A security flaw in AMD’s auto-updater software has been patched, but the circumstances surrounding its discovery and remediation are drawing significant scrutiny. Researcher MrBruh identified a vulnerability that could allow for remote code execution via a man-in-the-middle attack, only to have his report initially dismissed by AMD and ultimately denied a $10,000 bounty.
The Vulnerability: An HTTP Update Risk
Security researcher MrBruh uncovered the vulnerability while configuring a new gaming PC. The flaw stemmed from AMD’s auto-updater software which, despite utilizing HTTPS for retrieving its update list, downloaded executable files via plain HTTP. Critically, this process lacked certificate validation or signature checks, creating an opportunity for attackers on the same network to substitute legitimate updates with malicious executables. Given that the updater runs with elevated privileges, such a substitution could lead to remote code execution.
A Delayed Response and Changing Rules
MrBruh reported the issue to AMD’s bug bounty program on February 6th, detailing how an AMD updater console window appeared unexpectedly. Initially, AMD dismissed it as “out of scope,” effectively denying a potential reward. The situation escalated when MrBruh publicly disclosed his findings. AMD’s PSIRT team then requested he retract the post while they worked on a fix. Further fueling criticism, AMD subsequently amended its bug bounty rules to mandate written consent before public disclosure—even for reports deemed ineligible for a reward—effectively penalizing MrBruh retroactively.
Patch and Lingering Concerns
AMD has since released an official bulletin acknowledging the vulnerability and crediting MrBruh’s discovery, assigning CVE-2026-40677 to it. The patch now mandates HTTPS for all update communications and incorporates signature verification. However, MrBruh’s independent verification revealed that only a CRC32 check is currently implemented – a measure considered less robust than a full cryptographic signature. A separate redirection bug also persists, potentially preventing the updater from completing self-updates correctly.
Why It Matters
This incident underscores the vital importance of transparent and consistent vulnerability disclosure programs within tech companies. AMD’s initial dismissal, followed by a rule change seemingly designed to silence MrBruh, has damaged trust and risks discouraging future security contributions from researchers. The extended remediation timeline also highlights the critical need for secure practices when distributing software updates with elevated privileges – a reminder that robust security extends beyond merely patching vulnerabilities; it requires fostering positive relationships with those who identify them.
Key Takeaways
- AMD patched a remote code execution vulnerability in its auto-updater software after a delay of 124 days.
- The company initially denied a $10,000 bounty to the researcher who discovered it.
- AMD subsequently altered its bug bounty rules retroactively to penalize disclosure of vulnerabilities deemed ineligible.
- Current protections include HTTPS for updates and signature verification, though limited to a CRC32 check.
- Users are advised to manually download AMD software from the company’s website instead of relying on automatic updates.
FAQ
What was the severity of the vulnerability?
The vulnerability received a CVSS 4.0 score of 7.7, classifying it as high-severity due to its potential for remote code execution.
Why did AMD change its bug bounty rules?
AMD changed its rules after MrBruh publicly disclosed his findings, seemingly to prevent similar disclosures in the future, even when reports are deemed ineligible for a reward.
The incident serves as a cautionary tale about responsible vulnerability handling and highlights the need for consistent policies within software companies.
Source: TechSpot
