Nvidia driver enables malware injection

It's a nasty thing: Nvidia ships a Node.js server with its driver update function. But this Node.js server may be used to inject and execute malware on Windows systems.


Nvidia tries to expand its driver updater with many new features. We have a separate user account under Windows and it's mandatory to have a Nvidia user account to receive some drivers. 


Security experts from Sec Consult found out, that Nvidia driver updater comes with a Node.js server. It's the Web Helper Services (see screenshot above), that simply has been renamed. In Windows the graphics driver will be updated via node.js server – the process may be whitelisted and signed, to assure, that only legal drivers are updated.

Unfortunately the Node.js-Server may be started interactively, and may be used to executed other command. Using this, it's possible to access also the Windows-API and disables whitelisting. This enables malware to be injected as a Node.js module and may be executed with driver updater privileges. Sec Consult's security experts recommends, to remove the Node.js server (if possible). More details may be read here at Sec Consult blog.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

One Response to Nvidia driver enables malware injection

  1. Alan Welsh says:

    I've also seen a decrease in GPU performance from a raw score of 188 down to 160, or about 15% decrease. End this NODE.JS process, and performance returns to normal.

Leave a Reply

Your email address will not be published. Required fields are marked *