digg

Facebook Connect Join Digg About

NVIDIA Binary Graphics Driver Exploit

kerneltrap.org A recent security advisory announced today by Rapid7 explains, "the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely."

Who dugg this? Made popular Oct 17, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

47 Comments

show profanity settings
expand all
  • shrewduser, on 10/12/2007, -2/+28unfortunately the alternative for most users is unacceptable...

    ie. a driver thats slow, can't get an fps above 15 in even old games, and is basically horrid...

    i'd be happy if everyone open sourced their drivers too, but we can't rely on that eventuating.... people have a right to choose, and while i don't understand what "speaking out" against binary drivers means exactly, you shouldn't condemn people for making a decision.
  • Mejogid, on 10/12/2007, -0/+23The real issue with this is that distros mandated to provide security updates for old or ageing releases will be unable to make a minor patch themselves, and will have to update to the latest nVidia graphics driver. This in itself brings in a significant chance of new bugs and incompatability.

    This is a really tricky situation - on the one hand, we have the open source community who would benefit hugely from FOSS nVidia drivers (and would most likely bolster their sales as a result), but on the other hand nVidia is in possession of others' proporietry code in their drivers which they can not legally release under an open lisence.
  • Mejogid, on 10/12/2007, -2/+21Unfourtunately it's more illegal for nVidia to open up a driver with code that doesn't belong to them. nVidia has maintained - logically enough - that they have lisenced code from other companies for their drivers which they do not have sufficient rights to release.

    There's also the issue that much proprietry code illegally uses chunks from FOSS and competitors, and they would likely be targeted by a number of lawsuits if they open the drivers.
  • Mejogid, on 10/12/2007, -1/+15@PJBonoVox

    The argumnt of userbase size here is irrelevant. Firstly, the Linux community probably makes up closer to 8% of their userbase, since the vast majority of Linux users use nVidia over ATI or Intel, since they are educated enough not to be happy with bad intergrated graphics and most are aware of the awfull lows of ATI's drivers.

    As to why, although this 8% is a minority, they are a very vocal one that are generally respected in their views on computers, and I'd guess another 10% of people would buy an nVidia computer if they were told to.

    There's also the potential growth of Linux, which could result in much higher percentages ten years from now.

    Of course there are reasons against opening them as my post above, but that doesn't make reasons for opening them any less valid.

    --

    That is, of course, assuming that wasn't just a meaningless jab at Linux.
  • schestowitz, on 10/12/2007, -7/+19I noticed similar (only local) Linux vulnerabilities yesterday:

    WMV : proprietary 'binary blob'
    Flash : proprietary 'binary blob'

    There was also Adobe Acrobat in the past... proprietary 'binary blob'

    Say no to that binary rubbish.
  • LordBug, on 10/12/2007, -0/+11Read the Kernaltrap comment thread on that page. The latest (albeit beta) nVidia drivers, released 1 month ago, fix this exploit.
  • enochian, on 10/12/2007, -7/+17Just say NO to binary blobs! OpenBSD has been speaking out against this stuff for years.
  • bigtomrodney, on 10/12/2007, -4/+13I'd like to see nVidia open the driver. It's a great shame they haven't. Not to mention Novell's stand that it is actually illegal to use it.

    Now that AMD have ATI, I wonder if they'll set the ball rolling and open their driver, then nVidia might follow suit.
  • Philodox, on 10/12/2007, -1/+9Don't forget that the community nvidia driver can't control the fan speed so it sounds like there's a vaccum inside the case.
  • sremick, on 10/12/2007, -0/+8I'm with shrewduser on this one. While I'd love to have every aspect of my computer open-source, that's simply not possible at the moment while still giving me something usable for my needs. The nv driver, while it works, offers no acceleration. Making my fancy nVidia card about as high-tech as something made 10y ago. I use the nVidia binary driver because it does what I need it to and does it fairly well. Yes it's not ideal but the alternatives are much worse for me. I'll continue using it until something better comes along, the same way I continued to use Windows until something better came along. ;)

    I'm still optimistic as the general trend is positive and progress IS being made. More and more things are becoming open-source. nVidia got the hint and has made baby steps (hell, I can get a FREEBSD driver from them, how sweet is that?) and other companies are waking up too.
  • neko, on 10/12/2007, -1/+8Yeah, blobs are bad, but .... I can't live without my wobbly, blobby windows now!
    And the companies which release their drivers like this, well, it's a pity, but sometimes they're dependent on the legal restrictions of other bits they've acquired.

