Paul found this out when he noticed a console window popping up unbidden in his new gaming PC. Hell hath no fury as that of a researcher scorned, so he quickly tracked said window to AMD's auto-updater, and in his own words, chose to "punish [the] software by decompiling it." That quickly yielded the link where the software pulls the list of available updates from, oddly named the "Devlpment" link [sic].
The said list is delivered via an HTTPS link, thus securely, but to Paul's dismay, the actual driver packages themselves use standard HTTP links. That means they're bereft of the two main benefits of HTTPS: the identity of the remote server (in this case, ati.com), and the integrity of the transmitted data against modification.
If all this is true, one can but hope that AMD realizes the mistake and fixes the issue immediately, and grants Paul a bounty for his sleuthing.
Follow Tom's Hardware on Google News , or add us as a preferred source , to get our latest news, analysis, & reviews in your feeds.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals. ","collapsible":{"enabled":true,"maxHeight":250,"readMoreText":"Read more","readLessText":"Read less"}}), "https://slice.vanilla.futurecdn.net/13-4-13/js/authorBio.js"); } else { console.error('%c FTE ','background: #9306F9; color: #ffffff','no lazy slice hydration function available'); } Bruno Ferreira Contributor Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
Blastomonas Forgive my ignorance, but how easy would this be to exploit? I could see how this might be easy by using a dodgy WiFi access point, but not so sure about a private internet connection. Would be grateful if someone could explain how this could be done. Reply
Shiznizzle Blastomonas said: Forgive my ignorance, but how easy would this be to exploit? I could see how this might be easy by using a dodgy WiFi access point, but not so sure about a private internet connection. Would be grateful if someone could explain how this could be done. https://en.wikipedia.org/wiki/Man-in-the-middle_attack Do a test on yourself. https://www.grc.com/dns/dns.htm Easiest way is to get you to install "bad" certificates. Reply
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/security-researcher-says-amd-auto-updater-downloads-software-insecurely-enabling-remote-code-execution-company-rep-reportedly-said-man-in-the-middle-attacks-are-out-of-scope-ignored-bug#main
- https://www.tomshardware.com
- Intel's Arrow Lake Refresh judgment day is reportedly on March 23 — missing Core Ultra 9 290K Plus from U.S. retailer listings spurs cancellation rumor
- Razer Boomslang 20th anniversary edition is as l33t a mouse as they come, for a princely $1,337 — legacy lives on two decades onwards
- Adafruit pushes back against NY state’s sweeping ban on 3D printing guns — suggests amendments to ‘preserve the public safety goal without breaking education, o
- Distinctive Hyte X50 mid-tower case drops to a $129.99 all-time low on Amazon — premium, curved-glass, chassis with top-tier airflow goes on sale
- Nemotron Labs: How AI Agents Are Turning Documents Into Real-Time Business Intelligence
Informational only. No financial advice. Do your own research.