Intel has released security updates addressing two high-severity vulnerabilities in its Intel Media Software Development Kit (SDK) and Intel NUC mini PC.
Overall, the chip giant on Tuesday patched four flaws across its products; the most severe of these vulnerabilities exist in Intel’s Media Software Development Kit (SDK) and could enable an authenticated attacker to gain escalated privileges.
Intel’s Media SDK is a software development package equipping developers with media acceleration capabilities on Intel platforms, including video and photo processing. The vulnerability ( CVE-2018-18094) has a CVSS score of 7.8, making it high-severity.
The glitch stems from improper directory permissions in the installer for Intel’s Media SDK (before version 2018 R2.1). These improper permissions “may allow an authenticated user to potentially enable escalation of privilege via local access,” said Intel. The chip company urged Intel Media SDK users to update to version 2018 R2.1 or later (updates are available for download here).
Meanwhile, another high-severity vulnerability also exists in the Intel NUC (short for Next Unit of Computing), a mini PC kit that offers processing, memory and storage capabilities for applications like digital signage, media centers and kiosks.
Intel NUC has a vulnerability (CVE-2019-0163) with a CVSS score of 7.5, making it high severity. The flaw stems from insufficient input validation in the system firmware of the product, which could enable escalation of privilege, denial of service, and information disclosure for impacted systems, said Intel.
“A potential security vulnerability in system firmware for Intel NUC may allow escalation of privilege, denial of service, and/or information disclosure,” according to Intel’s release. “Intel is releasing firmware updates to mitigate this potential vulnerability.
Specifically, Intel NUCs that are powered by Intel Broadwell U i5 vPro chips (before version MYBDWi5v.86A) are impacted.
Intel also urged users to update and mitigate against a medium-severity escalation of privilege vulnerability in its Graphics Performance Analyzer for Linux, and a low-severity information disclosure flaw in “some microprocessors” with virtual memory mapping.
In March, Intel patched 19 vulnerabilities across its popular graphics drivers for Windows 10, including two high-severity flaws. CVE-2018-12216 and CVE-2018-12214 could both allow a privileged user to execute arbitrary code via local access, according to an Intel advisory.
It’s only the most recent set of patches to be released on Patch Tuesday: Adobe also fixed 24 critical arbitrary code execution vulnerabilities across multiple products, including Acrobat Reader, Adobe Flash, and Adobe Shockwave Player.