Paul found this out when he noticed a console window popping up unbidden in his new gaming PC. Hell hath no fury as that of a researcher scorned, so he quickly tracked said window to AMD's auto-updater, and in his own words, chose to "punish [the] software by decompiling it." That quickly yielded the link where the software pulls the list of available updates from, oddly named the "Devlpment" link [sic].
The said list is delivered via an HTTPS link, thus securely, but to Paul's dismay, the actual driver packages themselves use standard HTTP links. That means they're bereft of the two main benefits of HTTPS: the identity of the remote server (in this case, ati.com), and the integrity of the transmitted data against modification.
If all this is true, one can but hope that AMD realizes the mistake and fixes the issue immediately, and grants Paul a bounty for his sleuthing.
Follow Tom's Hardware on Google News , or add us as a preferred source , to get our latest news, analysis, & reviews in your feeds.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals. ","collapsible":{"enabled":true,"maxHeight":250,"readMoreText":"Read more","readLessText":"Read less"}}), "https://slice.vanilla.futurecdn.net/13-4-13/js/authorBio.js"); } else { console.error('%c FTE ','background: #9306F9; color: #ffffff','no lazy slice hydration function available'); } Bruno Ferreira Contributor Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
Blastomonas Forgive my ignorance, but how easy would this be to exploit? I could see how this might be easy by using a dodgy WiFi access point, but not so sure about a private internet connection. Would be grateful if someone could explain how this could be done. Reply
Shiznizzle Blastomonas said: Forgive my ignorance, but how easy would this be to exploit? I could see how this might be easy by using a dodgy WiFi access point, but not so sure about a private internet connection. Would be grateful if someone could explain how this could be done. https://en.wikipedia.org/wiki/Man-in-the-middle_attack Do a test on yourself. https://www.grc.com/dns/dns.htm Easiest way is to get you to install "bad" certificates. Reply
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/security-researcher-says-amd-auto-updater-downloads-software-insecurely-enabling-remote-code-execution-company-rep-reportedly-said-man-in-the-middle-attacks-are-out-of-scope-ignored-bug#main
- https://www.tomshardware.com
- 20-gigawatt Chinese microwave weapon touted as ‘Starlink’s worst nightmare’ by country's media — portable 5-ton device can deliver full-minute destructive burst
- NVIDIA DRIVE AV Raises the Bar for Vehicle Safety as Mercedes-Benz CLA Earns Top Euro NCAP Award
- 20-gigawatt Chinese microwave weapon touted as ‘Starlink’s worst nightmare’ by country's media — portable 5-ton device can deliver full-minute destructive burst
- US Air Force bans use of smart glasses among its troops — earphones and other Bluetooth devices also limited to official duties while in uniform
- NVIDIA DRIVE AV Raises the Bar for Vehicle Safety as Mercedes-Benz CLA Earns Top Euro NCAP Award
Informational only. No financial advice. Do your own research.