Bye bye responsible disclosure, hello actively exploited 0days.
I guess nobody’s reporting security issues to AMD anymore then. Have fun guys.
Does AMD want their own Nightmare-Eclipse or what. And that researcher went rogue because MS has the habit to not credit researchers and claiming that vulnerabilities are not vulnerabilities while quietly fixing them.
Y’all really need to read past the headline:
the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with
Okay, yes, but that’s because they had messed up their application enough that the updater itself couldn’t be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn’t actually be exploited only because of a deeper flaw he hadn’t found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.
I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.
Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.
It encourages people who find these bugs to use them rather than report them.
things like that should give a pause for other corporations, when they consider where they buy their stuff from.
I mean, you get paid an awful lot more if you sell it on the dark web, so why wouldn’t you at this point?
I hope they do.
Sure however it’s still worth calling out click bait headlines and reactionary posters are all being bad actors here in the misinformation spread.
Probably more important as then developers don’t back out over being emotionally manipulated by fake bullshit.
The woman in the stock photo looks like she’s about to pilot an X-Wing.
Researcher commenting on the patch:
he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn’t considered cryptographically secure anymore
I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That’s never been its purpose, and using it for digital signing is patently insane!
I fear I would have had a much shorter temper after what he’s been through, and yet here he is keeping his cool and his criticism constructive. Good on him.
Although it is true that they now fully use HTTPS, the claim about signature verification is untrue; they only perform a CRC-32 check on the downloaded executable, which is not cryptographically secure.
This is the wording from the blog post. Tom’s Hardware just rephrased it very poorly. (see e.g. https://www.reddit.com/r/hardware/comments/1ixgas1/articles_from_tomshardwarecom_should_be_banned/)
Do you really need signing if you’re using HTTPS though?
HTTPS is privacy in transit. It has no say into what’s being downloaded.
A drug dealer with a heavily armed escort delivers a package of white powder. New problem: is it cocaine, cleaning detergent, anthrax, or some mixture of the former?
My version of questioning this is if the same source is providing both the file and the hash, does it matter how hard it is to fake the hash? It could just generate a new hash for the fake file, couldn’t it?
I suppose if the only way to obtain the patch were through an automated download from the AMD website, the authentication through the site certificate would be better than nothing. But this is a security patch, and I think the researcher is right in pointing out that the bar needs to be higher?
Excellent way to encourage responsible disclosure.
/s
They should ask Microsoft about those current troubles.
Either you pay bug bounties, or crypto locker ransoms.
Every major company is fucking evil
There’s always Costco
We let the psychopaths get their way
Psychopaths naturally rise to the top in environments like large corporations, because of their ability to manipulate people and not give a fuck about hurting others.
And stupid
Read the article
Are you saying that to yourself? Yes, you should read the article.
Holy crap. I’d say not to buy AMD if you value your security (i have an AMD CPU and the Deck too). You already know the next vulnerability they’re going to be the last ones to find out. In the news, probably.
Ok, so the alternative is buying Intel/Nvidia. Surely they’ve never done anything problematic, so this is a good plan.
No no no. You buy half an intel chip, and half of an AMD chip. Then mush them together!
Under Linux, AMD GPU is the only sane solution tho, due to open source drivers. And Intel CPUs have history of cookin hard.
It’s not. RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.
Of course, that means no AAA gaming, for the most part at least. But then again, who even plays AAA games these days?
RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.
Have fun dealing with that Device Tree bullshit because hardware autodetection is so 1998.
those are not consumer friendly
But then again, who even plays AAA games these days?
Gaming industry is way bigger than movie industry. Almost everyone plays games.
Steam alone has like 40 million concurrent players right now.
Gaming industry is way bigger than movie industry. Almost everyone plays games.
Most money goes into mobile money traps, though.
But then again, who even plays AAA games these days?
Err many people? And Linux gaming is on the rise too.
Consumer ARM hardware mostly needs customized images for each board. Plus, depending on your CPU manufacturer you’ll be stuck on an ancient kernel version to get full functionality.
And the performance/watt is not that exceptional.
(Serious) is there really a reasonably priced arm laptop? Which one? I only see apple silicon and some over 2k dollars laptops. Does it have good battery life and performance?
The Steam Deck does run Linux right? Generally that means the used drivers are not written by AMD and also do not have an auto-updater from AMD. The deck is supposed to update through it’s OS’es package manager and supposedly has the Mesa and Linux Foundation drivers in use.
AMD now with their security stuff and Intel with the crashing and quick degradation stuff a while ago. Sigh.
It was physics and battery sizes to blame for why we have drifted from the 5 GHz x86 CPU to the 32 core x86 CPU. I never thought the rush to ARM/RISC-V would be because Intel and AMD are run by morons.
Researches should publish after 90 days. That would solve the problem.
If anyone could provide an AMD email to ask for a statement concerning this issue, that would be nice.
I don’t think a statement is really needed here, this wasn’t a vulnerability, the code was never called. Even if the code were called, the $10,000 bounty is for a different type of bug entirely too
so stacking vulnerabilities is a thing
if the code exists it can be called
this is a valid bug and it’s silly to rule lawyer something like this
so good job amd, you are ‘actually’ right,
this totally won’t cost you in the long run at all
god damn do lawyers and business majors need to stop making tech decisions
