NVIDIA display driver has multiple kernel vulnerabilities

Topic

New Reply

Just when you thought it couldn’t get any crazier… Günter Born just posted a warning that NVIDIA graphics drivers contain kernel-mode vulnerabilitie
[See the full post at: NVIDIA display driver has multiple kernel vulnerabilities]

3 users thanked author for this post.

JDeC, GoneToPlaid, Kirsty

Reply | Quote

Replies

The driver version 382.05 is shown in the security announcement linked from the warning to be the first Windows Geforce driver to have a fix incorporated in it, but the Nvidia forums suggest it’s not a particularly stable driver.

I’m one of those users who only updates drivers when there’s a real reason to do so – if every game and application runs smoothly then I don’t fix what isn’t broken. Although security is obviously a real reason to install a new driver I have no particular wish to create instability or deteriorated performance especially if as in this case according to Nvidia it is a theoretical security flaw only with no evidence of any exploits having taken place. As so often in these situations, it’s difficult to know what to do for the best!

Reply | Quote

Good gawd, what is with these vulnerabilities? Besides the mictray and this, all these vulnerabilities have been targeting unpatched windows os… Ironically after m$ stated they didn’t like unpatched, non-‘all patches’ systems. Sure they fix the vulnerabilities, but it’s kinda suspicious how they are finding them so incredibly fast, like not even a day after the vulnerability is found. It’s also suspicious how these vulnerabilities are only on non-win10 computers.

I’m not saying m$ is the one behind the problems, but you have to wonder why only ‘certain’ os and configurations are being nailed by these vulnerabilities.

Reply | Quote

MMM, is it the actual video driver its self or the bloat that Nvidia ship with it, like the utility to stream content that uses the internet, or it’s update checking service,? If like me you only have the video and audio drivers installed then how can it be exploited?

Reply | Quote

It’s the video driver itself. The NVIDIA Security Bulletin refers to “the kernel mode layer (nvlddmkm.sys) handler”. You can check for the file in C:\\Windows\System32\Drivers.

1 user thanked author for this post.

Schnarph

Reply | Quote

One of my computers is using an older 9400GT card. The latest driver for that card is 342.01, released 12/14/2016. Am I supposed to uninstall the drivers and buy a new card just to plug a vulnerability? If so, shame on NVIDIA for not releasing new drivers for old cards.

 

Reply | Quote

Well how old is your card?

Reply | Quote

It is not “EOL” yet. The 9400GT is older than Windows 10, yet NVIDIA does have Windows 10 drivers for it. The problem is that the latest drivers for older cards are from December of 2016, and NVIDIA is saying that the only safe driver version is the most recent 382.05.

Looking through the geforce drivers at https://www.nvidia.com/Download/index.aspx?lang=en-us anything lower than the 400 series is stuck with driver 342.01. Retailers are still selling many of these cards.

Reply | Quote

In security vulnerability cases like this, nvidia tends to release an updated driver for those legacy cards as well. at least it’s happened before a few times, so we can hope it will happen now too.

Reply | Quote

The 9400GT is not considered a “legacy” card according to NVIDIA drivers, neither is the 240 GT I have in another machine stuck with old drivers. I do hope NVIDIA will release a fix/updated driver for these cards and I’m sure many others will as well. Many of these old cards might be nearly worthless for gaming, but they have ports not available on many motherboards, use little power, and free the built in GPU from the CPU.

NVIDIA has two options, either update the drivers for older non-legacy cards or add them to their legacy list and warn users that the older cards are not supported and thus the drivers are a vulnerability regardless of MS OS version.

Reply | Quote

If it’s not supported by current drivers, then it’s legacy.

Also here’s a list of GPUs in legacy status:
http://nvidia.custhelp.com/app/answers/detail/a_id/3473

1 user thanked author for this post.

Schnarph

Reply | Quote

I stand corrected, thank you. My mistake was following the link on the ‘Download Drivers’ page http://www.nvidia.com/Download/LegacyLinks.aspx?Lang=en-us . Usually, I download drivers on the Download Drivers page. I didn’t think I would need to look under Customer Help. Thanks for clearing that up.

