January 27, 2020 | 13:00
Behind on updating your AMD Radeon drivers? 4 major security vulnerabilities mean you should really get it done.
Talos Intelligence recently reported the 4 vulnerabilities, and AMD fixed them in its Adrenalin 20.1.1 driver release without mentioning the fixes in the changelog. It was only thanks to TechPowerUp noticing the issue that the connection was made.
A vulnerability in the AMD Radeon driver file, ATIDXX64.dll, could lead to a denial of service or remote code execution. Such an attack has been demonstrated to work via a virtual machine, and the vulnerability could potentially even be used via a web page, thanks to WebGL, which allows 3D applications to be run on a website.
Talos Intelligence tested the concept on a Radeon RX 550/550 series card, using VMware Workstation 15 with Windows 10 x64 as the guest VM, but it seems likely it would affect far more than just this series of cards.
The firm referred to the vulnerabilities as CVE-2019-5124, CVE-2019-5146, CVE-2019-5147 and CVE-2019-5183. Catchy, perhaps not, but worth taking note of. The first 3 are similar to each other, allowing malformed shader code to crash the graphics driver. In the case of a VM, it would take the software and any other virtual machines with it.
It's CVE-2019-5183 that's the dangerous one. Described as 'AMD ATI Radeon ATIDXX64.DLL shader functionality VTABLE remote code execution vulnerability', it doesn't take a genius to realise why this is more problematic. It potentially allows for remote code execution. Instead of crashing, it could execute vTable methods, which gives the offender control over code flow rather than merely collapsing in a virtual heap like the other issues.
Security vulnerabilities within graphics cards are far from exclusively an issue for AMD, but it's not great news that AMD has kept quiet about this. Transparency and honesty are key when it comes to tackling security issues and really, we all deserve to know that an update fixes more than just frame rates.
Such a security exploit might not affect many users but it's not a risk worth taking given all you need to do is keep up to date with your graphics drivers.
The Adrenalin 20.1.1 update is available now. Besides those secret security vulnerability fixes, it also provides support for Monster Hunter World: Iceborne, and fixes various stability issues elsewhere.
February 17 2020 | 09:00