Comment by pixl97

5 hours ago

> is a separate issue.

No, just no. This is not a separate issue. It is 100% the issue.

Lets say I'm a nation state attacker with resources. I write up my exploit and then do a BGP hijack of whatever IPs the driver host resolves to.

There you go, I compromised possibly millions of hosts all at once. You think anyone cares that this wasn't AMDs issue at this point?

3 comments

pixl97

Reply
b1temy  5 hours ago

You misunderstand.

I already said I do not like that it is just using HTTP, and yes, it is problematic.

What I am saying is that the issue the author reported and the issue that AMD considers man-in-the-middle attacks as out-of-scope, are two separate issues.

If someone reports that a homeowner has the keys visibly on top of their mat in front of their front-door, and the homeowner replies that they do not consider intruders entering their home as a problem, these are two separate issues, with the latter having wider ramifications (since it would determine whether other methods and vectors of mitm attacks, besides the one the author of the post reported, are declared out-of-scope as well). But that doesn't mean the former issue is unimportant, it just means that it was already acknowledged, and the latter issue is what should be focused on (At least on AMD's side. It still presents a problem for users who disagree with AMD of it being out-of-scope).

  • Dylan16807  5 hours ago

    The phrasing of your first two sentences in your first post makes it sound like you're dismissing the security issue. For saying that it's a real security issue and then another issue on top you should word it very differently.

    • b1temy  4 hours ago

      > The phrasing of your first two sentences in your first post makes it sound like you're dismissing the security issue.

      Genuine question, How does it sound like I'm dismissing it? My first sentence begins with the the phrase

      > I don't like that the executable's update URL is using just plain HTTP

      And my second sentence

      > Whether you agree with whether this rule should be out-of-scope or not is a separate issue.

      which, with context that AMD reported MITM as out-of-scope, clearly indicates that I think of it as an issue, albeit, a separate one from the one the author already reported.