
LabVIEW


Does the security vulnerability in LabVIEW Q2 2013 also apply to 2012?

I am currently using LabVIEW 2012. Do I need to worry about the ActiveX security vulnerability associated with the Q2 2013 notification? If so, do I use the same patch, or is there another patch available?

 

thanks,

 

Stephen

0 Kudos
Message 1 of 10
(2,919 Views)

NI Security Update Tool Q2 2013 fixes all current NI software.

Just run the update service. The patches usually don't break things ;)


"Should be" isn't "Is" -Jay
0 Kudos
Message 2 of 10
(2,913 Views)

Running the update tool is fine and good for my development machines and future deployed machines (no-brainer there), but what about deployed LabVIEW systems already in the field?

Aside from the oddly specific reference to some guy named "rgod", the KB is pretty vague. Is there any information out there regarding the specifics of the vulnerability itself? Under what circumstances can it be exploited, and what harm can the attacker inflict due to this vulnerability? If the issue does not apply to me, or the risk is inconsequential given my application, then I wouldn't want to bother/alarm all of my customers with a mandatory security update. Maybe another way to phrase this: "How important is it for me to ensure that my customers apply the patch to their deployed systems?"

 

 

EDIT: I probably should have made another thread... but I figure if all of the discussion on this patch is in one place, maybe it wouldn't be so bad, no?

 

 

Best Regards,

John Passiak
0 Kudos
Message 3 of 10
(2,888 Views)

Deployment update discussion is here.

"Under what circumstances can it be exploited, and what harm can the attacker inflict due to this vulnerability?" is not really something I want to see in a public discussion. ;) Wouldn't that be a "how-to" manual for hackers?

A tech notice to your customers may be nice if you use a lot of ActiveX components, but (from a forty-thousand-foot level) it's not important to you at all if they fail to apply the patch and it bites them.


"Should be" isn't "Is" -Jay
Message 4 of 10
(2,852 Views)

Yeah, that's a good point about the "how to".

 

For liability reasons I suppose a notice will be a good idea, along with a software update that includes the fixes (up to the customer whether they want to install it or not).

 

 

Best Regards,

John Passiak
0 Kudos
Message 5 of 10
(2,842 Views)

Wondering which versions this update is for... would it be required on legacy installations or deployments of version 7.1, for example? Is there any specification on which software versions we need to worry about, or is it just ALL versions? And, yes, we have MANY deployments and development systems at legacy versions. It looks like the update script examines what is installed and decides what is needed, but I would hate to have to run the script on everything just to find that it was not required on a number of them.

 

Thanks in advance for any suggestions...

0 Kudos
Message 6 of 10
(2,820 Views)

It looks like it's actually a patch to ActiveX itself using Windows Registry flags. So, in theory, it patches any ActiveX component installed by any NI product that is vulnerable (or that's how I read the KBs).


"Should be" isn't "Is" -Jay
0 Kudos
Message 7 of 10
(2,811 Views)
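For anyone who wants to verify what the update actually did on a deployed machine, here is an added PowerShell check that is not from this thread or from NI. It assumes the "Windows Registry flags" mentioned above are the standard Microsoft ActiveX kill bit (Compatibility Flags = 0x400 under the Internet Explorer "ActiveX Compatibility" key), which blocks a control from being instantiated by IE regardless of whether your own applications use it. The CLSID below is a placeholder; take the real CLSIDs of the affected NI controls from the NI KB.

```powershell
# Added example (not NI's tool): report, for one CLSID, whether the control is
# registered on this machine and whether the IE kill bit has been applied to it.
# Assumption: the patch sets Compatibility Flags = 0x400 (the standard kill bit).
function Test-ActiveXKillBit {
    param(
        # Placeholder CLSID; replace with the control's real CLSID from the KB.
        [Parameter(Mandatory)][string]$Clsid
    )
    $killBit = 0x400

    # Is the control registered at all? (64-bit and 32-bit views)
    $clsidKeys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid"
    )
    $registered = $false
    foreach ($k in $clsidKeys) { if (Test-Path $k) { $registered = $true } }

    # Is the kill bit set in either registry view?
    $compatKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $killed = $false
    foreach ($k in $compatKeys) {
        if (Test-Path $k) {
            $flags = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and (($flags -band $killBit) -eq $killBit)) { $killed = $true }
        }
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        Registered = $registered
        KillBitSet = $killed
        # A registered control without the kill bit is the case that still needs the patch.
        NeedsPatch = ($registered -and -not $killed)
    }
}

# Usage: run once per CLSID listed in the NI KB (placeholder shown here).
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-List
```

Running this across a fleet (for example through your existing remote-management tooling) answers the "is it required on this legacy box?" question without having to run the full update tool on every machine: a control that is not registered cannot be loaded by IE, and one whose kill bit is set is already blocked.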

I have much the same questions as John P, but I understand you don't want the "how-to" info on a public forum. How about a vulnerability discussion? I plan to update all internal development versions, but updating all of our customers' deployed solutions could be a large undertaking. If we're not using any ActiveX controls in any of our deployed LabVIEW solutions, would our customers still be vulnerable? i.e. is this only if we're using ActiveX, or could something bad happen just by having the components on the system? Thanks.

0 Kudos
Message 8 of 10
(2,660 Views)

Hi Harvster,

 

The vulnerability is exposed through Microsoft Internet Explorer and Microsoft Office. Although NI recommends the security patches for all NI customers, customers with highly controlled systems do not need to update their systems immediately if they are confident that IE and Office will not be used to open documents or web pages with malicious content. However, NI recommends that such customers eventually update their systems in case they redistribute applications from those systems.

0 Kudos
Message 9 of 10
(2,630 Views)

Basically, if your users visit a website that tries to load the NI ActiveX component and knows how to exploit its vulnerability, then they can be compromised. So it is completely irrelevant whether your applications make use of any ActiveX component at all.

It does require a malicious web page, though, that explicitly tries to load one of the NI ActiveX components and knows how to exploit its vulnerability. It also requires a web browser with rather lenient ActiveX execution permissions. By default, IE will at least ask the user for permission to allow a request to load an ActiveX component, but older IE systems might have less stringent default settings. And if the user disabled this warning, or happens to view a compromised web page which is in a trusted domain (e.g. Intranet), then he is vulnerable. But in the last case he has much bigger problems if web pages in his trusted domain are compromised.

Rolf Kalbermatter
My Blog
0 Kudos
Message 10 of 10
(2,614 Views)