Security researcher says AMD auto-updater downloads software insecurely, enabling remote code execution — company rep reportedly said man-in-the-middle attacks are "out of scope," ignored bug
2 hours ago
The year is 2026. The future of humanity is under discussion thanks to the rise of artificial intelligence, as robots become eerily humanoid. And somehow, AMD's Windows driver auto-updater still downloads software insecurely (Web Archive link), as discovered by an individual identified only as Paul, an aspiring kiwi security researcher, who published his findings in a blog post that has since been taken down "temporarily [...] due to a request." For now, it's unclear whether the bug has been verified directly by AMD, but the author does note that the takedown is temporary, and it has generated intense interest online.
According to Paul, when the auto-updater finds an eligible update, it proceeds to download it via an insecure connection. This opens up the possibility that an attacker in the same network or further down the line could simply pretend to be AMD's website, or modify the download in flight, adding spyware or ransomware — with administrator permissions, too.
According to Paul, he took the responsible action and immediately reported the issue to AMD, only to be met with a somewhat canned reply stating that man-in-the-middle attacks are "out of scope," implying the bug will see no fix. Although Paul didn't specify, he likely reported the issue via AMD's bug bounty program, meaning he won't see a reward for his work.
While the AMD rep is technically correct (often called the best kind of correct), should the situation be as described, then the bar for an attacker to clear is exceedingly low.
The easiest way would be to redirect the ati.com domain to their own malware delivery, as the auto-updater will blindly trust it, or intercept the download and modify it, as insecure connections offer no integrity checking.
Given that AMD wares are present in many computers, the potential attack surface is likely in the range of many millions. The fact that the vast majority of users let their devices automatically connect to known Wi-Fi networks wouldn't help matters any.
Making matters worse, if the findings pan out, it's hard to tell for how long the updates have been delivered this way. Some searching indicates that the auto-updater is of 2017 vintage, though it's hard to pin down when this exact download handler was put in production. At worst, we could be talking nearly a decade of insecure software delivery for the world at large.
Paul found this out when he noticed a console window popping up unbidden in his new gaming PC. Hell hath no fury as that of a researcher scorned, so he quickly tracked said window to AMD's auto-updater, and in his own words, chose to "punish [the] software by decompiling it." That quickly yielded the link where the software pulls the list of available updates from, oddly named the "Devlpment" link [sic].
That list is delivered via an HTTPS link, thus securely, but to Paul's dismay, the actual driver packages themselves use plain HTTP links. That means they're bereft of the two main benefits of HTTPS: authentication of the remote server's identity (in this case, ati.com), and protection of the transmitted data against modification in transit.
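To make that distinction concrete, here is an added example (not code from Paul's write-up or from AMD's updater) of how an update client could audit such a list: a constructed manifest in JSON form, a check that flags package URLs served over plain HTTP or lacking a digest, and verification of downloaded bytes against a SHA-256 digest carried in the HTTPS-delivered manifest, which is what lets an authenticated list vouch for a package even when the package itself travels unauthenticated. The manifest field names and URLs are assumptions.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed package bytes and digest; in practice the digest would be
# published in the manifest fetched over HTTPS (field names are assumptions).
CHIPSET_BYTES = b"constructed chipset package bytes, not a real driver"
CHIPSET_SHA256 = hashlib.sha256(CHIPSET_BYTES).hexdigest()

# Constructed update list modelled on the scenario in the article: the list
# arrives over HTTPS, but one package link is plain HTTP with no digest.
SAMPLE_MANIFEST = json.dumps({
    "packages": [
        {"name": "display-driver",
         "url": "http://downloads.example.test/display.exe",
         "sha256": None},
        {"name": "chipset-driver",
         "url": "https://downloads.example.test/chipset.exe",
         "sha256": CHIPSET_SHA256},
    ]
})


def audit_manifest(manifest_text: str) -> list:
    """Return one finding per package that lacks transport security or an
    integrity anchor the client could check after download."""
    findings = []
    for pkg in json.loads(manifest_text)["packages"]:
        scheme = urlparse(pkg["url"]).scheme.lower()
        if scheme != "https":
            findings.append(f"{pkg['name']}: fetched over {scheme}; "
                            "server identity and payload integrity unverified")
        if not pkg.get("sha256"):
            findings.append(f"{pkg['name']}: no digest in manifest; "
                            "download cannot be verified before execution")
    return findings


def verify_package(data: bytes, expected_sha256: str) -> bool:
    """Check downloaded bytes against the digest from the authenticated
    manifest; a tampered or substituted package fails here."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
    print("chipset verified:", verify_package(CHIPSET_BYTES, CHIPSET_SHA256))
```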
If all this is true, one can but hope that AMD realizes the mistake and fixes the issue immediately, and grants Paul a bounty for his sleuthing.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.