WellinTech's vulnerability disclosure included a short paragraph about the vulnerability which was published on the Chinese version of their website and not on the English version as of December 15, 2010.
In addition, the archived patch (.rar) doesn't have any changelog or release notes, i.e., information about the security vulnerability and what issues are addressed in the patch. This is obviously not what most in the software industry would consider best practices.
In fact, the archive doesn't contain any information relating to the impact or vulnerability and there are no CNVD reference pointers, because CNVD never published anything about the vulnerability even after the patch went out. How do you explain that?
My question to WellinTech is, "Do you always issue critical software updates relating to security vulnerabilities without releasing a history of changes bundled with the patch?"
According to the response on WellinTech's website, the vulnerability was covered in about two sentences, most of which consisted of the vendor giving all credit to the China National Vulnerability Database (CNVD), without any mention of my discovery, disclosure, and the trigger they received back in September 2010.
Even though WellinTech would rather not acknowledge that an independent security researcher discovered a critical flaw in their product, they still have a certain amount of responsibility to respond to all parties involved.
By disclosing the vulnerability to WellinTech, CN-CERT and US-CERT I am confident that I have done the right thing. I was only trying to help and assist with the issue affecting KingView. I might have prevented a catastrophic event from taking place. As an example, one need not look too far into the past to reflect on what happened with Stuxnet, which was essentially a bundle of zero-day exploits inside a worm.
In fact, just for the record, this is not the first SCADA software vulnerability I have disclosed. Sometime between 2009 and 2010, I reported a vulnerability involving a product by the software company SIELCO SISTEMI. I reported a vulnerability in the product Winlog Lite which was subsequently patched within a short period of time. The vendor responded within 10-15 days and promptly issued a patch along with a very pleasant email thanking me for reporting the bug.
I am very suspicious as to why WellinTech kept the disclosure so quiet. I believe the public will eventually start asking questions about why CN-CERT, CNVD and WellinTech were so elusive.
The vulnerability information WellinTech provided is only available in Chinese, even though they have a version in English.
Pay close attention to the path in the URL.
The Chinese version of the patch:
Where is the English version?
If the Chinese version of the patch works with the English version of KingView 6.53, then why not update the English web site?
I'm not going to let the actions of one vendor in China keep me from disclosing other vulnerabilities in the future relating to Chinese software.
"When people deserve reward, this should be duly noted even if you personally detest them. When people deserve punishment, this should not be forgone even if they are close to you." (Mei Yaochen)
10:52 PM CST 1/12/2011
As of 1/12/2011 China's National Vulnerability Database has disclosed an advisory for WellinTech's KingView 6.53 HistorySvr heap buffer overflow vulnerability.
I am very pleased to see the information is now available to the general public.