This is super bad right? Like anybody who has this running will be vulnerable to a super basic HTTP redirect -> installer running on their machine attack, right? And on top of that it's for something that is likely installed on _so many_ machines, right?
I don't think I've ever seen something this exploitable that is so prevalent. Like couldn't you just sit in an airport and open up a wifi hotspot and almost immediately own anyone with ATI graphics?
You can get arrested for this in my country, fun fact.
I guess that's how you prevent anything, just make it illegal and the exploit becomes an unintended illegal feature, like occupying the low-freq radio signal.
Not that this isn’t bad, doesn’t this only apply when an update is available?
So you have to be on a shady hotspot, without VPN, AMD has recently published an update, and your update scheduler is timed to run.
That would be a little less than “immediately own anyone with ATI”.
You need only a device on the network to spam DHCP messages with malware DNS. So you don't need a "shady hotspot", only a compromised device within the network.
Oh yeah fair point, the HTTPS-ness of the first step is a helpful backstop
If somebody is MITMing a target person, they will respond positively to "update available?" calls from that person and then serve the tainted update. The article does not say what the frequency of auto update check is. Let's say one per day. If somebody is targeted it's one day away from RCE.
The update check is HTTPS, only the files themselves are HTTP.
TLS doesn’t mask the IP of the server. The updater probably isn’t using DNS over HTTPS. If I can determine that a user’s updater just hit the update check server, I can start impersonating the update server.
That takes it out of the one day away territory, but it does allow an attacker to only have a malicious HTTP capture up and detectable during the actual attack window.
Then, of course, if you’re also being their DNS server you can send them to the wrong update check server in the first place. I wonder if the updater validates the certificate.
I missed that, thanks!
Who would connect to an unknown person's hotspot?
But it seems pretty trivial for some bad actor at local ISP.
> Who would connect to an unknown person's hotspot?
SSID "Sydney Airport Wifi" or the like.
You're more [security minded](https://www.schneier.com/blog/archives/2008/03/the_security_...) than me
This is oh sweet summer child stuff.
Have you ever gone to a crowded public place and set up an open hotspot?
Ah, I think I never had to connect to a public open hotspot because by the time I grew up 4G and then 5G internet were commonplace.
Never travelled to another country and needed internet before you could get a local sim working?
Airports are prime for this, but in general the average person keeps wifi on, and the click-through on an Android to use open networks is so seamless.
esim for the win.
And you have them in your laptop? Or just using your phone and don't own a laptop at all?
I would use my phone's 'hotspot' long before I tried random wifi on my laptop?
Are you being willfully obtuse or do you actually believe that's true of everyone? There are so many reasons why someone might have a laptop in such a situation but not be able to use a hotspot on their phone - it's not even worth listing them.
That isn't what this thread suggested; I was supporting plausibility of the GP's claim never to have used public Wifi because of good 4G; stating they could still have used a laptop in public. My wording was also explicit that this isn't always an option.
> Like couldn't you just sit in an airport and open up a wifi hotspot and almost immediately own anyone with ATI graphics?
Some of us do not enable automatic updates (automatic updates are the peak of stupidity since Win98 era). And, when you sit in an airport, you don't update all your programs.
Automatic updates are absolutely not peak stupidity. Most users’ devices would have nasty security vulnerabilities wide open for a much longer period of time without automatic updates.
This assumes automatic updates fix security vulnerabilities, which is almost never the case.
I blindly do apt upgrade all the time. Are you telling me you vet every package?
Laughably ignorant update policies.