IMO, the pages http://nvidia.custhelp.com/app/answers/detail/a_id/3473 and especially http://www.nvidia.com/object/product-security.html are tucked away where the average user won’t notice them. Why would one even click the link at the bottom of the support page labeled Corporate Security to find the information that started this thread?

Reply | Quote

Yes.  I’m worried about this too.

https://nvidia.custhelp.com/app/answers/detail/a_id/3473/~/eol-windows-driver-support-for-legacy-products

I swapped in Quadro 600s for NVS 300s on a couple of critical machines and
updated the drivers to 377.35. But what do to with the dozens of others?

Cheers.

Reply | Quote

? says:

i’m running GeForce 6200’s on olden time Dell Dimensions circa 2002  and 2004 (AGP). I added them so I could run win7. Don’t laugh they run faster than i can type! (hyper threaded 3.06 the 533 buss on the 865G board, and 2.8ed the 845).

I just looked at Nvidia drivers and the last win 7 is 309.08 WHQL 02/24/2015 and the XP is 307.83 WHQL 02/26/2013. So, what’s a brother to do?

Reply | Quote

Woody, when you write “GeForce drivers should be at 10.18.13.8205 or later.”, it might be necessary to explain how to decode NVIDIA’s non-intuitive versioning. In this case, it’s the last five digits that are important (10.18.13.8205). My driver, for example, is 22.21.13.8205.

The NVIDIA bulletin says “The driver version can be deciphered as shown in the following examples: 10.18.13.6472 is 364.72 and 10.18.13.472 is 304.72”

2 users thanked author for this post.

GoneToPlaid, jelson

Reply | Quote

DavidL wrote:

Woody, when you write “GeForce drivers should be at 10.18.13.8205 or later.”, it might be necessary to explain how to decode NVIDIA’s non-intuitive versioning. In this case, it’s the last five digits that are important (10.18.13.8205). The NVIDIA bulletin says “The driver version can be deciphered as shown in the following examples: 10.18.13.6472 is 364.72 and 10.18.13.472 is 304.72” My driver, for example, is 22.21.13.8205.

Agreed. Woody, I think it is better to just say that you need the 382.05 (the latest version at this point) driver or later to be protected from these vulnerabilities.

But well, it is Nvidia’s turn now?

Personally, I do not update video drivers unless I consider it necessary (e.g. when upgrading to a newer video card) as changing video drivers can cause instabilities and other hard-to-diagnose problems. But with the revealing of these security problems, it seems that I have no choice but to update the video drivers in each of my systems using Nvidia video cards eventually, which will be a big job as I have several systems using Nvidia video cards (750/750Ti/760/960/1060).

Hope for the best. Prepare for the worst.

Reply | Quote

Luckily for you, it is the same driver for all those cards, provided the machines are all running Win7. IIRC, Windows 10 has different drivers.

Reply | Quote

woody wrote:

Just when you thought it couldn’t get any crazier…

I don’t know… how about a keylogger in your audio driver?  https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/

(update available now, see bottom of article)

Reply | Quote

CVE-2017-6250

NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper.exe, where untrusted script execution may lead to violation of application execution policy and local code execution.

 
SO the actual driver isn’t vunerable  it’s the bloat  that you can uninstall or choose not to install

 
https://www.cvedetails.com/vulnerability-list/vendor_id-5264/Nvidia.html

1 user thanked author for this post.

Schnarph

Reply | Quote

I consider the GeForce Experience to be bloat as well, but I know some that like it very much and most users will just install everything. Those that peruse sites like this are the few, most don’t know or even care to know how their machines run.

Edit: I don’t know who said that the “bloat” (GFE) is the problem, but according to NVIDIA it is the driver itself. Those with cards lower than the 400 series are out of luck and stuck with old drivers.

