What is the Nature of Software Vulnerability NI-64BG6SWQ-4?
Primary Software: Measurement Studio>>Enterprise Edition (Full Development System)
Primary Software Version: 2013
Primary Software Fixed Version: N/A
Secondary Software: N/A
I'd like to understand how severe software vulnerability NI-64BG6SWQ-4 is so that I can make an informed decision about patching the affected software.
You can use the following information to assess the security risk of vulnerability NI-64BG6SWQ-4 to your environment.
The NationalInstruments.Help2.dll ActiveX control publicly exposes two private methods for opening and closing registry keys by name.
This vulnerability allows remote attackers to discover which registry keys exist on the target machine using the privileges of the current user. The targeted user must visit a malicious page using Microsoft Internet Explorer or open a malicious Microsoft Office file for an attacker to successfully exploit this vulnerability. National Instruments is not aware of any active attempts to exploit this issue.
CVSS Severity: Medium
This vulnerability affects the following major products, but other National Instruments products and versions are affected as well. To determine if your system is affected, download and run the May 2013 Security Verification Tool.
Affected software                    Version(s)
Measurement Studio                   2013 and previous
Device Drivers with .NET support     2013.02 and previous
Resolution:
National Instruments has issued an update to affected products. For more information, refer to How Does NI Security Update 67L8K7QW Affect Me?
In lieu of patching, users of affected products can add “kill bits” to the registry to prevent vulnerable ActiveX controls from being loaded in Microsoft Internet Explorer and Microsoft Office. For more information, refer to How Do Microsoft “Kill Bits” Affect NI ActiveX Components?
Source:
The NI Product Security Team published this advisory. You may direct questions about this advisory to security 'at' ni.com and find more information about National Instruments product security at http://www.ni.com/security.
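The kill-bit mitigation mentioned under Resolution can be audited with a short PowerShell script. This is an added example, not NI's own tooling: the CLSID is a placeholder to be replaced with the value from the NI kill-bit KnowledgeBase article, and the Office path assumes the standard location of the Office COM kill-bit list.

```powershell
# Added example: report (and with -Set, apply) the kill bit for one ActiveX control.
# Writing under HKLM requires an elevated session.
param(
    # Placeholder CLSID, not a real NI value; take the CLSID from the NI kill-bit article.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    [switch]$Set
)

$KillBit = 0x400   # bit in the "Compatibility Flags" DWORD that blocks instantiation

# Internet Explorer and Office keep separate lists; 32-bit hosts on
# 64-bit Windows read the Wow6432Node copies.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility'
)

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # list not present on this machine

    $key   = Join-Path $root $Clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }

    if ($Set -and -not ($flags -band $KillBit)) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = $flags -bor $KillBit    # preserve any flags that were already set
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $flags -Force | Out-Null
    }

    # One row per list, so a missing kill bit in either bitness is visible.
    [pscustomobject]@{
        Key     = $key
        Flags   = '0x{0:X8}' -f $flags
        KillBit = [bool]($flags -band $KillBit)
    }
}
```

A row with KillBit = False means that host can still load the control from that list's point of view.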
External Link: CVE-2013-5024
KnowledgeBase 67L8N7QW: How Do The NI Q2 2013 Security Updates Affect Me?
KnowledgeBase 67L8KSQW: How Does NI Security Update 67L8KSQW for NI .NET Class Library Help Affect Me?
KnowledgeBase 67L8K7QW: How Does NI Security Update 67L8K7QW (NI General Security Patch Q2 2013) Affect Me?
KnowledgeBase 67L8LCQW: How Do Microsoft “Kill Bits” Affect NI ActiveX Components?
KnowledgeBase 68OCHKQW: How Do I Determine Which NI Q2 2013 Security Updates Are Required For A System Without NI Update Service Installed?
Report Date: 08/26/2013
Last Updated: 12/02/2013
Document ID: 6CP7OS4G