NVIDIA node.js could allow attackers to bypass Windows security whitelisting

Posted on Tuesday, April 25 2017 @ 17:02 CEST by Thomas De Maesschalck
Security researcher René Freingruber discovered that malware creators could abuse the node.js server of the Web Helper Service that gets installed by NVIDIA's GeForce drivers to bypass the Windows application whitelisting security feature.

Attackers could use the NVIDIA Web Helper Service as a vector to directly interact with Windows APIs or to load executable code into the node.js process to run malicious code:
From an attacker's perspective, this opens two possibilities. Either use node.js to directly interact with the Windows API (e.g. to disable application whitelisting or reflectively load an executable into the node.js process to run the malicious binary on behalf of the signed process) or to write the complete malware with node.js. Both options have the advantage that the running process is signed and therefore bypasses anti-virus systems (reputation-based algorithms) per default.
A bit more information about how this works can be read at GHack, which also explains how you can resolve the issue. Since the Web Helper Service is a non-essential part of the GeForce software, you can safely disable it until a more permanent fix arrives.
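The workaround described above, disabling the service until NVIDIA ships a fix, can be done from an elevated PowerShell prompt. The following is an added example, not code from the article or from NVIDIA; the display-name wildcard pattern is an assumption, so confirm the exact service name on your own system with Get-Service before relying on it.

```powershell
# Added example (not from the article): locate the NVIDIA Web Helper Service by
# display name, stop it if running, and set it to Disabled so it does not return
# after reboot. The pattern below is an assumption; adjust it to the name shown
# by Get-Service on your machine.
$pattern = '*NVIDIA*Web Helper*'

$services = Get-Service | Where-Object { $_.DisplayName -like $pattern }

if (-not $services) {
    Write-Host "No service matching '$pattern' found; nothing to do."
} else {
    foreach ($svc in $services) {
        Write-Host ("Found '{0}' (service name {1}), status {2}" -f $svc.DisplayName, $svc.Name, $svc.Status)

        # Stop the service if it is currently running
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $svc.Name -Force
        }

        # Prevent it from starting again automatically
        Set-Service -Name $svc.Name -StartupType Disabled
    }

    # Verify the result: expect Status Stopped and StartType Disabled
    Get-Service | Where-Object { $_.DisplayName -like $pattern } |
        Select-Object Name, DisplayName, Status, StartType
}
```

Run this as Administrator, since stopping and reconfiguring services requires elevation. Once NVIDIA publishes a fixed driver, the service can be re-enabled with Set-Service -StartupType Automatic (or whatever startup type it had before) and started again with Start-Service.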

In a statement on its website, NVIDIA says it's investigating its software to determine the extent of the vulnerability.