Reply | Quote

I expect that users of older cards (like my laptop’s GT220M) will be provided with a fixed driver soon.  The 340 series drivers (including 342) have been updated several times recently for security issues, with the last in December 2016, or five months ago.  These cards have been in legacy status for some time, but so far the security updates have still been coming.

This is in contrast to how it was with my AMD (ATI, at the time) Mobility HD3650 (about the same age as the GT220M), which had its last driver released in 2013.  That was before Windows 8.1 or 10 were released.

Since they do not offer a downloadable driver for anything later than 8 (not 8.1), AMD suggests allowing Windows Update to install its driver (which means the driver does exist, but for some reason, you can’t get it from AMD… perhaps it isn’t a full-featured Catalyst driver), staying with the last Windows that fully supported the card in question, or buying a new AMD card that has a driver for the Windows version in question.  I’m sure their favorite is the last option, though that’s not really an option for my laptop.  Moving to nVidia was, though, and while I’ve never taken a side in the AMD vs. nVidia war, having owned both, this is something I won’t be forgetting soon.  I keep my hardware as long as it is still useful, and I don’t much appreciate vendors cutting off updates while the item still has useful life in it.

Digression:

Intel, also, is on my list, as it cut off drivers for the 4965AGN MiniPCIE wifi card not only while it still had useful life in it, but before they’d even fixed a long-standing driver bug (presumably; if it was a premature hardware failure issue like the SATA3 ports on the Cougar Point chipset’s first revision, they never said so) that a bunch of users had complained about on their official forum.

Years later, Intel was still selling MiniPCIE AGN wifi cards, so they can’t really say the 4965AGN was obsolete in any sense other than that they wanted to sell something else now.  I migrated to Atheros’ 9382, an AGN card about the same age as the 4965, and it’s still getting updates today.  Performance was identical in my tests (while the Intel was working as it should); I top out at about 25MB/sec sustained actual transfer speed (one way) over 5 GHz.

I did move back to Intel wifi (reluctantly) after I migrated from 7 to 8.1 (7260HMW NB, also an AGN card), only to get their excellent “enterprise” wifi management software (because only enterprise customers would want any information about APs other than signal strength and SSID, of course!), which I didn’t really need with Windows 7, as its networking UI is so much better than 8.1’s.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

Pim

Reply | Quote

CVE-2017-6250 is a separate issue. This is about CVE-2017-0341 thru -0355, which does affect the driver itself.

Reply | Quote

I have been running driver 382.05 since the first day of release with no problems on a 660Ti w/3GB.

That said, I ONLY install using the custom setting and install the video driver and if it is a newer version the PhysX driver. I have never installed or used G-Force experience or any of the other modules like VR or HD sound parts, or stuff for the Shield hand held, as I do not have the hardware that needs them. Besides the G-Force experience contains telemetry.

NVidia drivers have had serious bloat. Driver 275.33 was 137,862KB in size. Version 340.52 had jumped to 280,122KB, and the current 382.05 has jumped to 388.737KB. The later versions do add Vulkan support.

Now, even if you do as I do, the entire file is expanded and loaded into the folder on the HDD, but the functionality is not installed. That way you can add features if you update hardware of desire certain features.

Video drivers are a file I do save on a backup drive. I have all of them from 275.33 to the current one as sometimes a newer driver may not give the same frames per second or may introduce ‘tearing’ and it can be fixed by using an older driver, especially if you are running older games. On my old Dell XPS Pentium 4 WinXP-SP3 offline gaming box the 275.33 is still one of the best ever with the GTX8800 card.

So now, what is missing from the nVidia notice is WHEN the flaw was introduced since the kernel driver ((nvlddmkm.sys) changes in number with each release. However I do not know if there is actually any difference in the driver itself in EVERY release.

Reply | Quote

Thanks!

Downloading latest driver right now.

Mike In Texas

Reply | Quote

I do not know I if got this one right, so please correct me if I’m wrong… In a very simplifyied way, the implication of those vulnerabilities is that the bad driver may lead to the reading of rigged content to execute any code that may lead to escalation of privileges, is this correct?

