Slashdot Mirror


NVIDIA Releases Fix For Dangerous Display Driver Exploit

wiredmikey writes "NVIDIA on Saturday quietly released a driver update (version 310.90) that fixes a recently uncovered security vulnerability in the NVIDIA Display Driver service (nvvsvc.exe). The vulnerability was disclosed on Christmas Day by Peter Winter-Smith, a researcher from the U.K. According to Rapid7's HD Moore, the vulnerability allows a remote attacker with a valid domain account to gain super-user access to any desktop or laptop running the vulnerable service, and allows an attacker (or rogue user) with a low-privileged account to gain super-access to their own system. In addition to the security fix, driver version 310.90 addresses other bugs and brings performance increases for several games and applications for a number of GPUs including the GeForce 400/500/600 Series."

14 of 84 comments

  1. Re:No 7-series support? by Anonymous Coward · · Score: 3, Informative

    Really? Try this page.
    http://www.geforce.com/drivers/results/49740
    Still plenty of support for the 7 series.

  2. Dangerous ? Nope. by lemur3 · · Score: 4, Interesting

    Not like a CRT catching fire...

    I remember hooking up an old CRT to the wrong video card.. one with way too high a resolution for that screen..

    A while later, hooked up to the correct video card, I noticed a bit of smoke coming out from where the dials were.. removed the case.. plugged it in again to see if it was OK .. it burst into 3 foot high flames.

    thankfully a fire extinguisher was about 3 feet away... mom would have been awfully mad if i had burned down the house.... scared the bejeezes out of me ... the burnt electrical smell was horrendous..

    (bonus: it was a fancy no mess extinguisher)

    lesson learned.

    1. Re:Dangerous ? Nope. by earlzdotnet · · Score: 5, Funny

      The more I learn about the past of computing the more I'm convinced they only ever considered one failure mode: catastrophic.

    2. Re:Dangerous ? Nope. by Anonymous Coward · · Score: 4, Informative

      http://en.wikipedia.org/wiki/Lp0_on_fire

    3. Re:Dangerous ? Nope. by Gaygirlie · · Score: 2

      Bullshit...

      I doubt that. I've actually seen myself an old CRT bursting into flames shortly after I noticed the plastic on its side turning brownish and starting to melt. The thing is, CRTs are a very much different kind of a beast than our LCDs and a CRT can indeed be permanently damaged just by sending a wrong kind of a signal. Sending a wrong signal enough could cause the capacitors to blow and this could result in a fire. Have you ever opened a CRT-display? Those things have huge voltages going on there. I once opened this 21" high-end CRT and the warning labels on the rails there read 17,000 volts.

    4. Re:Dangerous ? Nope. by Zero__Kelvin · · Score: 2

      "mom would have been awfully mad if i had burned down the house"

      ... until she realized that it finally got you out of her basement?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Turn your flipping auto-updater on by GodfatherofSoul · · Score: 2

    The days of trying to manually screen each update your system needs are over. Too many components are vulnerable and the turnaround time for an exploit is too short.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Turn your flipping auto-updater on by DrXym · · Score: 2

      Laptop driver support can be *horrible* because manufacturers twiddle with the chipset params so that means their drivers are machine specific and certified. I'm writing this on an old netbook with Intel IGP. The OpenGL implementation is bugged so I want to install a later driver which is up on Intel's site. Can I install this driver? No because it decides "the driver being installed is not validated for this computer". And HP don't give a fuck about providing a certified version.

  4. It's also pretty old by Sycraft-fu · · Score: 4, Insightful

    About 7.5 years old. It is reasonable that they cease supporting it with new drivers. You can still get drivers for it, they have drivers for OSes up to and including Windows 8, they just aren't keeping support in newer unified drivers.

    Sounds pretty reasonable to me. They gave you over 7 years of driver updates. It is fairly unrealistic to assume that they'll continue with new support forever, particularly given that there is little reason. The 7 series can't do WDDM 1.1 or 1.2, it can't handle DirectX 10, 10.1, 11 or 11.1, it can't do CUDA, DirectCompute or OpenCL. There is just little in the way of things to implement for it.