    Plus ATI and NVidia would probably have some kind of mutually-assured-destruction patent war if either of them revealed their top secret driver code....
  • phjr, on 10/12/2007, -1/+7Looks like they knew about the issue since 2004. If that's true... :-/
  • Flopy, on 10/12/2007, -2/+8@ CaptainMordecai

    I agree with you there, but be aware that OSS usually gets fixed more quickly than proprietary stuff. As ESR said, "with enough eyes, all bugs become shallow". It makes sense to think that opening a driver will help fix any issues it might have that NVIDIA wouldn't otherwise be aware of how to solve. Although it's illegal for them to do so. In that case, open some of the specs of the card, so that the community can develop at least a decent driver.
  • CaptainMordecai, on 10/12/2007, -5/+11Because no open source software has had security exploits before right? There are going to be flaws in any software. Open Source or not.
  • Ryosen, on 10/12/2007, -1/+6@moonwell,

    More than likely, you would begin to see beta releases within a month. But let's say that you're right and it's six months. That's still six months sooner than the current process.
  • gotamd, on 10/12/2007, -1/+6I agree that this is bad, but as one person previously mentioned, there are beta drivers that fix the flaw. I think it's stupid that they then go on to bash it for being binary and proprietary instead of open source and claim that the security flaw was around *because* of this. Take off the fanboy hats long enough to realize that even open source software has had major bugs in it before (and still does).
  • ungamedplayer, on 10/12/2007, -1/+6Oh, a debate.. how delicious.

    With Open Source, I can -look- at the source code and fix bugs. That's right. I can fix them. I wont deny that most users of open source probably can not, but If I need to, I can.

    With closed source software, like NVidia here, one can -not- see the source code and you are at the mercy of $vendor to fix your software problem*.

    Don't call me a zealot, because I'm right.
    Don't say Open Source is buggy, all software is made by humans, therefore imperfect.

    With Open Source, I can fix bugs (yes, I code, no I don't care if you care) and quite often do. Use what you want. I'll be the one over here being productive on my Linux system, you can go run a virus scanner, remove your spyware and update your drivers.

    Digg your own grave punks.

    * yes Some people have mad asm skills its quite possible, but I can't imagine anyone actually doing this for any significantly complicated project without financial backing.
  • wurzelgummage, on 10/12/2007, -1/+4Can't you just block all network access to and from the nvidia driver files, and for the local vulnerability, just accept that if people have physical access to the machine, it's as good as pwnd already.
  • karamba_kid, on 10/12/2007, -0/+3Will running my browser from Xnest help me from being exploited for the time being?
  • jellygraph, on 10/12/2007, -3/+6i just love getting replies from immature supporters of proprietary software on an OS operating system and graphics card fanboys

    >> Because no open source software has had security exploits
    >> before right? There are going to be flaws in any software.
    >> Open Source or not.

    Of course, there will be, but the main issue is how much longer it takes to find these exploits and how soon it is fixed (given the fact that it is jammed into the kernel). In this respect, OS software has an excellent, proven track record.

    >> Once exploit for the nVidia driver, countless others for the rest
    >> of OSS. Great metrics there, Watson. That's right, you stick to
    >> your ***** ATI drivers.