That would, even if we have not seen yet actual proof of it being actively exploited, be concerning. But I wonder what would happen in a notebook running nVidia Optimus in which most of the content would be read by the onboard VGA, hence ran by the onboard chip drivers, and the discrete VGA would sit “sleeping” until required for more demanding tasks, such as gaming… In a system like this, would some kind of exploit less likely to take place?

Reply | Quote

I personally am not that worried about this if you look back through the list of vulnerabilities in the Nvidia drivers releases, there are many, my driver is over 12mths old o have no need to update it, but i do use a paid for security solution So less likely to be affected by this

Reply | Quote

You raise an interesting point – we know that Nvidia has stated there are no known actual exploits related to this current vulnerability, but do we know if there is any documented evidence of any computer ever having been compromised through its graphics card?

Reply | Quote

Hi Woody,

Could you please explain in detail how to look for this driver? Is this a driver that would automatically be on an “out of the box” laptop using Windows 7? I have only whatever graphics card that came with the computer – nothing special for gaming.

Thx – Gail

Reply | Quote

Control Panel\Device Manager\Display Adapter
This should give you the device name.
Double click on the device – on the “Driver tab” you will find the version and date.

Find the manufacturer, model #, and S/N of your computer. Know which version of Windows and it’s bittedness (32-bit or 64-bit)

Go to the PC manufacturer’s website and see it they offer an update.
Go to the NVIDIA website and see if they have an update.

1 user thanked author for this post.

jburk07

Reply | Quote

The easiest way to determine an nVidia graphics driver is to right click on the desktop. That will launch the nVidia Control Panel (if you have enabled desktop context menus). Otherwise go to Windows Control Panel and launch it. You can enable Desktop Context Menu under Desktop in the menu bar of the nVidia Control Panel.

In the lower left corner of the applet, you will see a hyperlink and button saying ‘System Information’. Launch it, and under Display Tab, the first item will be the driver version. If you select components, you will see the version number of all the files. All the files versions (last 5 digits 3.8205 – see post above for long driver number vs. shorter version number) – except for the PhysX and the nVidia Control Panel files should match the driver number.

Reply | Quote

I updated to 382.05 on my nVidia GTX 950 running on Windows 7-SP1 Pro x64.  Running fine so far, but haven’t tried any 3D game stuff yet.  Just watching recorded shows on my PVR.  This is a home theater PC that I occasionally do some light gaming on.

For the driver install you really can skip the express install which loads the bloat, and use the custom install.  I just select the graphics driver and the PhysX system, and uncheck everything else, such as the GeForce Experience, 3D vision, and HD audio.

Windows 10 Pro 22H2

Reply | Quote

simple question… WHERE in the Device Manager should/would these drivers be listed?  Are these drivers on every PC, or only on some with special graphics cards installed?

I seem to only have Intel HD Graphics Family drivers under Display Adapters.  I also searched my entire C:\ drive for “nvidia” and came up with nothing.

Reply | Quote

There’s advice just above your post on where to find the driver information.

However, it sounds to me like you probably have integrated graphics within the motherboard rather than a separate plug-in graphics card, such that you have Intel drivers rather than either Nvidia or AMD which are the two manufacturers of separate graphics cards (which may then be licenced for supply by sundry other companies under their own brand name whilst retaining the core Nvidia or AMD name).

Reply | Quote

Simple!  Just open Windows Device Manager.  Expand the category “Display adapters”.

You will see a list of all display adapters in your system.  If it says “Intel HD graphics”, or something like that you have nothing to worry about.

Since nVidia graphics (GPU) are a premium option, usually found in performance/enthusiast  level PC systems, you would have paid extra for this feature.  Or in the case of some desktops, you may have spent $$$ for a separate card and plugged it in yourself.

But most off-the-shelf budget PC systems are only equipped with integrated graphics …

Windows 10 Pro 22H2

Reply | Quote

Doh!  didn’t even see that.  thanks.