    If you wish to continue using the card, no problem (though be aware that an Intel 4000 series GPU found in Ivy Bridge processors is likely to be faster, and certainly has far more features) just use the 306 series drivers. It will continue to operate with those no problem.

    If the security issue is what you are worried about, it looks like it only affected the 310 drivers, so no issues there.

    1. Re:It's also pretty old by Billly+Gates · · Score: 4, Insightful

      Nvidia and ATI have great cheap $49 cards if you want aero. That can cream the gaming 7800 series easily. No need to get a new system.

      If it is on XP you have a lot more security issues than this card though.

    2. Re:It's also pretty old by qwertphobia · · Score: 2

      Yes, it's reasonable, that doesn't mean I like it. I won't gracefully give up my right to complain on the Internet.

      Frankly it's Linux kernel compatibility I'm most concerned about. If Fedora 18 comes out next week with an updated kernel which breaks compatibility with the current 7-series driver, what are the chances it's going to get fixed?

      On the other hand, things are moving along in the Nouveau open source driver so there are alternatives.

      --
      Never ask for directions from a two-headed tourist! -Big Bird
    3. Re:It's also pretty old by hairyfeet · · Score: 2

      Ya know, I never understood why folks have a fit when Nvidia and AMD drop support, as you pointed out they are several years old now and simply can't do WDDM 1.2 which is required for all the features of Win 8. MSFT has always had legacy drivers built in so you probably won't need a driver at all for an Nvidia 7 or 8, and on the AMD side 2, 3, and 4, so what is there to complain about?

      Hell my HD4850 has had support dropped for nearly a year but Win 7 and all my games run fine so why should I care? It's not like these cards are gonna magically have more performance squeezed out of them via software, all the bugs are pretty much worked out by now, so what good would new drivers do? Considering the fact you can buy an Nvidia 210 for like $20 that will run rings around the old 7 series if he really wants to run win 8 he'd be better off just getting a new card and if he is on XP-7 it should run just fine with the drivers he has.

      The only place I could see it being a problem is Linux but until Torvalds joins the rest of the world and has a stable ABI so older drivers can work on the latest kernel it's either the hacked together FOSS drivers or you're SOL. Neither Nvidia nor AMD will ever be able to fully open their drivers thanks to HDCP, AMD were able to give around 65% but that's it and with Nvidia you run a supported card or give it up. But you can't blame the GPU companies for that, when it's no longer supported that's it and if the old drivers won't run tough luck, you can't expect them to pay a team of devs to support cards they aren't even selling anymore.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  5. ATI had an exploit too by Billly+Gates · · Score: 5, Insightful

    Do we as geeks and IT professionals need to worry about this?

    First it was the OS that got you owned. Then when Linux, Mac OS X, and NT/XP came it was about IE. IE 5.5 and 6 were instant targets. Then as that died off it was flash, java, and ODF addons.

    Are video drivers next? Which never gets updated? The video drivers. Which has its own cpu, ram, and is never checked by AV? The video card. A reflash would be a nightmare.

    1. Re:ATI had an exploit too by DrXym · · Score: 4, Interesting

      Do we as geeks and IT professionals need to worry about this?

      Absolutely. WebGL allows any random website to tap your hardware through the browser. WebGL is essentially OpenGL ES 2.0 give or take a few APIs and is supported by just about every modern browser except IE. Some enable WebGL by default on suitable hardware, some have it disabled by default. When it is enabled a page has carte blanche to abuse the chipset six ways to Sunday. The only protection afforded by browsers is the driver has to implement a GL extension called GL_EXT_robustness which says the driver promises, fingers crossed, to be really good about checking and recovering from errors.

      ActiveX had something similar called the "safe for scripting" bit. IE wouldn't load a page unless the control said it was safe and look what happened there. While there are fewer graphics drivers than ActiveX controls, it's easy to imagine a driver version claiming it's robust when in fact it isn't. It's easy to imagine a malicious site using that fact to break a lot of machines. I assume browsers could implement a whitelist of "good" drivers and update the list in addition to checking for the extension but it's obviously imperfect and offers additional browser exploits where none existed before.