When the service software is installed, a NodeJS-based web server is launched on the user’s computer and is responsible for communicating with the manufacturer’s infrastructure. It automatically loads the libraries it requires. In one case, the location from which such a component is loaded is under the control of a potential attacker, who can replace it with malicious code. The vulnerability, CVE-2020-5977, scored 8.2 on the CVSS scale and can lead both to denial of service and to arbitrary code execution with elevated privileges.
The second vulnerability, CVE-2020-5990, is in the NVIDIA ShadowPlay component for capturing and streaming game video and may likewise lead to local privilege escalation and arbitrary code execution. The GeForce Experience update can be downloaded from the company’s website, or users can wait for the new version to be downloaded automatically.
A similar problem was fixed in GeForce Experience last year. Back then, a researcher also found a way to replace one of the system files that the utility accesses.
Such software is periodically used for mass or targeted attacks. Vulnerabilities in the programs themselves can be exploited, and in rare cases the entire chain of software delivery to the user comes under attack. The best-known example is the ShadowHammer campaign, during which a modified utility for ASUS computers was distributed from compromised servers for some time.
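The root cause above is a privileged loader picking up a library from a directory that an unprivileged local user can write to. As an added illustration (example code, not from NVIDIA or the article), the audit below walks a module directory and all of its parents and reports every directory a non-trusted user could tamper with; it uses POSIX permission bits, the directory layout in `demo()` is constructed, and the Windows equivalent would inspect each directory’s DACL instead.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_by_untrusted(path: Path, trusted_uids) -> bool:
    """True if a user outside trusted_uids could create, replace or rename
    files in this directory, which is all a library substitution needs."""
    st = path.stat()
    if st.st_uid not in trusted_uids:
        return True  # the owner can always change the directory's contents
    # Group- or world-writable bits allow planting a file. The sticky bit
    # (as on /tmp) only stops removing other users' files; creating a module
    # the loader is still searching for remains possible, so it is not excused.
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_load_path(load_dir, trusted_uids=frozenset({0})):
    """Walk from load_dir up to the filesystem root and return every existing
    directory a local user could tamper with. An empty list means a privileged
    loader resolving modules from load_dir is not exposed to substitution."""
    p = Path(load_dir).resolve()
    return [str(d) for d in (p, *p.parents)
            if d.is_dir() and writable_by_untrusted(d, trusted_uids)]


def demo():
    """Constructed layout: a correctly locked-down directory containing a
    world-writable module directory, audited with the current user trusted."""
    root = Path(tempfile.mkdtemp()).resolve()
    locked = root / "service"
    locked.mkdir()
    os.chmod(locked, 0o755)
    loose = locked / "node_modules"
    loose.mkdir()
    os.chmod(loose, 0o777)
    findings = audit_load_path(loose, trusted_uids=frozenset({os.getuid()}))
    return {"loose_flagged": str(loose) in findings,
            "locked_flagged": str(locked) in findings,
            "findings": findings}


if __name__ == "__main__":
    for d in demo()["findings"]:
        print("tamperable:", d)
```

The parents of the temporary directory (for example a world-writable `/tmp`) are reported as well, which is intended: a privileged loader should resolve modules only from a path whose every component is owned and writable by administrators alone.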
What else happened:
Analysts from Nokia shared a report on the detection of malware in computer networks that use the company’s protection tools. The experts noted a significant increase in the number of infected IoT devices: their share among all compromised devices reached 32.72% (a year earlier, 16.17%). Malware is most often caught on Windows systems. IoT devices are in second place, having pushed Android-based smartphones and gadgets down to third.
The Linux kernel 5.10 release removed the set_fs() function, which controlled the range of memory addresses the kernel was permitted to read from and write to. According to some sources, it had been present in the kernel since version 0.10 in 1991, when it was introduced to support systems based on 80386 processors, which were already outdated at the time. In 2010 it was revealed that the function could be used to overwrite data that the user should not normally have access to. A similar bug in Android-based LG smartphones was discovered in 2016.
A bug that allowed the contents of the address bar to be spoofed was fixed in Yandex Browser, as well as in Opera and Safari. Meanwhile, an error was found in Google Chrome that prevents the deletion of user data for Google’s own services (for example, YouTube), even when no exception has been set for them. In theory, this makes it possible to identify a user who does not want to be recognised and has deleted all previously stored information. Google admitted the mistake and promised to fix it.
Check Point Research confirmed that phishing emails most often exploit Microsoft services: in 19% of cases, phishing operators fake messages to look like correspondence from this company. Second and third place go to phishing on behalf of DHL and Google, with 9% each.