Nvidia Might Be Opening Your PC to Hackers Through a Software Vulnerability
It seems Nvidia’s Geforce Experience software, installed by default with Nvidia drivers for years, has a new skeleton in its closet that hackers are dying to get their hands on.
The software, which updates graphics drivers and enables certain features on Nvidia’s GPUs, is already somewhat infamous. Geforce Experience has previously come under fire over privacy concerns, in-app advertising, mandatory social media logins, and a litany of other questionable practices. This time, though, the implications are more serious.
Nvidia Geforce Experiences Some Issues
As it happens, Geforce Experience introduces a massive vulnerability across its tens of millions of installed devices by running a badly secured node.js server on startup, renamed “NVIDIA Web Helper.exe.”
The server can be used to gain full access to the Windows API and bypass whitelisting, or deploy malware disguised as signed code as outlined in René Freingruber’s original research:
“From attacker perspective, this opens two possibilities. Either use node.js to directly interact with the Windows API … or to write the complete malware with node.js. Both options have the advantage, that the running process is signed and therefore bypasses anti-virus systems (reputation-based algorithms) per default.”
The vulnerability opens up many normally closed gaps in Windows security and exposes the user to incredible risk on installation. Malicious code deployed via the outlined method won’t be recognized by most antivirus applications. Furthermore, a massive number of people have installed Geforce Experience and continue to do so, creating a staggering potential for damage.
While installing the bare (sans GFE) driver and removing the node.js server from the whitelist is probably the best course of action, Freingruber has several recommendations for those using the package in a business environment:
“For security consultants, it’s recommended to search for node.js binaries (file size > 10 MB and binary contains Node.js strings) during client security audits to identify other vendors which ship node.js to clients.
For blue teamers, it’s recommended to remove the file from the whitelist (if possible) or at least monitor its invocation.”
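The audit heuristic quoted above (size over 10 MB plus Node.js strings) can be scripted; the following is an added example, not code from Freingruber's research or from Nvidia. The marker strings and the two-marker threshold are assumptions chosen for illustration, and the file name is deliberately ignored because the runtime may be renamed.

```python
import os
import sys

MIN_SIZE = 10 * 1024 * 1024   # "file size > 10 MB" from the quoted advice
# Assumed markers: strings from node.js's embedded JavaScript runtime library.
MARKERS = (b"node_modules", b"NODE_PATH", b"process.binding")
CHUNK = 1024 * 1024


def found_markers(path, markers=MARKERS):
    """Return the set of markers present in a PE file, reading it in chunks."""
    overlap = max(len(m) for m in markers) - 1
    hits, tail = set(), b""
    with open(path, "rb") as fh:
        if fh.read(2) != b"MZ":          # not a Windows PE image
            return hits
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            window = tail + chunk        # keep a tail so split markers still match
            hits.update(m for m in markers if m in window)
            if len(hits) == len(markers):
                break
            tail = window[-overlap:]
    return hits


def find_node_binaries(root, min_size=MIN_SIZE, min_hits=2):
    """Walk root; return (path, size, markers) for likely bundled node.js runtimes."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size <= min_size:
                    continue
                hits = found_markers(path)
            except OSError:              # locked or unreadable file: skip it
                continue
            if len(hits) >= min_hits:
                results.append((path, size, sorted(m.decode() for m in hits)))
    return results


if __name__ == "__main__":
    for path, size, hits in find_node_binaries(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{size / 2**20:8.1f} MB  {path}  markers={hits}")
```

Each hit is a candidate for the whitelist review or invocation monitoring described in the quote, not proof of a vulnerable install.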
Geforce Experience isn’t available outside the Windows operating system, so these security issues are likely isolated to Windows users. In any case, it might be time to reconsider the usefulness of hooking your Facebook account into Nvidia’s game advertising platform in the first place.