Security researcher discovers AMD's Windows driver auto-updater downloads updates via insecure HTTP connections, potentially allowing man-in-the-middle attacks for nearly a decade.
Security researcher Paul has uncovered a critical vulnerability in AMD's Windows driver auto-updater that could expose millions of users to remote code execution attacks. The flaw, which has reportedly existed for nearly a decade, involves the auto-updater downloading software updates via insecure HTTP connections rather than encrypted HTTPS.
According to Paul's findings, when the AMD auto-updater detects an available update, it initiates a download through an unencrypted connection. This fundamental security oversight opens the door for attackers on the same network or positioned elsewhere along the connection path to intercept and modify the download in transit. The implications are severe - malicious actors could inject spyware, ransomware, or other malware into the update package, which would then be executed with administrator privileges on the victim's machine.
The vulnerability stems from AMD's use of HTTP for downloading actual driver packages, despite using HTTPS for the initial update list retrieval. This inconsistent security approach means that while the auto-updater securely verifies which updates are available, it then proceeds to download those updates without any integrity checking or server authentication. An attacker could exploit this by either redirecting the ati.com domain to their own malicious server or intercepting and modifying the HTTP download in real-time.
Paul, described as an "aspiring kiwi security researcher," discovered the issue when he noticed an unexpected console window appearing on his new gaming PC. His investigation traced the window to AMD's auto-updater, prompting him to decompile the software for further analysis. This technical examination revealed the insecure download mechanism and the oddly named "Devlpment" link used to retrieve the update list.
The potential attack surface is enormous, given AMD's widespread presence in computer hardware. With millions of devices potentially affected and the vast majority of users automatically connecting to known Wi-Fi networks, the conditions are ripe for exploitation. The researcher estimates the vulnerability could have been active for up to nine years, based on the auto-updater's vintage dating back to 2017.
When Paul responsibly reported the issue to AMD through what appears to be their bug bounty program, he received a response stating that man-in-the-middle attacks are "out of scope" for their security considerations. This dismissive stance effectively means AMD has no plans to address the vulnerability, leaving users exposed. The company's position that MITM attacks fall outside their responsibility is particularly concerning given the fundamental nature of the security flaw.
The technical implications are significant. HTTP connections lack the two primary security benefits that HTTPS provides: server identity verification and data integrity protection. Without these safeguards, there's no way for the auto-updater to confirm it's communicating with AMD's legitimate servers or to detect if the downloaded files have been tampered with during transmission.
This security lapse represents a serious failure in AMD's software delivery infrastructure. While the company's hardware products are widely respected, this vulnerability in their software update mechanism could undermine user trust and potentially expose countless systems to compromise. The fact that such a basic security measure - using HTTPS for all downloads - has been overlooked for so long raises questions about AMD's software security practices.
For users concerned about this vulnerability, the immediate mitigation is to disable AMD's auto-updater and manually download updates directly from AMD's official website, ensuring they use secure connections. However, this places the burden on individual users rather than addressing the systemic security failure.
The security community has responded with concern to both the vulnerability itself and AMD's apparent unwillingness to address it. The situation highlights the ongoing challenges in software security, particularly around update mechanisms that have broad system access and execute with elevated privileges.
As this story develops, the pressure mounts on AMD to reconsider their position and implement proper security measures for their software distribution. The potential for widespread exploitation and the length of time this vulnerability has existed make it a critical issue that demands immediate attention from the company.
For now, users of AMD hardware should remain vigilant and consider the risks associated with automatic updates until AMD addresses this fundamental security oversight in their update delivery system.
Comments
Please log in or register to join the discussion