Intel has patched 19 vulnerabilities across its popular graphics drivers for Windows 10, including two high-severity flaws.
According to an Intel advisory, CVE-2018-12216 and CVE-2018-12214 allow a privileged user to execute arbitrary code via local access.
“Multiple potential security vulnerabilities in Intel Graphics Driver for Windows may allow escalation of privileges, denial-of-service or information disclosure”, Intel said in a Tuesday security advisory. “Intel is releasing Intel Graphics Driver for Windows updates to mitigate these potential vulnerabilities.”
Apparently the more serious of these (CVE-2018-12216) has a CVSS score of 8.2 and stems from insufficient input validation in the kernel mode driver within Intel Graphics Driver for Windows. The kernel mode driver of a graphics driver executes any instruction it needs on the CPU without waiting and can reference any memory address that is available.
The other high-severity vulnerability (CVE-2018-12214) has a CVSS score of 7.3 and exists due to potential memory corruption in the same kernel mode driver.
Impacted versions are those prior to 10.18.x.5059 (aka 15.33.x.5059), 10.18.x.5057 (aka 15.36.x.5057), 20.19.x.5063 (aka 15.40.x.5063), 21.20.x.5064 (aka 15.45.x.5064) and 184.108.40.20673.
Bryan Becker, application security researcher at WhiteHat Security, said that this was not the first time Chipzilla has faced vulnerabilities on this scale and it probably would not be the last.
“A vulnerability in CPU architecture is one of the most insidious, as there is very little users can do to protect themselves, short of just not using it until a patch comes out”, he told Threatpost.
The graphics driver patches are part of a larger set of fixes across seven Intel products, including its Matrix Storage Manager, Active Management Technology and Accelerated Storage Manager.
Five of these products included high-severity vulnerabilities. Two others of the seven flaws were rated medium in severity, including an escalation-of-privilege flaw (CVE-2019-0129) in Intel’s USB 3.0 creator utility that exists due to improper permissions (Intel is ultimately discontinuing the hosting and support of this tool).
The other medium-rated vulnerability is a denial-of-service and information disclosure flaw in Intel’s Software Guard Extensions (SGX) SDK (CVE-2019-0122).
“Double free in Intel SGX SDK for Linux before version 2.2 and Intel SGX SDK for Windows before version 2.1 may allow an authenticated user to potentially enable information disclosure or denial of service via local access”, Intel said.
To be fair, Intel said that there had been no real-world exploits from any of the vulnerabilities.
Intel told Threatpost it is not aware of any of the vulnerabilities being used in real-world exploits. So the hackers had not spotted the problems either.