Nvidia's latest drivers help to mitigate CPU flaws, but GPU hardware is not vulnerable

Greg S


As many tech companies are working together to patch Spectre and Meltdown vulnerabilities, Nvidia joins the list of businesses to offer a patched update. Initially, only Intel, ARM and AMD were known to be affected by some of the latest exploits. Now, Nvidia has quietly shown that its GPU drivers were potentially insecure as well.

Update: Nvidia has reached out to clarify that its GPUs are not impacted by Spectre. According to its updated notes, GPU hardware is immune to the reported security issues (Meltdown and Spectre); however, its latest driver software release includes updates to help mitigate the CPU security issue.

Here's how Nvidia believes its products are affected (or not):

  • Variant 1 (CVE-2017-5753): CPU mitigations are provided with the security update included in this bulletin. NVIDIA expects to work together with its ecosystem partners on future updates to further strengthen mitigations for affected CPUs.
  • Variant 2 (CVE-2017-5715): NVIDIA’s initial analysis indicates that NVIDIA software running on affected CPUs may require further updates. NVIDIA expects to work together with its ecosystem partners on this variant.
  • Variant 3 (CVE-2017-5754): At this time, NVIDIA has no reason to believe that NVIDIA software is vulnerable to this variant when running on affected CPUs.

Meltdown appears to have no effect on Quadro, NVS, GeForce, Tesla and GRID models. The second variant of Spectre could potentially affect graphics cards and is not fully patched yet, but Nvidia is exploring options to enhance security. The first variant of Spectre is completely patched for the GeForce, Quadro and NVS series. GRID and Tesla card owners will have to wait until the end of January to receive fixes.

There is no mention of whether the latest driver updates will affect performance. Given that updated UEFI firmware and Windows updates are causing reduced SSD performance and marginal slowdowns in other cases, it would be highly unlikely for new drivers to provide better performance.

It is advised to update to the latest Nvidia driver version available for your graphics card. For GeForce owners, version 390.12 on Linux or version 390.65 on Windows will provide the needed patches. No announcements have been made by AMD to disclose whether the RX and RX Vega series are affected as well.

On a more positive note, the latest driver updates also add ShadowPlay Highlights support for Fortnite in Battle Royale mode. SLI profiles were updated for DIRT 4, Total War: WARHAMMER II and X-Morph: Defense. Notifications for attachment or removal of eGPUs were also added.


 
I got f***** by Intel now by Nvidia too? :(

You already were by their prices. ;)

People make conscious decisions to buy the best at their price levels, just happens that lately Intel and Nvidia occupy those slots. Also has to do with mining killing AMD GPU price for performance. The 470 and 480 were king for a while when companies were nearly giving them away with rebates this time last year.
 
Can someone explain to me just what sort of applications that run on a GPU could remotely have security implications? Seriously, why should I care to slow down my GPU for security reasons when it is used for, say, rendering frames at higher FPS for Overwatch, Destiny 2, Rocket League, GTA5, etc.? It is not like the GPU is just going to run any old JavaScript downloaded from a suspicious website and go snooping for my banking password in the video card memory (think GDDR5/HBM/GDDR5X etc.) on the GPU.

BTW, if JavaScript (or any of its evil variants, clones, alternatives), i.e. generic execution of code downloaded from remote unsafe sites, did not exist or had never been allowed to become a thing, the Spectre attacks would never have gotten off the ground. Spectre is a thing now because JavaScript provides the vector and insertion point/point of entry for remote malicious code to run and subsequently search a process's private memory space.
 
The story here is a little misleading. The GPUs themselves are not affected at all, but Nvidia has found a flaw in their driver that could potentially be used for a Variant 2 attack. The latest drivers already fix the vulnerability, so nothing to worry about to be honest, just update your drivers.
 
Update: Nvidia has reached out to clarify that its GPUs are not impacted by Spectre. According to its updated notes, GPU hardware is immune to the reported security issues (Meltdown and Spectre); however, its latest driver software release includes updates to help mitigate the CPU security issue.

More details on the updated story.
 
We will see if Huang tries to sell his NVDA shares in the coming months. I suspect some nVidia chips with ARM cores are susceptible to vulnerabilities.

FYI. At the 34C3 event (the 34th Chaos Communication Congress) in Leipzig, Germany, Team Xecuter doubled down by teasing a “definitive hack solution” (for Nintendo Switch) that would work with ANY firmware and, according to them, could NEVER be fixed via software updates by Nintendo.
 
Contradictory news on NVIDIA GPUs:
  • WindowsCentral.com says: NVIDIA has issued new GPU drivers to guard against the recently disclosed Spectre processor exploit. NVIDIA has released an update (via Reuters) for its GPU driver software to mitigate attacks based on speculative side channel execution, shoring up its software against the Spectre exploit that has rocked chipmakers like Intel, AMD, and ARM since its disclosure last week.
  • PCgamer.com says: Variants 1 and 2 are both Spectre, while Variant 3 is Meltdown (check out our FAQ on the subject for a rundown of both). Nvidia's 390.65 driver update includes a fix for Variant 1.
  • Techcrunch.com says: Nvidia also updated its security bulletin to make clear that its own hardware products are not affected by the disclosed vulnerabilities, to the best of their knowledge right now.
Nvidia.com is silent on the subject.
 
What were the MSRPs of those FEs again....?
And who said you had to buy them?

You're reaching like you're sinking in quicksand, man. ;)
You're forgetting history. The FE launched at significantly higher than MSRP, and thus, so did the board partner cards.

But don't let that stop you.
 
1. That isn't nVIDIA's fault. It never is.
2. History? Um.. how long ago was that?
3. For the millionth time, no one forced ANYONE to buy FE cards. In fact, regardless of price, only impatient people or people looking to use water blocks buy reference cards.
4. Thanks for playing!
 
...It is nVidia's fault. The reference card is launching at a significantly higher price than MSRP? Really? Why would you ever launch an MSRP card, then?

Or rather, why would you announce an MSRP, and then ensure that there would not be any card available at MSRP?

Also, lists make you sound like a 12 year old writing a "clever" book report, not a game show host.
 
My list is far less offensive than your knowledge of how the market works.
 