Latest Nvidia Drivers Patch Security Vulnerabilities

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
Nvidia released the 419.17 drivers a few days ago, and as we noted, they featured a number of new SLI profiles, GPU video encoding improvements, and the usual round of bug fixes and enhancements. But yesterday, BleepingComputer found that the new drivers also came with fixes to a number of security vulnerabilities, with CVVS V3 scores ranging from 8.8 (High/Serious) to 2.2 (Low). Nvidia claims that all of the most serious vulnerabilities should be fixed by simply installing the 419.17 drivers, and at least some of them were already patched in older Quadro and Tesla driver releases, but one vulnerability in particular requires manual intervention. CVE‑2018‑6260, which appears to be related to the performance counter exploit researchers published last November, requires manual user intervention to patch. The 419.17 release notes describe the fix, which I've quoted below.

The NVIDIA graphics driver contains a vulnerability (CVE-2018-6260) that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. GPU performance counters are needed by developers in order to use NVIDIA developer tools such as CUPTI, Nsight Graphics, and Nsight Compute. In order to address CVE-2018-6260 the driver needs to be updated and additional steps listed below are needed to disable access to non-admin users. For more information about CVE-2018-6260 visit the NVIDIA Security Bulletin 4772. Access to GPU performance counters should be disabled for non-admin users who do not need to use NVIDIA developer tools. Restricting access to GPU performance counters can be accomplished through the NVIDIA Control Panel->Developer->Manage GPU Performance Counters page (NV Control Panel v8.1.950). Refer to the Developer->Manage GPU Performance Counters section of the NVIDIA Control Panel Help for instructions.

Those release notes suggest the fix may not even be necessary for users who don't have the "developer settings" checkbox enabled, and the vulnerability page notes that it requires "local user access" to exploit anyway.
 

Sikkyu

I Question Reality
Joined
Jan 21, 2010
Messages
2,879
well, the nvidia drivers are already data mining your computer so it doesn't seem like a big deal.
 

Grimlaking

2[H]4U
Joined
May 9, 2006
Messages
3,125
You mean that 500 megabyte driver set does things OTHER THAN VIDEO DRIVERS?! OH LORD SAY IT AINT SO!!

Sorry... I just chuckle every time I get a video driver update from them for my consumer card.

To the pro users out there.. Quadro and such. How large are your video driver sets?
 

TheOne&OnlyZeke

100% Irish
Joined
Jul 21, 2000
Messages
10,403
Latest driver seems to have fucked my Anthem game.
It won't launch since the driver update
Have to downgrade
 

IcePickFreak

[H]ard|Gawd
Joined
Dec 1, 2010
Messages
1,233
You mean that 500 megabyte driver set does things OTHER THAN VIDEO DRIVERS?! OH LORD SAY IT AINT SO!!

Sorry... I just chuckle every time I get a video driver update from them for my consumer card.

To the pro users out there.. Quadro and such. How large are your video driver sets?
IME they're around 200-300MB.
 

Axiomatic

Limp Gawd
Joined
Jun 10, 2004
Messages
451
I had a lot of problems landing this driver. Had to do a clean install to set it straight.
 

polonyc2

[H]ard as it Gets
Joined
Oct 25, 2004
Messages
17,150
I don't even have that 'Enable Developer Settings' option listed in Nvidia Control Panel
 
Top