It’s a nasty thing: Nvidia ships a Node.js server as part of its driver update function, and this Node.js server can be used to inject and execute malware on Windows systems.
Nvidia keeps extending its driver updater with new features. It runs under a separate Windows user account, and an Nvidia user account is now mandatory to receive some drivers.
Security experts from Sec Consult found that the Nvidia driver updater ships a Node.js server: it is the Web Helper Service (see screenshot above), a Node.js binary that has simply been renamed. On Windows the graphics driver is updated through this Node.js server; the process is whitelisted and signed to ensure that only legitimate drivers get installed.
Unfortunately the Node.js server can be started interactively and used to execute other commands. Through it, the Windows API can also be reached and the whitelisting disabled. This allows malware to be injected as a Node.js module and executed with the driver updater’s privileges. Sec Consult’s security experts recommend removing the Node.js server (if possible). More details can be read at the Sec Consult blog.
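For administrators who want to spot the misuse described above on their own machines, here is an added hunting example (not code from the original post or from Sec Consult) that labels process-creation records in which the renamed Node.js runtime is driven interactively, loads a module from outside the vendor directory, or spawns a shell. The binary name, install directory and the sample Sysmon-style records are constructed assumptions, not values from the post.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumptions (not from the original post): where the renamed Node.js binary
# lives and what it is called. Adjust to what the installer places on disk.
NVIDIA_DIR = PureWindowsPath(r"C:\Program Files (x86)\NVIDIA Corporation")
NODE_RUNTIME = "nvidia web helper.exe"
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Real Node.js switches that make the runtime evaluate arbitrary input
# instead of the vendor's own scripts.
EVAL_FLAGS = {"-e", "--eval", "-p", "--print", "-i", "--interactive"}

def _under(path: str, root: PureWindowsPath) -> bool:
    """True if path is inside root; relative paths count as outside."""
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False

def _argv(cmdline: str) -> list:
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(event: dict) -> Optional[str]:
    """Label one process-creation record, or None if nothing stands out."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent == NODE_RUNTIME and image in SHELLS:
        return "node-runtime-spawned-shell"
    if image == NODE_RUNTIME:
        argv = _argv(event["CommandLine"])[1:]
        if any(a in EVAL_FLAGS for a in argv):
            return "node-runtime-eval-or-interactive"
        for a in argv:  # module path handed to node from outside the vendor dir
            if a.lower().endswith(".js") and not _under(a, NVIDIA_DIR):
                return "node-runtime-foreign-module"
    return None

def scan(events: list) -> list:
    """Return (index, label) for every record that gets a finding."""
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := classify(ev))]

# Constructed sample records in Sysmon Event ID 1 style; not real telemetry.
_RT = r"C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Web Helper.exe"
SAMPLE_EVENTS = [
    {"Image": _RT, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": f'"{_RT}" "C:\\Program Files (x86)\\NVIDIA Corporation\\main.js"'},
    {"Image": _RT, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": f'"{_RT}" "C:\\Users\\Public\\update.js"'},
    {"Image": _RT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{_RT}" -e "console.log(1)"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _RT,
     "CommandLine": "cmd.exe /c whoami"},
]
```

Feed real Sysmon or EDR process-creation events with the same three fields to `scan()`; the first sample record (vendor script from the vendor directory) is the expected benign baseline.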