Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user).
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
I just summarily blocked www2.ati.com in my local DNS until this is fixed.
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
@harrysintonen This is imo just as bad or worse than the Notepad++ supply chain attack that has been much in the news. It is easier for many state level actors to exploit, as well, since no compromise of the actual server is necessary. https + verification of code signing is imo the minimum bar for any auto-update process. This is 2026, not 2017. We shouldn't be dealing with another NotPetya in the making through failure to follow well established best practices.
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
@harrysintonen tf!? In twenty-fucking-twenty-six!?
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
Typo? HTTPS would help.
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
Here's how to check if the http:// URLs are still in use:
curl -s -L hxxps://www2.ati.com/drivers/patch/ec1b73b4-bc2a-4ca1-8431-c514730dbd90/versioninfo.xml | grep http://
replace hxxps with https
-
@harrysintonen This is imo just as bad or worse than the Notepad++ supply chain attack that has been much in the news. It is easier for many state level actors to exploit, as well, since no compromise of the actual server is necessary. https + verification of code signing is imo the minimum bar for any auto-update process. This is 2026, not 2017. We shouldn't be dealing with another NotPetya in the making through failure to follow well established best practices.
I got bad news for you about a lot of Linux distributions, they fail on at least one point (https). Not that I agree with that policy but it's often the most compatible way.
The lack of code signing is an issue, though it's unclear whether RyzenMaster is run by a user granted permissions to run unsigned code. If it requires signing they're basically praying that Microsoft's stuff is doing the heavy lifting for them. The blog is a bit light on details and seems to suggest this is a theoretical that the researcher didn't follow through with proving out fully.
-
I got bad news for you about a lot of Linux distributions, they fail on at least one point (https). Not that I agree with that policy but it's often the most compatible way.
The lack of code signing is an issue, though it's unclear whether RyzenMaster is run by a user granted permissions to run unsigned code. If it requires signing they're basically praying that Microsoft's stuff is doing the heavy lifting for them. The blog is a bit light on details and seems to suggest this is a theoretical that the researcher didn't follow through with proving out fully.
@fennix @Infoseepage The scheduled task run as admin.
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
You can do the following to remove the scheduled task that executes the vulnerable AMDAutoUpdate:
1. Run cmd.exe as administrator
2. schtasks /delete /TN AMDAutoUpdate /F
This prevents the AMDAutoUpdate from executing.
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
@harrysintonen 404
-
@gsuberland @harrysintonen 404 here too
-
@gsuberland Fixed the link to archived copy of the blog post. https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
-
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
@harrysintonen this was how Razers auto updater was used as a payload delivery mechanism previously
-
@gsuberland @harrysintonen 404 here too
-
Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope.
Madness.
source: https://web.archive.org/web/20260206152314/https://mrbruh.com/amd/
@harrysintonen The WHAT now?
-
S svenja@mstdn.games shared this topic
