Semiconductor company AMD runs a product security bug bounty program that awards up to $30,000 to security researchers who report a vulnerability discovered in AMD products. But when a New Zealand researcher identified a remote code execution (RCE) vulnerability in AMD’s AutoUpdate software, the company refused to pay the $10,000 bounty that such a bug should have been worth.
The researcher in question is a 22-year-old programmer named Paul. He posted about the situation on his MrBruh blog, where he details how he discovered the flaw and how easily a malicious party could exploit the RCE vulnerability to execute a man-in-the-middle (MITM) attack on your network. Despite the severity of this bug and the possibility that it could have affected millions of users, it took AMD 124 days to fix it – a fact you may want to keep in mind when deciding whether Intel or AMD is better for your next computer.
AMD acknowledged Paul’s findings and even took action based on his report, so why aren’t they paying the bounty? Although Paul called attention to a major bug, the terms of the bounty program state that MITM attacks are outside its scope. The report was closed and, to rub salt in the wound, Paul was asked to take down his original blog post on the subject indefinitely.
What the AMD bug means for consumers
Like any business, AMD has its ups and downs. They recently gained some goodwill after announcing that older AMD graphics cards would soon get a major free upgrade. However, the situation surrounding Paul raises questions about AMD’s consideration of its consumers and community members. The big question that arises from all this is: should you be worried about security if you have AMD components in your computer?
The good news is that AMD has fixed the AutoUpdate bug that Paul highlighted. AMD released a CVE report on June 12 that includes details about the issue and the actions taken. Prior to this patch, users were exposed to potential MITM attacks for 124 days. This type of attack involves eavesdropping or even placing code directly between the target and the application they are using. This was made possible because malicious parties could perform a simple RCE to, as Paul explains, “replace the network response with any malicious executable they wanted.”
If you use AMD products that have an automatic update feature, you might still be affected by the AMD bug discovered by Paul. In Paul’s republished blog post on the RCE vulnerability, he recommends that AMD users “uninstall everything” and download the latest versions of AMD software from the official website. And of course, you should always use security applications that actually protect your computer.