Paul found this out when he noticed a console window popping up unbidden in his new gaming PC. Hell hath no fury as that of a researcher scorned, so he quickly tracked said window to AMD's auto-updater, and in his own words, chose to "punish [the] software by decompiling it." That quickly yielded the link where the software pulls the list of available updates from, oddly named the "Devlpment" link [sic].
The said list is delivered via an HTTPS link, thus securely, but to Paul's dismay, the actual driver packages themselves use standard HTTP links. That means they're bereft of the two main benefits of HTTPS: the identity of the remote server (in this case, ati.com), and the integrity of the transmitted data against modification.
If all this is true, one can but hope that AMD realizes the mistake and fixes the issue immediately, and grants Paul a bounty for his sleuthing.
Follow Tom's Hardware on Google News , or add us as a preferred source , to get our latest news, analysis, & reviews in your feeds.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals. ","collapsible":{"enabled":true,"maxHeight":250,"readMoreText":"Read more","readLessText":"Read less"}}), "https://slice.vanilla.futurecdn.net/13-4-13/js/authorBio.js"); } else { console.error('%c FTE ','background: #9306F9; color: #ffffff','no lazy slice hydration function available'); } Bruno Ferreira Contributor Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
Blastomonas Forgive my ignorance, but how easy would this be to exploit? I could see how this might be easy by using a dodgy WiFi access point, but not so sure about a private internet connection. Would be grateful if someone could explain how this could be done. Reply
Shiznizzle Blastomonas said: Forgive my ignorance, but how easy would this be to exploit? I could see how this might be easy by using a dodgy WiFi access point, but not so sure about a private internet connection. Would be grateful if someone could explain how this could be done. https://en.wikipedia.org/wiki/Man-in-the-middle_attack Do a test on yourself. https://www.grc.com/dns/dns.htm Easiest way is to get you to install "bad" certificates. Reply
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/security-researcher-says-amd-auto-updater-downloads-software-insecurely-enabling-remote-code-execution-company-rep-reportedly-said-man-in-the-middle-attacks-are-out-of-scope-ignored-bug#main
- https://www.tomshardware.com
- AI Copilot Keeps Berkeley’s X-Ray Particle Accelerator on Track
- Russian 'Inspector' spacecraft intercepted communications from a dozen European satellites, report claims — fears Moscow could even manipulate trajectories or c
- Minisforum MS-02 Ultra mini workstation hands-on — can it replace my hulking desktop PC that is 11 times larger?
- Sandisk's rebranded Optimus SSDs now available at eye-watering $999 for 2TB, $1,799 for 4TB — Optimus brings a 5% MSRP over previous models, but WD Black predec
- Report claims Nvidia will not be releasing any new RTX gaming GPUs in 2026, RTX 60 series likely debuting in 2028
Informational only. No financial advice. Do your own research.