If you are using an Nvidia graphics card, chances are that you have also installed the 'GeForce Experience' suite, a utility that helps you stay up-to-date with the latest driver releases, read gaming and hardware news, capture gameplay videos, and more. The versions of the utility from 3.18 and earlier are plagued by two severe vulnerabilities that Nvidia just fixed, so you are urged to update it immediately.
The first vulnerability is given the identifier 'CVE-2019-5678,' and concerns a weakness in the Web Helper component. An attacker with local system access could craft an improperly validated input that can lead to code execution, denial of service, or the disclosure of sensitive information. The second vulnerability is identified as 'CVE-2019-5676,' and is based on the incorrect loading of a Windows system DLL by overriding signature and path validation. This can lead to privilege escalation through arbitrary code execution. This second vulnerability also requires local system access, which can be achieved either across the network or right on the target system. The first vulnerability is given the CVSS v3 standard score of 7.8, while the second got 7.2, which means that both are of high severity.
The particular vulnerabilities were discovered by multiple researchers working for Rhino Security Labs, FortiGuard Labs, and Nvidia employees. This is the second time within the last 20 days that Nvidia had to patch severe vulnerabilities. Earlier this month, the Windows GPU driver was found to be vulnerable to denial of service and privilege escalation attacks, with the problem being located in the kernel mode layer handler. This time, it’s not the driver but the utility, which highlights the importance of keeping all your tools updated, as anything that’s vulnerable can serve as an open door to attackers.
For those of you who want to update the 'GeForce Experience' suite, make sure that you are downloading it via the official Nvidia website, and not from anywhere else. Moreover, you may update the tool right from its interface, so there’s no need to download it if it’s already installed on your system. Finally, if you want to completely take this risk potential out of the equation, you may simply download and install your GPU drivers from Nvidia’s website and get rid of the utility by uninstalling it. While it is useful in pushing notifications when a new GPU driver update is available, it also constitutes an individual safety risk.
Are you using Nvidia’s GeForce Experience tool, or do you just download and install your drivers manually? Let us know where you stand in the comments down below, and also on our socials, on Facebook and Twitter.