this post was submitted on 14 Jun 2026
600 points (99.0% liked)

Technology

top 42 comments
[–] rizzothesmall@sh.itjust.works 51 points 6 hours ago

I guess nobody's reporting security issues to AMD anymore then. Have fun guys.

[–] SkunkWorkz@lemmy.world 49 points 7 hours ago

Does AMD want their own Nightmare-Eclipse or what? And that researcher went rogue because MS has the habit of not crediting researchers and claiming that vulnerabilities are not vulnerabilities while quietly fixing them.

https://www.theregister.com/security/2026/05/28/microsoft-0-day-feud-escalates-as-researcher-threatens-another-windows-exploit-dump/5248085

[–] kuhli@lemmy.dbzer0.com 45 points 11 hours ago (2 children)

Y'all really need to read past the headline:

the bug that Paul found seemingly wouldn't be triggered anyway, as the relevant section of the code wasn't being called to begin with

[–] monotremata@lemmy.ca 2 points 1 hour ago

Okay, yes, but that's because they had messed up their application enough that the updater itself couldn't be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn't actually be exploited only because of a deeper flaw he hadn't found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.

[–] rustydrd@sh.itjust.works 77 points 8 hours ago (2 children)

I guess it's one of those "justifiable but unwise" sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don't want is to create the perception that the work of devs who look for these vulnerabilities isn't appreciated, for example, by skimping on bounties over technicalities.

Paying the 10k doesn't ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs' trust that keeps this program effective. From a financial point of view, this is some very poor decision making.

[–] grinning_serpent@lemmy.world 2 points 2 hours ago

It encourages people who find these bugs to use them rather than report them.

[–] Smoogs@lemmy.world 10 points 4 hours ago* (last edited 4 hours ago)

Sure, however it's still worth calling out that clickbait headlines and reactionary posters are all being bad actors here in the misinformation spread.

Probably more important, as then developers don't back out over being emotionally manipulated by fake bullshit.

[–] schema@lemmy.world 25 points 11 hours ago* (last edited 11 hours ago)

The woman in the stock photo looks like she's about to pilot an X-Wing.

[–] tunetardis@piefed.ca 45 points 13 hours ago (2 children)

Researcher commenting on the patch:

he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn't considered cryptographically secure anymore

I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That's never been its purpose, and using it for digital signing is patently insane!

I fear I would have had a much shorter temper after what he's been through, and yet here he is keeping his cool and his criticism constructive. Good on him.

[–] teohhanhui@lemmy.world 2 points 3 hours ago* (last edited 3 hours ago)

Although it is true that they now fully use HTTPS, the claim about signature verification is untrue; they only perform a CRC-32 check on the downloaded executable, which is not cryptographically secure.

This is the wording from the blog post. Tom's Hardware just rephrased it very poorly. (see e.g. https://www.reddit.com/r/hardware/comments/1ixgas1/articles_from_tomshardwarecom_should_be_banned/)

[–] Giooschi@lemmy.world -2 points 7 hours ago (4 children)

Do you really need signing if you're using HTTPS though?

[–] Buddahriffic@lemmy.world 1 points 3 hours ago

My version of questioning this is if the same source is providing both the file and the hash, does it matter how hard it is to fake the hash? It could just generate a new hash for the fake file, couldn't it?

[–] lemmyvore@feddit.nl 7 points 6 hours ago

HTTPS is privacy in transit. It has no say in what's being downloaded.

[–] DevDave@piefed.social 3 points 5 hours ago

A drug dealer with a heavily armed escort delivers a package of white powder. New problem: is it cocaine, cleaning detergent, anthrax, or some mixture of the former?

[–] tunetardis@piefed.ca 1 points 5 hours ago

I suppose if the only way to obtain the patch were through an automated download from the AMD website, the authentication through the site certificate would be better than nothing. But this is a security patch, and I think the researcher is right in pointing out that the bar needs to be higher?
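A worked illustration of the distinction drawn in this subthread, added here as an example and not taken from any commenter or from AMD's actual updater: a CRC-32 trailer served alongside the file accepts any internally consistent download, whereas an Ed25519 signature checked against a public key compiled into the client does not. The key pair, payload strings and package layout are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed stand-in for a downloaded update: executable bytes followed by a
// 4-byte CRC-32 trailer, both fetched from the same HTTPS URL.
func packageWithCRC(exe []byte) []byte {
	trailer := make([]byte, 4)
	binary.LittleEndian.PutUint32(trailer, crc32.ChecksumIEEE(exe))
	return append(append([]byte{}, exe...), trailer...)
}

// crcCheckPasses is the weak scheme the thread criticises: the checksum being
// trusted travelled with the file, so whoever alters one can alter the other.
func crcCheckPasses(pkg []byte) bool {
	if len(pkg) < 4 {
		return false
	}
	exe, trailer := pkg[:len(pkg)-4], pkg[len(pkg)-4:]
	return crc32.ChecksumIEEE(exe) == binary.LittleEndian.Uint32(trailer)
}

// signatureCheckPasses is the sound scheme: the vendor's public key is baked
// into the updater at build time, so only the holder of the private key can
// produce a signature that verifies, regardless of how the file was fetched.
func signatureCheckPasses(pub ed25519.PublicKey, pkg, sig []byte) bool {
	if len(pkg) < 4 {
		return false
	}
	return ed25519.Verify(pub, pkg[:len(pkg)-4], sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	genuine := packageWithCRC([]byte("GENUINE DRIVER INSTALLER v1"))
	sig := ed25519.Sign(priv, genuine[:len(genuine)-4])
	// A modified download whose CRC-32 was recomputed is internally consistent.
	altered := packageWithCRC([]byte("ALTERED DRIVER INSTALLER v1"))
	fmt.Println("genuine: crc", crcCheckPasses(genuine), "sig", signatureCheckPasses(pub, genuine, sig))
	fmt.Println("altered: crc", crcCheckPasses(altered), "sig", signatureCheckPasses(pub, altered, sig))
}
```

The second line printed shows the CRC check passing while the signature check fails, which is exactly the gap the HTTPS transport cannot close.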

[–] fubarx@lemmy.world 193 points 17 hours ago (2 children)

Excellent way to encourage responsible disclosure.

/s

[–] MoffKalast@lemmy.world 11 points 11 hours ago

Either you pay bug bounties, or crypto locker ransoms.

[–] einlander@lemmy.world 97 points 17 hours ago

They should ask Microsoft about those current troubles.

[–] Nurse_Robot@lemmy.world 101 points 16 hours ago (4 children)

Every major company is fucking evil

[–] crispbacon99@lemmy.zip 3 points 6 hours ago

There's always Costco

[–] Smoogs@lemmy.world -4 points 4 hours ago (1 children)
[–] Nurse_Robot@lemmy.world 1 points 2 hours ago

Are you saying that to yourself? Yes, you should read the article.

[–] Malyca@lemmy.zip 27 points 14 hours ago (1 children)

We let the psychopaths get their way

[–] A_Random_Idiot@lemmy.world 8 points 6 hours ago

Psychopaths naturally rise to the top in environments like large corporations, because of their ability to manipulate people and not give a fuck about hurting others.

[–] luthis@lemmy.nz 52 points 16 hours ago
[–] iturnedintoanewt@lemmy.world 48 points 16 hours ago* (last edited 16 hours ago) (4 children)

Holy crap. I'd say not to buy AMD if you value your security (I have an AMD CPU and the Deck too). You already know the next vulnerability they're going to be the last ones to find out. In the news, probably.

[–] Cocodapuf@lemmy.world 3 points 4 hours ago* (last edited 4 hours ago)

Ok, so the alternative is buying Intel/Nvidia. Surely they've never done anything problematic, so this is a good plan.

[–] Peter1986C@nord.pub 1 points 5 hours ago

The Steam Deck does run Linux, right? Generally that means the used drivers are not written by AMD and also do not have an auto-updater from AMD. The Deck is supposed to update through its OS's package manager and supposedly has the Mesa and Linux Foundation drivers in use.

[–] BlackLaZoR@lemmy.world 14 points 11 hours ago* (last edited 11 hours ago) (1 children)

Under Linux, AMD GPU is the only sane solution tho, due to open source drivers. And Intel CPUs have history of cookin hard.

[–] ModernRisk@lemmy.dbzer0.com 23 points 15 hours ago (1 children)

AMD now with their security stuff and Intel with the crashing and quick degradation stuff a while ago. Sigh.

[–] ferrule@sh.itjust.works 2 points 3 hours ago

It was physics and battery sizes to blame for why we have drifted from the 5 GHz x86 CPU to the 32 core x86 CPU. I never thought the rush to ARM/RISC-V would be because Intel and AMD are run by morons.

[–] Brkdncr@lemmy.world 19 points 16 hours ago

Researchers should publish after 90 days. That would solve the problem.

[–] arsCynic@piefed.social 4 points 13 hours ago (1 children)

If anyone could provide an AMD email to ask for a statement concerning this issue, that would be nice.

[–] kuhli@lemmy.dbzer0.com 7 points 11 hours ago (1 children)

I don't think a statement is really needed here, this wasn't a vulnerability, the code was never called. Even if the code were called, the $10,000 bounty is for a different type of bug entirely too

[–] baines@lemmy.cafe 1 points 3 hours ago* (last edited 3 hours ago)

so stacking vulnerabilities is a thing

if the code exists it can be called

this is a valid bug and it’s silly to rule lawyer something like this

so good job amd, you are ‘actually’ right,

this totally won’t cost you in the long run at all

god damn do lawyers and business majors need to stop making tech decisions