    Your logic is flawed. This is an issue with Open Source versus Proprietary methods of software development, so you will have to factor in every single flaw in Windows on the proprietary side. And guess who loses?
  • debian_, on 10/12/2007, -0/+2I think a lot of the negative response comes from not so much OSS supporters claiming the open model is perfect, but more so the general cold shoulder *nix has had from nVidia compared to Windows in the past. Combine lacking support with a bug in drivers which go against the OSS 'grain' and its gasoline on the fire.
  • sremick, on 10/12/2007, -0/+1glguy:

    I'd say that people who think that hardware-acceleration is only useful for games are part of the problem.
  • Urusai, on 10/12/2007, -1/+2Hell, the nv driver doesn't even work with my video card (6800GS). The vesa driver does, at least.
  • joffer, on 10/12/2007, -1/+1http://securitydot.org/xpl/exploits/vulnerabilities/articles/1714/exploit.html
  • Cablito, on 10/12/2007, -1/+2Sorry for saying it. Linux will be always object of perfection, no matter how many crap code gets written for it by us stupid windows programmers, it will all be roses.
  • nonsequitor, on 10/12/2007, -2/+2Horray for XGL!!! I upgraded to the Beta Driver earlier this month to run XGL with the native on card support. And yes, XGL is awesome.
  • jellygraph, on 10/12/2007, -2/+1Sure, even if you included laregly redundant operating systems that no one uses together with Windows, Open Source would still win
  • burke, on 10/12/2007, -4/+2It didn't shut you up.
  • inactive, on 10/12/2007, -5/+3Even if they open then what? I hope you consider that this driver was closed source since it exist and it's not a 2 day job to go through on that code. If they will open this driver we have to wait at least half a year until there will be some developer community who understand the code and start to do something with it.
  • knodi, on 10/12/2007, -7/+3Its a feature not a bug.
  • Cablito, on 10/12/2007, -6/+1Say its not true?!
  • Cablito, on 10/12/2007, -10/+5This is just a taste of what the future reserves for linux.

    Not everyone is going to go opensource, specially people who actually want to make money. Crappy coders that write bad code on windows will migrate to linux when the mass does; bad code will just follow them.
  • jellygraph, on 10/12/2007, -11/+7Just goes to show, Open Source is best. Proprietary is crap.

    Good thing I'm using an ATI Radeon and the OS drivers.
  • terath, on 10/12/2007, -6/+0*****, one bad company doesn't invalidate the model. Why don't you try to compare against solaris or AIX, products in the same market space as linux? Guess who loses?
  • inactive, on 10/12/2007, -9/+3"As to why, although this 8% is a minority, they are a very vocal one that are generally respected in their views on computers"

    You're kidding, right? All they ever do is crack on about how great Linux is when in fact all they do is spend 24 hours a day tweaking the OS.

    Trust me, I, for one, do not respect the average Linux users opinion.
  • inactive, on 10/12/2007, -9/+2Once exploit for the nVidia driver, countless others for the rest of OSS. Great metrics there, Watson. That's right, you stick to your ***** ATI drivers.
  • warmcat, on 10/12/2007, -11/+4Gah it goes on:

    ''... (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is attached to this advisory...''

    Happy I don't have any boxes running the nVidia binary driver!
  • ray901, on 10/12/2007, -8/+1fool
  • glguy, on 10/12/2007, -9/+1People who happily accept the binary drivers so that they can play their games today are as much a part of the problem as nVidia and ATI...

    Buy a console system for games and tell nVidia/ATI to ***** itself their collective selves unless they open up!
  • Archer1980, on 10/12/2007, -10/+1@foolfromhell

    I totally agree eh, Wonder where all the linux fan boys that are always in the windows threads commenting about how secure linux is are right now. Just goes to show that no software is secure. Will this shut up the Linux fan boys, probably not.
  • pabhinavkumar, on 10/12/2007, -9/+0datadatadata data data data data data
  • Cablito, on 10/12/2007, -12/+2oooo wasn't linux suposed to be so safe and perfect?

    What happened to "Windows sucks and its unsecure linux fanboys"

    A lot of Windows crashes and hacks are usually 3rd party drivers and softwares too. (true the root of windows IE is the main door when miss-configured)
  • lukaszb, on 10/12/2007, -15/+3mod this down
  • foolfromhell, on 10/12/2007, -15/+2Linux not so secure now eh?
    I know its not the coder's fault, its nVidia's fault...
  • inactive, on 10/12/2007, -22/+9You think nVidia would open up their driver for some 2-3% of their userbase? Why would they bother?

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.