NVIDIA GeForce Experience
Nvidia Warns Gamers of Severe GeForce Experience Flaws
A high-severity bug in Nvidia GeForce Experience for Windows prior to version 3.20.5.70 could lead to code execution, denial of service, and other issues.
NVIDIA GeForce Experience - Nvidia, a manufacturer of graphics processing units (GPUs) for gaming, has released patches for two critical bugs in its GeForce Experience programme for Windows.
GeForce Experience is a software add-on for GeForce GTX graphics cards that holds drivers up to date, optimizes game settings automatically, and more. NVIDIA GeForce products, Nvidia's brand of GPUs, come with GeForce Experience pre-installed.
The more critical of the two vulnerabilities (CVE-2020-5977) will lead to code execution, denial of service, privilege escalation, and information disclosure on affected systems. It earns an 8.2 out of 10 on the CVSS scale, suggesting that it is of high intensity.
According to a security advisory released by the graphics giant on Thursday, users can "download the updates from the GeForce Experience Downloads page or open the client to automatically apply the security update."
The Nvidia Web Helper NodeJS Web Server is to blame for the problem. Node.js starts automatically when users install GeForce Experience and links to Nvidia's webserver. The issue is that a node module is being loaded using an unregulated search route. When an application uses fixed search paths to find resources, but one or more of the paths is controlled by a malicious user, this occurs. Attackers can use techniques like DLL preloading, binary planting, and unstable library loading to exploit this vulnerability.
Despite the fact that Nvidia provided no additional details about this bug, it did say that attackers might use it to execute code, launch a DoS assault, escalate privileges, or display sensitive data. The mistake was discovered by Decathlon's Xavier DANEST.
Nvidia also patched a high-severity bug in GeForce Experience's Shadow Play function (CVE20205990) on Thursday, which could lead to local privilege escalation, code execution, DoS, or knowledge disclosure. Hashim Jawad of ACTIVELabs was credited with discovering the mistake.
Nvidia GeForce Experience for Windows versions prior to 3.20.5.70 was affected; users could update as soon as possible to version 3.20.5.70.
Nvidia has previously released security advisories for its GeForce brand, including one in 2019 about GeForce Experience that could lead to code execution or product denial of service if exploited.
In June, Nvidia fixed two high-severity bugs in its Windows and Linux drivers, impacting users of Nvidia's GeForce, Quadro, and Tesla products. Nvidia released display drivers for GeForce (as well as Quadro and Tesla-branded) GPUs for Windows in March, along with fixes for high-severity bugs in its graphics driver that could be used by a local attacker to launch DoS or code-execution attacks.














