Paul found this out when he noticed a console window popping up unbidden in his new gaming PC. Hell hath no fury as that of a researcher scorned, so he quickly tracked said window to AMD's auto-updater, and in his own words, chose to "punish [the] software by decompiling it." That quickly yielded the link where the software pulls the list of available updates from, oddly named the "Devlpment" link [sic].
The said list is delivered via an HTTPS link, thus securely, but to Paul's dismay, the actual driver packages themselves use standard HTTP links. That means they're bereft of the two main benefits of HTTPS: the identity of the remote server (in this case, ati.com), and the integrity of the transmitted data against modification.
If all this is true, one can but hope that AMD realizes the mistake and fixes the issue immediately, and grants Paul a bounty for his sleuthing.
Follow Tom's Hardware on Google News , or add us as a preferred source , to get our latest news, analysis, & reviews in your feeds.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals. ","collapsible":{"enabled":true,"maxHeight":250,"readMoreText":"Read more","readLessText":"Read less"}}), "https://slice.vanilla.futurecdn.net/13-4-13/js/authorBio.js"); } else { console.error('%c FTE ','background: #9306F9; color: #ffffff','no lazy slice hydration function available'); } Bruno Ferreira Contributor Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
Blastomonas Forgive my ignorance, but how easy would this be to exploit? I could see how this might be easy by using a dodgy WiFi access point, but not so sure about a private internet connection. Would be grateful if someone could explain how this could be done. Reply
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/security-researcher-says-amd-auto-updater-downloads-software-insecurely-enabling-remote-code-execution-company-rep-reportedly-said-man-in-the-middle-attacks-are-out-of-scope-ignored-bug#main
- https://www.tomshardware.com
- NVIDIA Unveils Multi-Agent Intelligent Warehouse and Catalog Enrichment AI Blueprints to Power the Retail Pipeline
- AMD's 96-core beast with watercooling engraved into CPU joins car and industrial parts in a 2,000W direct die cooling setup — $12,000 CPU runs at 5.3 GHz, devou
- Flight Controls Are Cleared for Takeoff on GeForce NOW
- One-third of consumers reject AI on their devices, with most saying they simply don’t need it — latest report highlights privacy fears and potential costs among
- Jim Keller's Tenstorrent is downgrading Blackhole p150 cards from 140 to 120 tensor cores via firmware update — will ship cards with 120 tensor cores going forw
Informational only. No financial advice. Do your own research.