to a legitimate anti-virus vendor, said Kaspersky researcher Costin Raiu, and the FBI was in discussions with him for weeks about the issue.
According to the FBI, Russakovskii had “intentionally misled the FBI in an effort to create an international incident.”
CNN has reached out to Russakovskii but has not received a response.