14 DAY TRIAL // The control panel that comes with Nvidia GPU drivers is affected by a security bug that allows attackers to launch malicious applications with escalated system-level privileges.
The security flaw is not in the GPU driver, but in the control panel, and more specifically, in the Smart Maximize Helper, a feature that enhances fullscreen support on Windows operating systems with multi-screen setups.
According to Julien Sambourg of TousLesDrivers, a basic programming error, a missing double quotation marks, is to blame, which makes it possible for attackers to attach malicious instructions via the Smart Maximize Helper feature.
Because the Smart Maximize Helper executable takes various parameters when it moves applications into fullscreen mode, hackers can attach malicious code to the nvSmartMaxapp.exe and the nvSmartMaxapp64.exe files, and have the code execute with system-level privileges.
No details have yet been released on this vulnerability (CVE-2015-7866), but Mr. Sambourg says that Nvidia's line of GeForce and Quadro GPUs are affected.
Nvidia released GeForce driver versions 341.92, 354.35 and 358.87 for its R340, R352, and R358 lines two weeks ago, aimed at fixing this issue. The company also stated that it did not detect any attacks using this vulnerability.
Just after it released the fixes above, Nvidia also solved another issue (CVE-2015-5053) in its Linux line of graphics drivers for the GeForce, Quadro, Tesla, and Tegra families. These problems lead to a DoS state and a similar privilege escalation issue that allowed attackers to extract data from affected devices.