BEIJING - A Chinese software maker has been ordered to notify its clients after bugs which could be exploited by hackers were discovered in two of its applications.
However, no attacks have yet been reported in connection with the bugs, which were found in applications made by Sunway Force Control Technology Co, according to the Chinese network security monitor on Friday.
"We have ordered the company to make a full list of their clients and call them one by one to notify them of the vulnerability of their product," the National Computer Network Emergency Response Technical Team (CERT) told China Daily.
The United States Department of Homeland Security (DHS) issued an advisory note on Thursday warning of defects in Sunway's software applications that could be used by hackers to launch attacks on crucial infrastructure.
The DHS began an inquiry into the company after the bugs were discovered by Dillon Beresford, an independent researcher with NSS Labs Inc, a private US security company.
The company had put two patches online for download within two weeks of being notified of the bugs.
"Users can download and install the patches within seconds," said Lin Hanwei, CEO of the Beijing-based company.
The majority of Sunway's clients are domestic companies, including some involved in major projects such as the Three Gorges Dam and the Daqing oil field, and its products are also used in the Chinese space program, according to its website.
The company has only a small number of clients in Europe and even fewer in the United States, Lin said, adding that some domestic clients also use Sunway software on their overseas projects.
Established in 1993, Sunway is one of China's few major suppliers of industrial control systems. It has an annual income of less than 40 million yuan ($6.1 million), according to Lin.
In July 2010, computers at Iran's Bushehr nuclear reactor were attacked by Stuxnet, a worm which targeted the reactor's industrial control systems manufactured by Siemens AG.
There has been widespread speculation that Stuxnet actually damaged the plant, according to reports from Reuters.
"Industrial control systems used to run in a closed network environment, but attacks can be made by hacking into the intranet," said He Shiping, a network security specialist with CERT.
A growing number of bugs will be discovered in the future as the security of industrial control systems comes under increasing scrutiny following the incident in Iran, he said.
The DHS said Sunway's actions were efficient, and full mitigation was achieved very quickly.
(China Daily 06/18/2011 page9)