#1
Intel ID: INTEL-SA-00200
Advisory Category: Software
Impact of vulnerability: Escalation of Privilege
Severity rating: MEDIUM
Original release: 02/12/2019
Last revised: 02/12/2019
Summary:
A potential security vulnerability in the Intel® USB 3.0 eXtensible Host Controller Driver may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.
Vulnerability Details:
CVEID: CVE-2018-3700
Description: Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of privilege via local access.
CVSS Base Score: 5.8 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
Affected Products:
Intel® USB 3.0 eXtensible Host Controller Driver for Microsoft Windows® 7 before version 5.0.4.43v2.
Recommendation:
Intel recommends updating Intel® USB 3.0 eXtensible Host Controller Driver to 5.0.4.43v2 or later.
Updates are available for download at this location:
https://downloadcenter.intel.com/pro...troller-Driver
Acknowledgements:
Intel would like to thank Marius Gabriel Mihai for reporting this issue and working with us on coordinated disclosure.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed.
Revision History
Revision: 1.0
Date: 02/12/2019
Description: Initial Release
Source: INTEL-SA-00200
So this is only for Windows 7 versions?
Thought I might say something before anyone panics.
Affected Products:
Intel® USB 3.0 eXtensible Host Controller Driver for Microsoft Windows® 7 before version 5.0.4.43v2.
From the description the vulnerability is in the driver installer, not the driver itself.
I don't believe Windows Update installs drivers using the installer from the manufacturer, so this should only be relevant if you (or some 3rd party utility) manually run the .EXE. But there are no details on the vulnerability yet, so that's just speculation.