A new nVIDIA display driver has been released which fixes the exploit reported last week. The driver was vulnerable to a buffer overflow that allowed an attacker to run arbitrary code as root. This bug could be exploited both locally as well as remotely (via a remote X client or an X client which visits a malicious web page).
Post a Comment
Member since:
2005-12-02
Fans: 0
Member since:2005-07-24
Fans: 35
Member since:2005-07-07
Fans: 0
Driver fixed in a week, and in fact the beta of it with the exploit patched was there before the announcement of the vulnerability. Not bad for closed source eh?
Really?
From kerneltrap
"the link in the advisory is the earliest thread in which we could find an NVIDIA employee publicly acknowledging the bug, although it was reported back in 2004 and has probably existed even longer."
Meaning, there's no bug if they don't aknowledge it. And working exploit existed too. Just close your eyes.
Pisspoor job if you ask me.
Member since:2005-12-02
Fans: 0
"Really?
From kerneltrap
"the link in the advisory is the earliest thread in which we could find an NVIDIA employee publicly acknowledging the bug, although it was reported back in 2004 and has probably existed even longer.""
Actually the original bug was with XFree86/XOrg back then if you read up on it. The same situation was reported with non Nvidia cards as well.
Member since:
2006-01-11
Fans: 0
Nvidia was first alerted to this problem in 2004, and publicly acknowledged that it existed in July. Last week someone published an exploit that anyone could run, probably as a way to force nVidia to finally deal with the problem. See http://download2.rapid7.com/r7-0025/
This is not a prompt response. Often a closed source vendor denies the severity of a problem until a full exploit is published, and this head-in-the-sand attitude hurts everyone.
Member since:2006-02-05
Fans: 0
maybe you should also take a look here:
http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/std_adp.p...
Member since:2005-07-24
Fans: 35
"""Nvidia was first alerted to this problem in 2004"""
That turned out not to be true.
http://lists.freedesktop.org/archives/xorg/2006-October/018943.html
Edited 2006-10-23 23:22
Member since:
2006-08-18
Fans: 2
Member since:
2006-07-17
Fans: 0
People will forget that this bug is not associated with the one from 2004 and some will continue to argue, months from now, that nvidia had an unsafe driver for 2 years with awareness of the security problem.
From nvidia answers:
"NVIDIA can confirm that this bug is only present in the NVIDIA UNIX Graphics drivers 1.0-8762 and 1.0-8774, and is fixed starting with 1.0-8776. Also, this bug is not present in driver versions older than 1.0-8762. For example, versions 1.0-8178 or 1.0-7184 are not affected by this bug.
There is some confusion between this NVIDIA driver bug and a previously fixed core XFree86/X.Org server bug. This confusion mistakenly led the security advisory to the conclusion that the NVIDIA driver bug was reported and known as early as 2004."
