The number of security holes that remain unpatched in software used to control refineries, factories, and other critical infrastructure is growing. It's becoming so common that security researchers have coined the term "forever days" to refer to the unfixed vulnerabilities.

The latest forever day vulnerability was disclosed in robotics software marketed by ABB, a maker of ICS (industrial control systems) for utilities and factories. According to an advisory (PDF) issued last week by the US Cyber Emergency Response Team, the flaw in ABB WebWare Server won't be fixed even though it provides the means to remotely execute malicious code on computers that run the application.

"Because these are legacy products nearing the end of their life cycle, ABB does not intend to patch these vulnerable components," the advisory stated. The notice went on to say that the development of a working exploit would require only a medium skill level on the part of the attacker.

Representatives of ABB didn't respond to requests to comment for this article.

Forever day is a play on "zero day," a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or "infinite days" by some researchers, forever days refer to bugs that never get fixed—even when they're acknowledged by the company that developed the software. In some cases, rather than issuing a patch that plugs the hole, the software maker simply adds advice to user manuals showing how to work around the threat.

"They're just not going to get patched," said Terry McCorkle, an independent security researcher who specializes in ICS devices used to control equipment on factory floors, dams, and in other industrial settings. "The big question is how many of their clients are actually set up to take those advisories and take action upon them?"

Engineers use ABB WebWare Server to control giant robotic arms used in factories that make cars and other goods. A buffer overflow flaw affecting several COM and ActiveX components gives attackers the means to shut down or take control of PCs that run the software by sending them specially manipulated data. Because the flaws reside in ActiveX controls, the attack code could be included and scripted in webpages residing on remote servers.

McCorkle, who along with security researcher Billy Rios discovered and reported the flaw to ABB, said it could be exploited by attackers who want to get their hands on blueprints and other proprietary data stored on an engineer's computer. He said the vulnerability might also be targeted by people who want to sabotage a factory's operations.

Enter GE, Siemens, Schneider

ABB is hardly the only ICS provider to foster forever day bugs in software that connects to critical infrastructure. In November, the US CERT issued an advisory (PDF) warning of cross-site scripting bugs in Proficy Historian. That's a set of software components General Electric sells to help engineers collect and archive product information used in SCADA, or supervisory control and data acquisition, systems.

Even though the bug was remotely exploitable and required only low to moderate skill on the part of the attacker, GE said it wouldn't fix it. The software was considered a "legacy component." Instead, GE issued instructions for uninstalling it.

GE public relations manager Eli Holman defended the decision not to issue an update fixing the bug.

"We advised our customers that the 'Administrative Website' option will be removed as an installation option in the next release of Proficy Historian and that an updated alternative will be re-introduced in a future version of the product," Holman wrote in an e-mail. "In the interim, we recommended that customers uninstall the Web administrator and instead use the fully-supported Historian Administrator thick client."

Other forever day vulnerabilities date back as far as six years. A plugin added to the Nessus security scanner in 2006, for example, targets an FTP server that ships with the Modicon Quantum, a programmable logic controller made by Schneider-Electric. More than six years later, the backdoor accounts hardcoded into the device remain.

Another buggy PLC that won't be fixed anytime soon is the Siemens's SIMATIC controller used in plants in the water, wastewater, oil, gas, and chemical industries. According to an advisory issued in September, "Siemens currently has no plans to patch this vulnerability," which stemmed from an overflow that could allow attackers to execute arbitrary code on the targeted human-machine interface system.

Earlier this year, researchers discovered a series of additional vulnerabilities in the same product. Some of them, including default administrator passwords that are easy to recover, remain unfixed. Instead, "Siemens has changed the documentation to encourage users to change the password at first login."

Exception that proves the rule

Not all ICS manufacturers are criticized as being reluctant to patch their wares. After McCorkle alerted Invensys to vulnerabilities in its Wonderware Information Server, the company engineers engaged him in hours of meetings so they could better understand the threat.

"They actually had us go sit in on Webex sessions with them and they'd ask us, 'Is this a good way to fix this bug?' They spent a lot of time trying to fix the problems."

The CERT advisory for the patch is here.

But researchers interviewed for this article said such anecdotes are the exception. More typical, they say, are experiences of Dillon Beresford, who last year uncovered a slew of vulnerabilities in the same Siemens PLCs targeted by the Stuxnet worm. More than eight months later, the former researcher for NSS Labs said many of the weaknesses affecting the S7-300 and S7-1200 remain unaddressed. He told Ars he ultimately curtailed research on the devices after growing tired of waiting for fixes.

"I did my part and I'm waiting for them to do their part in terms of patching the vulnerabilities," he said. Siemens representatives didn't respond to emails requesting comment for this article.

Beresford went on to condemn the practice of allowing known vulnerabilities to remain in software that's often used to manage plants and factories that some say could be targeted in terrorist or cyberwar attacks.

"It just doesn't seem very viable in terms of a defense in depth posture," he added. "It seems like an excuse to me, and a poor one at that, to claim these vulnerabilities can't be patched."

Story updated to remove "ICS" from the headline.