NVIDIA node.js could allow attackers to bypass Windows security whitelisting

Posted on Tuesday, Apr 25 2017 @ 17:02 CEST by Thomas De Maesschalck
Security researcher René Freingruber discovered that malware creators could abuse the node.js server of the Web Helper Service that gets installed by NVIDIA's GeForce drivers to bypass the Windows application whitelisting security feature.

Attackers could use the NVIDIA Web Helper Service as a vector to directly interact with Windows APIs or to load executable code into the node.js process to run malicious code:
From an attacker's perspective, this opens two possibilities: either use node.js to directly interact with the Windows API (e.g. to disable application whitelisting or reflectively load an executable into the node.js process to run the malicious binary on behalf of the signed process), or write the complete malware in node.js. Both options have the advantage that the running process is signed and therefore bypasses anti-virus systems (reputation-based algorithms) by default.
A bit more information about how this works can be read at GHack, which also explains how to resolve the issue. Since the Web Helper Service is a non-essential part of the GeForce software, you can safely disable it until a more permanent fix arrives.
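The abuse described above boils down to a vendor-signed node.js interpreter being handed a script or inline code it was never meant to run. The following detection sketch is an added example, not code from the article, GHack or NVIDIA; it runs over constructed process-creation events and flags a watched, vendor-signed interpreter that executes a script outside its install directory, that uses node's inline-eval flags, or that has itself been copied elsewhere. The install directory and binary name are placeholders because the article does not give them.

```python
import shlex
from pathlib import PureWindowsPath

# Placeholders: the real install directory and binary name are not given in the article.
TRUSTED_DIR = PureWindowsPath(r"C:\Program Files\NVIDIA Corporation\WEBHELPER_DIR_PLACEHOLDER")
WATCHED_IMAGES = {"node.exe", "webhelper_exe_placeholder.exe"}
VENDOR_SIGNER = "NVIDIA Corporation"
# Real node.js flags that execute code given on the command line instead of a script file.
INLINE_EVAL_FLAGS = {"-e", "--eval", "-p", "--print"}

# Constructed process-creation events (not real telemetry): image path, signer, command line.
SAMPLE_EVENTS = [
    {"image": str(TRUSTED_DIR / "node.exe"), "signer": VENDOR_SIGNER,
     "cmdline": f'"{TRUSTED_DIR / "node.exe"}" "{TRUSTED_DIR / "index.js"}"'},
    {"image": str(TRUSTED_DIR / "node.exe"), "signer": VENDOR_SIGNER,
     "cmdline": f'"{TRUSTED_DIR / "node.exe"}" C:\\Users\\Public\\update.js'},
    {"image": str(TRUSTED_DIR / "node.exe"), "signer": VENDOR_SIGNER,
     "cmdline": f'"{TRUSTED_DIR / "node.exe"}" -e "process.exit(0)"'},
    {"image": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def parse_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def under_trusted_dir(path: str) -> bool:
    """Case-insensitive check that path lives below the vendor install directory."""
    return TRUSTED_DIR in PureWindowsPath(path).parents


def analyze_event(event: dict) -> list[str]:
    """Return reasons this event looks like signed-interpreter abuse; [] if unremarkable."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() not in WATCHED_IMAGES or event["signer"] != VENDOR_SIGNER:
        return []
    reasons = []
    if not under_trusted_dir(event["image"]):
        reasons.append("image_outside_install_dir")  # signed binary copied elsewhere
    for arg in parse_cmdline(event["cmdline"])[1:]:
        if arg in INLINE_EVAL_FLAGS or arg.startswith(("--eval=", "--print=")):
            reasons.append("inline_eval_flag")
            break
        if not arg.startswith("-"):  # first positional argument is the script file
            if not under_trusted_dir(arg):
                reasons.append("script_outside_install_dir")
            break
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run analyze_event over a batch and keep only the events with findings."""
    return [(i, r) for i, e in enumerate(events) if (r := analyze_event(e))]
```

Signer and image fields would normally come from EDR or Sysmon process-creation telemetry; the script-path check is the one that matters most, since a signed interpreter's legitimate scripts should only ever live in its own install directory.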

In a statement on its website, NVIDIA says it's investigating its software to determine the extent of the vulnerability.
