NVIDIA has fixed a serious vulnerability in GeForce Experience, a program designed to quickly update video card drivers, optimize settings and stream gameplay.
The vulnerability allows an attacker to escalate privileges on Windows or cause the computer to malfunction.
“The problem occurs when the GameStream function is enabled, which broadcasts the game to TV set-top boxes, tablets and PCs. In this case, an attacker with local access to a computer can damage one of the system files and cause a denial of service condition or obtain permissions that are outside of his set of rights”, the vendor’s bulletin reports.
The vulnerability is registered as CVE-2019-5702 and is rated by the vendor at 8.4 points on the CVSS scale. Such a high rating is explained by the fact that exploitation does not require interaction with the user of the system, or any special knowledge or skills.
“Fortunately, the vulnerability cannot be exploited remotely, and an attack requires access to the vulnerable host. This means that, for example, the machine must be pre-infected with malware. However, it should be noted that the attack requires very low privileges in the system, and also does not require user interaction and is very easy to execute”, information security researchers note.
The flaw is present in all previous versions of GeForce Experience; the patch is included in release 3.20.2, which can be downloaded from the geforce.com downloads page or retrieved automatically when the client is opened. The vendor thanked the Japanese researcher RyotaK, who discovered the vulnerability and reported it to the manufacturer.
In November of this year, NVIDIA already patched bugs in GeForce Experience. One of the flaws, like CVE-2019-5702, was related to the GameStream service. That bug, which received 7.8 points on the CVSS scale, allowed escalation of privileges through the launch of third-party code. The result of the attack could be a leak of confidential information, as well as a system failure. The problem arose because it was possible to load a third-party DLL that was not signed by a legitimate developer.
Representatives of NVIDIA recommend that all users of the program upgrade to a safe version.
“To protect your system, download and install this software update through the GeForce Experience Downloads page, or open the client to automatically apply the security update”, NVIDIA developers advise.
Please always update your software to the latest version. However, a computer can already have vulnerabilities when you buy it. As we already reported, experts found vulnerabilities in preinstalled software on Acer and Asus computers.