-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSB-382508: ActiveX used in Industrial Products

Publication Date:        2020-01-14
Last Update:             2020-04-14
Current Version:         1.1


CUSTOMER INFORMATION

Multiple Siemens Industrial products (such as SIMATIC WinCC, SIMATIC
STEP 7, SIMATIC PCS 7, TIA Portal, and S7-PLCSIM Advanced as well as old
versions of SIMATIC NET PC Software) are using ActiveX components.
During the installation of these products, ActiveX components are
registered using mechanisms provided by the operating system.

These ActiveX components are designed to be executed exclusively by
software provided by Siemens, but can be executed by any software. If
Internet Explorer is used to access websites controlled by an attacker,
this could increase the overall security risk of systems where the
affected software is installed.

Siemens recommends to only visit trusted web pages using Internet
Explorer on systems where industrial software provided by Siemens is
installed. When accessing web pages not provided by Siemens software,
use a browser that does not support ActiveX.

Siemens also recommends to follow the Installation / Release Notes [1,2]
and to configure the environment according to Siemens` operational
guidelines for Industrial Security [3].


REFERENCES

- -   [1] https://support.industry.siemens.com/cs/document/37437018
- -   [2] https://support.industry.siemens.com/cs/document/109760740
- -   [3]
    https://www.siemens.com/cert/operational-guidelines-industrial-security

ADDITIONAL INFORMATION


For further inquiries on security vulnerabilities in Siemens products and 
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA


V1.0 (2020-01-14): Publication Date
V1.1 (2020-04-14): Explicitly mention old versions of SIMATIC NET

TERMS OF USE


Siemens Security Bulletins are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJelP0AAAoJENP0geoRSq/kHroQAM80qcsGS3jNo+o2vhOoxQzL
rS3ApUPFzQ4Ctw4bLsfOuGDA/g68/Ncy3rDiZfSf/fT3Bh7tGM4GfFPo1XjQnJGY
Jp1ORKpxAdF6zLt0wIGiUfRAnfsIqC38JOJ5RWGOsfExNGx60L+auFuvDUC2GiLZ
B2VCpLAlibJzfEz9XCCDijlQBt6Alfs0564L7M54OB93ARj7mWQeXNVWPZQzEUu7
uf2U4+OnkkC827+o92wHRQRVWpYCU8VVX5AdqpjEO99qmO0XceFQ/kP7hKAcHheT
x64b0k7Jgm6/ZD3Njo0B2+737rxxQIuD5jugMswRqorzAl0Qtz1Xx9RUpa701sym
LbgSeEbTeL1J/j6v7QKF4yOu23i5uWF9P2ZQbpZMNW30MkzW43+rp9BIZ66OaVoz
aRKHbB4e/GjF3ex9P1hQiEeB6Fdtd7FGd2YCSXmBPZKby2NvTxDelvU1o2wQhZqQ
zSV6mU0eWnjAYGJjJdAXOJ5vKJMW3NyQogrm0iNyxNzb8P9081znCwFjpIlRtZev
YNNX49+ozmrbRb4zKIheFERJeDWfhykucDv7BsoAXw6xOErRwKByTjlVlMzRRfo9
54ymtRiW82J5bznGJDPXXgA0IKbWIUDxNyWXmRjlXymkbhNj4cZpnCUHYlXhdHvi
KYTl5uqDTMYYf5sV1lKX
=WiNj
-----END PGP SIGNATURE-----