NVIDIA, the American technology company that designs top graphics processing units, has issued yet another security update to fix three high and medium severity security issues in the NVIDIA GPU Display Driver that could lead to code execution, denial of service, escalation of privileges, or information disclosure on vulnerable Windows machines.
Although would-be attackers need local user access to abuse the patched flaws, they could also exploit them by remotely dropping malicious tools, through various other means, on computers running an unpatched NVIDIA GPU Display Driver version.
NVIDIA advises all users to update their drivers as soon as possible by applying the security update available on the NVIDIA Driver Downloads page. The fixed issues are tracked as CVE-2019-5675, CVE-2019-5676, and CVE-2019-5677 and come with base scores ranging from 5.6 to 7.7, with NVIDIA’s risk assessment being based on the CVSS V3 standards.
By exploiting the issues that lead to information disclosure, attackers can collect valuable information about computers running an outdated version of the NVIDIA GPU Display Driver.
The flaws that lead to a denial of service state could allow potential attackers to render vulnerable computers temporarily unusable, while by abusing unpatched code execution vulnerabilities they can run commands or code on compromised machines.
Additionally, escalation of privileges flaws in the NVIDIA GPU Display Driver make it possible to elevate user privileges, gaining permissions beyond the ones initially granted by the system.
The software issues patched by NVIDIA in their May 2019 security update are listed below, together with full descriptions and the CVSS V3 Base Score assigned to each of them. The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.
If the GPU driver is installed on Windows 7, Microsoft KB2533623 must be installed as a prerequisite to addressing this CVE. This CVE does not affect driver packages provided by your hardware vendor and applies only to driver packages that are downloaded from the NVIDIA Driver Downloads public web page.
In late March, NVIDIA also released a security update for the NVIDIA GeForce Experience software for Windows, which patched the CVE-2019-5674 high severity vulnerability that could have led to code execution, denial of service, or escalation of privileges.
Assessing risk is also one way to make sure that fraud prevention is in place on many levels. While there are always ways for cyber criminals to exploit vulnerabilities, end users who strategize with manufacturers on how to practice fraud prevention and detection will help prevent the risks associated with vulnerabilities and cyber attacks.