Measurement Studio for .NET Languages

security vulnerability in ActiveX components

Hi,

 

I recently received an e-mail about security vulnerabilities in ActiveX components of NI software.

 

We maintain an application written in C# using the Measurement Studio plugin (8.1.1) for Visual Studio. This application has been deployed on many (probably up to 100) machines of our customer along with the NI-DAQmx 9.2.2 driver. We do not use ActiveX components.

 

Is it absolutely necessary to update all these machines? That would obviously be an enormous task. It is not just the work itself, it also affects the image of our products. Of course, from the NI point of view, it is easy to say that all systems in the field must be updated, but what exactly are the risks of not updating these systems for my situation?

 

I hope you can explain these risks. Thanks in advance.

 

 

0 Kudos
Message 1 of 2
(5,197 Views)

You can find details on the risks in Zero Day Initiative's publication ZDI-13-120 (http://zerodayinitiative.com/advisories/ZDI-13-120/).

 

You can run the NI Security Verification tool on your deployed system to generate a report that indicates whether any patches are required for the system. To get the behavior you want, you need to run the tool in command line mode and specify the /LimitKillBit flag. Here is an example of all the command line arguments you likely want to use (change "MyReportDirectory" to something appropriate for your system):

NISecurityVerificationTool_Q2_2013.exe /Analyze /LimitKillBit /Location "C:\MyReportDirectory"

 

If the report indicates no patches need to be installed on the system, the system has no vulnerable components on it.

 

Alternatively, as stated in the "How Do The NI Q2 2013 Security Updates Affect Me?" knowledge base entry, if you have security policies that ensure that no NI ActiveX controls run in the context of Microsoft Internet Explorer or Microsoft Office, your system is not vulnerable. However, even in this case NI recommends that you install the patches when it is convenient for you to do so.

Message 2 of 2
(5,176 Views)
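
For the policy route mentioned in the reply above, the following is an added example (not from this thread and not NI code) of auditing a machine for the standard Internet Explorer ActiveX kill bit. It assumes the policy is enforced through kill bits; the CLSID shown is a placeholder to be replaced with the CLSIDs of the controls you need to check.

```powershell
# Added example: report whether the ActiveX kill bit is set for given CLSIDs.
# PLACEHOLDER CLSID: replace with the class IDs of the controls to be checked.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

# Kill bit value in the "Compatibility Flags" DWORD (Microsoft KB240797).
$KillBit = 0x400

# Check both registry views: native and 32-bit-on-64-bit (Wow6432Node).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    # A missing key or missing value means no kill bit is set for this control.
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }
    return (($prop.'Compatibility Flags' -band $KillBit) -ne 0)
}

$report = foreach ($clsid in $Clsids) {
    foreach ($root in $Roots) {
        # Wow6432Node does not exist on 32-bit Windows; skip that view there.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Clsid    = $clsid
            View     = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
            KillBit  = Test-KillBit -Root $root -Clsid $clsid
        }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code if any checked control lacks the kill bit in any view,
# so the script can be used from a deployment or inventory tool.
if ($report | Where-Object { -not $_.KillBit }) { exit 1 }
```

A control whose kill bit is missing in either view is not covered by the policy on that machine and should be handled by the vendor patch instead.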