NVIDIA fixes security vulnerability with driver update
NVIDIA has silently released a driver update (310.90 WHQL) which fixes a security vulnerability disclosed in late December. The vulnerability could be exploited by an attacker to obtain administrator privileges for Windows versions from Vista onwards. Security researcher Peter Winter-Smith discovered the vulnerability in the NVIDIA Display Driver Service (nvvsvc.exe) and posted an exploit for the vulnerability to Pastebin.
The buffer overflow vulnerability can be exploited to inject code and ultimately to obtain escalated privileges. The exploit is able to bypass both data execution prevention (DEP) and address space layout randomization (ASLR).
Winter-Smith's approach in publishing the exploit caused some commotion. He later removed the proof-of-concept posting from Pastebin – one reason for the deletion may be that, according to Tech Report, Winter-Smith did not inform NVIDIA about the security vulnerability prior to publication. The reason he gave for this omission was that the vulnerability was low risk. The vulnerability can only be exploited if file sharing is enabled and access is permitted by the Windows firewall. According to Security Week, however, HD Moore, Chief Security Officer at Rapid7, assesses the risk posed by the vulnerability as somewhat greater, describing it as a serious problem for businesses because of the potential for privilege escalation.
NVIDIA has not yet made any official comment on the publication of the exploit. The driver update is not dedicated solely to the security vulnerability. As well as fixing the odd bug, it adds 3D Vision profiles and improves performance for games such as Far Cry 3, Call of Duty: Black Ops 2 and Assassin's Creed III.