Follow-up… if one does NOT have NVIDIA card and drivers, doesn’t that mean the computer is not vulnerable to this issue as originally posted?  hence, if it ain’t broke, don’t fix it??

Reply | Quote

If you do not have an NVIDIA card, you should not have NVIDIA drivers.

Reply | Quote

@ anonymous#115791 (Gail?)

To enable various devices on a computer to work, they need to have device adapter cards and the respective device drivers/software, eg for the display/monitor to show images, it requires a display/graphics adapter card and its accompanying display/graphics driver.
There are 3 major suppliers of graphics card, ie Intel, Nvidia and AMD.

The same conditions apply to the other devices, eg speakers/microphones = sound, wifi transceivers, Thernet, keyboards/mouse/touchpads, DVD-drives, hard-drives, CPU, etc.

The computer industry had come together to standardize the coding for drivers and non-drivers for essential devices, ie CPU, RAM (= DDR4), hard-drives, DVD-drives, keyboard & mouse, USB-ports and display, so that most ordinary computers can be up and running/working with an OS.
The computer industry did not standardize the same for non-essential or peripheral devices, ie sound, Wifi, card-readers, external TV, USB 3G/4G Broadband/Cellular dongles, USB graphics tablets, etc. Most ordinary computers can still run without these devices.

Hence, the Win 7 Install media available from M$’s website contain most of the essential device drivers = most ordinary computers will basically work after a clean install. Any missing driver for peripheral devices will usually be auto-installed by Windows Update. If not, the users need to manually install them from the OEM’s website, in order for them to work.

Many Nvidia and AMD graphics or GPU cards are for high performance, eg computer games. They are considered as non-essential or peripheral devices. So, most OS Install media do not contain drivers for high-end Nvidia and AMD graphics/GPU cards. They may contain generic or basic drivers for them, in order for the display to still work in basic mode.
To get the high performance from the Nvidia and AMD graphics/GPU cards, the users have to manually install the specific drivers from the OEMs’ website.

2 users thanked author for this post.

Cesar, jburk07

Reply | Quote

I do not recommend installing GeForce Experience since it creates a new user account with full administrator rights on your computer. Its purpose is to allow users who are not logged in with full administrator privileges to be able to easily update their NVIDIA drivers. NVIDIA claims that they had this update method reviewed by an independent security firm which concluded that this update method is safe.

Reply | Quote

That is a fantastically stupid configuration! According to a blogger, he quoted Intel as having their Management Engine Technology security reviewed the same way from three of those companies.

Reply | Quote

GoneToPlaid wrote:

NVIDIA claims that they had this update method reviewed by an independent security firm which concluded that this update method is safe.

I wonder what the name of that “independent security firm” is? To say that such a method has been reviewed and determined to be “safe” reveals a huge amount of incompetence or dishonesty (or both).

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

nvidia adds telemetry to Latest Drivers. Here is how to remove it. https://www.reddit.com/r/nvidia/comments/647nbe/new_38165_driver_moves_telemetry_data_collection/#bottom-comments

1 user thanked author for this post.

Cesar

Reply | Quote

letting people know custom install also install’s bloat ware. the only way not to install all the bloat is to extract all the files delete everything but whats in this image https://i.imgur.com/G7m22gt.png

1 user thanked author for this post.

Cesar

Reply | Quote

Sadly Woody I seem to be in a terrible minority.

The 382.05 and 382.19 driver breaks the Nvidia Control Panel and for my laptop, it is vital for me to access it. Other reports have surfaced also, but between the latest secure driver which is non functional on my end and the older less secure fully functional driver I had the choose the 2nd option.

For now. Have submitted them the bug-report which will hopefully aid them in pinpointing the problem and fix it.

