forever days

Discussion in 'Backup and Security' started by zdreg, Apr 11, 2012.

  1. zdreg


    The number of security holes that remain unpatched in software used to control refineries, factories, and other critical infrastructure is growing. It's becoming so common that security researchers have coined the term "forever days" to refer to the unfixed vulnerabilities.

    The latest forever day vulnerability was disclosed in robotics software marketed by ABB, a maker of ICS (industrial control systems) for utilities and factories. According to an advisory (PDF) issued last week by the US Cyber Emergency Response Team, the flaw in ABB WebWare Server won't be fixed even though it provides the means to remotely execute malicious code on computers that run the application.

    "Because these are legacy products nearing the end of their life cycle, ABB does not intend to patch these vulnerable components," the advisory stated. The notice went on to say that the development of a working exploit would require only a medium skill level on the part of the attacker.

    Representatives of ABB didn't respond to requests to comment for this article.

    Forever day is a play on "zero day," a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or "infinite days" by some researchers, forever days refer to bugs that never get fixed—even when they're acknowledged by the company that developed the software. In some cases, rather than issuing a patch that plugs the hole, the software maker simply adds advice to user manuals showing how to work around the threat.
  2. Banjo