Terminal velocity

Gamers and streamers who lean on Nvidia tech for their setups have been urged to update to the latest version of GeForce Experience, which includes fixes for two midweight security vulnerabilities.

In a recent security advisory, California-based Nvidia said v3.19 of GeForce Experience addresses vulnerabilities that could lead to information disclosure, privilege escalation, denial of service, or code execution.

GeForce Experience is companion software for GeForce graphics cards, keeping drivers up to date and optimizing users’ gaming and livestream settings.

First up, CVE-2019-5676 is a DLL preloading vulnerability that could allow an attacker with local access to gain administrative privileges.

The more serious CVE‑2019‑5678 relates to a vulnerability in the software’s Web Helper component, which could result in denial of service, information disclosure, or code execution.

This second flaw was discovered by researchers at Rhino Security Labs, who provided technical analysis of the vulnerability in a blog post over the weekend.

According to the firm, the exploit can be achieved by convincing a victim to visit a malicious site and make a few key presses.

“Although this does require some user interaction, it is minimal enough that tricking a user into performing the actions which are required to achieve this would be trivial,” said Rhino Security’s David Yesland.

“The real issue here seems to be that the API allows Cross Origin Resource Sharing from any Origin, which means it is possible to perform an XHR request to any of the endpoints through the browser if the secret token were obtained through any method.”

RELATED Zero-day in EA’s Origin exposes gamers to yet more RCE pwnage