Solution
NI has identified security vulnerabilities in
cvintdrv.sys
, a low-level support driver that implements Port I/O and Physical Memory Access functions. This driver is installed on Windows with the LabVIEW Run-Time Engine and the LabWindows/CVI Run-Time Engine, which are included in most NI software. The security vulnerability affects versions of NI software released prior to December 2011. NI recommends that all users download and install the security update from NI Update Service or from the
download page.
The security vulnerabilities could allow elevation of privilege for applications that do not have Administrator privileges. The security update provides a revised version of
cvintdrv.sys
that resolves these vulnerabilities in two ways:
- Applications that use the Port I/O VIs and functions of the low-level support driver will require Administrator privileges to run. The Port I/O VIs and functions will return run-time errors when called without Administrator privileges.
- Applications are no longer able to use the Physical Memory Access functions. The Physical Memory Access functions will return run-time errors in all cases.
What versions of LabVIEW and LabWindows/CVI Run-Time Engines are affected?The issue affects LabVIEW Run-Time Engine versions 2011 and earlier, and LabWindows/CVI Run-Time Engine versions 2010 SP1 and earlier. The LabVIEW and LabWindows/CVI Run-Time Engines are distributed with most NI software. LabVIEW 2012 and LabWindows/CVI 2012 and later include the security update.
Which Windows operating systems are affected?The low-level support driver capabilities are available only on 32-bit Windows operating systems. However, the low-level support driver can be redistributed from a 64-bit operating system to a 32-bit operating system. This can occur when you include the LabVIEW Run-Time Engine or LabWindows/CVI Run-Time Engine in an installer built for a 32-bit application. Therefore, NI recommends that the update should be applied on all Windows operating systems on which the LabVIEW Development System (version 2011 or earlier) or the LabWindows/CVI Development System (version 2010 SP1 or earlier) is installed.
How do I include the update in the installers I build after I install the update?For LabVIEW 8.2 and later, when you use LabVIEW Application Builder to create an installer that includes the LabVIEW Run-Time Engine, the update is automatically included in the installer and applied on the target machines.
For LabVIEW versions prior to 8.2, install the Security Update 5Q5FJ4QW on each target machine. You can find the update installer
here.
For LabWindows/CVI 8.0 and later, when you use the Distribution capability to create an installer that includes the LabWindows/CVI Run-Time Engine, the update is automatically included in the installer and applied on the target machines.
For LabWindows/CVI versions prior to 8.0, install the Security Update 5Q5FJ4QW on each target machine. You can find the update installer installer
here.
What about deployment-only machines?For machines with the LabVIEW or LabWindows/CVI Run-Time Engine but not the LabVIEW or LabWindows/CVI Development System, you have the following options:
- Download and install NI Security Update 5Q5FJ4QW from here to each machine. OR
- After installing the update to a development machine, rebuild an application installer that includes the LabVIEW or LabWindows/CVI Run-Time Engine and run it on each target machine.
Do I need to re-apply the update if I install additional NI software later?No. Once you install the update, you do not need to install it again. If you install other versions of LabVIEW, LabWindows/CVI, or their respective run-time engines, the update will remain in effect and will be included in future deployments built with the NI installer builder tools.
How can I tell whether the low-level driver has been updated?To determine whether the low-level driver on a machine is the updated version, run the
UpdateValidator.exe application attached to this article.
Do I need to update my application code?In LabVIEW, the Port I/O VIs are available only in a limited capacity depending on the version of LabVIEW and the operating system. If your application uses the Port I/O VIs without requiring Administrator privileges, you will receive a run-time error after applying this update. For more details, refer to
Why Do I Get Error -4850 From the Port In or Port Out VIs in LabVIEW?In LabWindows/CVI, the Port I/O and Physical Memory Access functions are in the Utility Library. If your application uses the Port I/O functions without requiring Administrator privileges or uses the Physical Memory Access functions, you will receive a run-time error after applying this update.