Nvidia has advised gamers to update after fixing two high-severity flaws in its GeForce Experience software. CVE-2019-5678 and 5676 can both lead to code execution, with the latter enabling privilege escalation.
“This update addresses issues that may lead to information disclosure, escalation of privileges, denial of service, or code execution. To protect your system, download and install this software update through the GeForce Experience Downloads page,” said Nvidia in a bulletin.
It’s worth noting that both attacks require local system access. CVE-2019-5678 is found in the Web Helper component and lets attackers craft input that may not be validated properly, leading to DoS, code execution, or information disclosure.
Meanwhile, CVE-2019-5676 is found in the installer of GeForce Experience itself. A flaw caused it to load Windows system DLLs in an insecure way that attackers could exploit with a binary planting attack.
At WinBuzzer, our machines with Nvidia’s software updated automatically. However, this may not be the case for all users. You’ll want to make sure you’re on 3.19 or higher by opening your account profile and selecting ‘General’.
Nvidia credits David Yesland of Rhino Security Labs for reporting CVE-2019-5678, and multiple reporters for 5676. The reports come shortly after the company patched 8 high-severity Tegra flaws, and follow another GeForce Experience vulnerability from March.
In May, a GeForce driver update for the GTX 1060 graphics card caused PCs to get stuck in a restart loop until Nvidia rolled out an emergency hotfix. Issues are clearly not uncommon for this type of software, and users should consider subscribing to security bulletins to ensure they can act fast.