Reply | Quote

Before updating any video driver it’s important to remove the old one(s) to avoid conflicts. For this task, I use an unofficial uninstaller, D.D.U. (Display Driver Uninstaller), which can be downloaded here:

http://www.wagnardsoft.com/

https://www.guru3d.com/files-details/display-driver-uninstaller-download.html

To use it, disconnect your device from the internet, reboot in Safe Mode and run the EXE file. As I’ve already said, it’s an unofficial software, so use it at your own risk. I run it every time I have to update my video card driver (an nVidia GeForce GTX 460) and I’ve had no issues so far. Maybe it can be of help for someone else.

César

Reply | Quote

Nvidia UDA (Universal Driver Architecture)
https://www.nvidia.com/object/feature_uda.html
Supposed to fix all this nonsense about updating drivers (legacy/current models?)
Problem: If using older graphics cards (including some that are being retailed today) (e.g. 8400GS, 210), there are no updated drivers for these, rendering the current value at about $10 per ton.
Bigger Problem: Older Quadro Graphics cards (these were expensive when new) – According to Nvidia yesterday; “The Quadro FX4800 was released in 2008 and is a very old card.” “Since this has been EOLed, there will not be any more software fixes for it.” (last was Dec 2016). This is a driver problem not a hardware problem (as far as I know)!
We have 5 CAD workstations here with those cards, two of which are SLI. These workstations function perfectly and now, through bad graphics drivers, are rendered to that $10 per ton scenario.
Cost to repair (Used parts only = approx $2800 (this to return them to the same functionality as they are now.
Able to purchase relatively inexpensive cards for the NAS’s (that’s where I saw shelves full of the earlier graphics cards (new)) that the 8205 drivers are not available for.
Cost to repair (Used parts only = approx $2800.
I don’t ever remember building drivers for these cards, I just installed ’em. Amazing how this happened all at once and with that many security problems???
jrt

Edit to remove HTML
Please convert to text (.txt) before posting

Reply | Quote

Ujujuj…I’m using a GTX970m on Windows 8.1 64-bit on a ASUS RoG G751JT, current driver I have is 375.70, what to do?

Reply | Quote

Check with ASUS for updated graphics for your notebook first, then check the full specs; if any notebook/portable uses dual GPU switching, Intel for 2D, Nvidia/ATI for 3D, the default Nvidia/ATI drivers will likely break one or the other. If your notebook has only Nvidia(/ATI) graphics, you can use the default Nvidia notebook/portable drivers.

I suspect that the vulnerability might be in the non-driver applications in the driver package, for best privacy/lowest resource usage/smallest attack surface, always try to install the minimum necessary for the functions you require.

Reply | Quote

https://forums.geforce.com/default/topic/1007101/geforce-drivers/official-382-05-game-ready-whql-display-driver-feedback-thread-released-5-4-17-/25/

Haven’t gotten many answers from here yet, and the ASUS website is down for maintenance atm, I’ve been told though not to update if everything runs fine (which from experience is sound advice), but I’m not sure what to make of that considering the issue at hand.

I’ve also been told that these kernel issues where actually introduced in a driver higher than what I have, but looking at some of the related Security Bulletins, this kernel thingy seems to have been a problem for some time already (including my current driver version), so I’m doubtful of that.

I’ve seen people say that especially with ASUS computers, one should not really use drivers for “third party” software, but almost always only use the ones listed for the relevant model of computer at their website (because different manufacturers could have different thermal limits or voltages and whatnot…or something).

(I have a paid/professional security solution for my computer, just for the record)

Also, Post #115664 would seem to suggest that this issue might be overblown, an opinion that I (after some very shallow research) am inclined to agree with.

 

Unless there are newer drivers available for my specific computer model at the ASUS website (when it finally comes alive again), maybe it would be best to not update right now, no?

 

 

Reply | Quote

I suggest that you first uninstall via the Nvidia Control Panel or Programs all the Nvidia dross that is of no use to you, installing drivers only + PhysX is all you’re likely to need on your notebook. If you can reduce the running Nvidia software to ~1x Service and 2x Processes, you’ll have reduced the attack surface and freed up some System resources.

When ASUS’ site’s back up, check what they have to offer and check their support forum for related topics.

Generally, most exploits affecting the Windows graphics subsystem are via vulnerable versions of software such as Adobe’s Flash Player, their PDF Reader, Java, etc. Reduce your 3rd party software to those you use regularly, Java is rarely used now so uninstall it (if you do use it, keep the plugin out of your main browser, don’t install it in IE/Edge), Flash can mostly be avoided by opting to use HTML5 – set Flash (and Java, if you must use it) to click to play. Get into the habit of checking your software for updates frequently.

Reply | Quote

@satrow:

“I suspect that the vulnerability might be in the non-driver applications in the driver package…”

No. The vulnerabilities are in nvlddmkm.sys, the kernel-mode layer handler, in the display driver itself, not the helper applications.

Reply | Quote

I don’t believe everything I read, I question it.

I’ve already updated my drivers, the extras still have no place on my PC.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Amen, satrow.

Are you like me, where even one extra process running bothers you big time, until you finally find the way to eliminate it?

Does your Autoruns panel have more unchecked boxes than checked?

-Noel

1 user thanked author for this post.

satrow

Reply | Quote

My machine sees a lot of beta software and I also like to checkout various alt. software from time to time so it’s almost always in a state of flux, the base install is pretty clean though. But yes, definitely more unchecked than the devs would like

On the Nvidia subject, I find it quite interesting that a 400MB download package that extracts to 1GB and installs 1.4GB of files yet only a single 14MB file is claimed to be vulnerable.

Reply | Quote

@satrow:
“I don’t believe everything I read, I question it.”

A good attitude to have. But you said you “suspect that the vulnerability might be in the non-driver applications in the driver package.” nVidia claims otherwise. If you have some reason to think that nVidia is lying, present your case. I too question what I read, but I doubt that nVidia is going to claim multiple kernel-mode vulnerabilities in its drivers if they don’t exist. Doesn’t exactly make the company look very good.

As for the helper applications, I don’t install them either.

Reply | Quote

nVidia vulnerabilities were reported by NCAS – link to search on their site.

The weekly vulnerability lists have seen nVidia mentioned recently, but mainly for Google Android issues.

1 user thanked author for this post.

satrow

Reply | Quote

For what it’s worth, a data point:

4 days ago on my Win 8.1 system I installed one of the nVidia 377.35 drivers touted to patch the vulnerabilities and it has run flawlessly since.

-Noel

Reply | Quote

“http://nvidia.custhelp.com/app/answers/detail/a_id/4462”

This would imply that 377.35 might not be enough though.

Edited for content

Reply | Quote

How does it imply 377.35 might be insufficient? It’s listed as “1st version that includes the fix” in the R375 branch from what I can see. I have no need for the latest features, just stability.

In any case, I’m still having no problems with 377.35.

-Noel

Reply | Quote

Windows Product Product Series OS Driver Branch 1st version that includes the fix GeForce All Windows R381 382.05 Quadro, NVS All Windows R381 382.05 R375 377.35 Tesla All Windows R375 377.35

Depends on the product one uses I guess.

Edit HTML to text
Please convert HTML to text (.txt) before posting

Reply | Quote

382.33 was released on May 22, 2017.

http://us.download.nvidia.com/Windows/382.33/382.33-win10-win8-win7-desktop-release-notes.pdf

Windows 10 Pro 22H2

Reply | Quote

Looks like there’s a new round of kernel vulnerabilities that have been fixed in newer drivers. Not sure if it’s worth a new blog post or not, but now it seems like you need to be on 384.94 or newer for GeForce products instead of 382.05.

https://nvidia.custhelp.com/app/answers/detail/a_id/4525

Reply | Quote

The vulnerability was mentioned in the last NCAS Weekly Vulnerability Summary (see post #128047 for details); at that stage, the vulnerability severity had not yet been assigned.

Your link contains details of the driver updates. Thks.

Reply | Quote

I just got a Nvidia  update  today.

Reply | Quote