Announcement

Collapse
No announcement yet.

"Critical flaw found in game software"

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    "Critical flaw found in game software"

    I do not know if this has been posted yet:

    http://news.com.com/Critical+flaw+fo...j=news.1043.20

    A security researcher warned Tuesday of a "critical" flaw in a widely used piece of game software that could let attackers take over vulnerable PCs.

    Security company Secunia issued a bulletin warning of the flaw in some versions of the "Unreal" game engine, used by numerous PC games. Most game publishers using the engine have already issued patches, however, to plug the hole.

    According to the bulletin, malicious hackers could send a string of junk data to the security tool the Unreal engine uses to verify online game servers. Once the security tool was comprised by such a "buffer overrun," the attacker would be able to execute code at will on the machine.

    Games affected by the flaw include five versions of "Unreal," all of which are secured by patches released last week, plus shooting games "Postal 2" and "Deus Ex," also fixed by recent patches.

    The flaw was discovered by independent security researcher Luigi Auriemma, whose work has played a major role in publicizing online gaming as a possible vector for security threats. Auriemma discovered several flaws in software used by GameSpy, a popular online game-hosting service, and fought with the company to publicize the holes.

    As they develop more online capabilities, games have become an increasingly popular avenue for online miscreants. A recently patched flaw in the shooting game "Half-Life" and its popular online offshoots opened a door for denial-of-service attacks, while the GameSpy service and software have been the subject of several security alerts.
    Is this something that has already been addressed? And if not is this planned for the next patch?

    #2
    I think this problem was addressed some time ago, during the 2k3 era.

    Comment


      #3
      Ah, the joys of buffer overrun.

      Comment


        #4
        It was posted, but the article that was posted also mentioned that this most recent patch already addressed the issue for 2k4.

        Comment


          #5
          Heh... what exactly does "last modified" mean? Is that the original date of the story, or isn't it?

          Either way though, the article says this:

          Games affected by the flaw include five versions of "Unreal," all of which are secured by patches released last week
          Emphasis there is mine.

          Anyway, regardless of when it was posted it states that the problem has been fixed.

          *edit* So does that mean they released a patch for UT last week? WTF?!

          Comment


            #6
            I don't recall patches for unreal 1 or XMP released recently or UT2003.

            Comment


              #7
              it is needed, a unifying patch for unreal that fixes all issues
              between all versions.

              Comment


                #8
                I remember this bug. It was a LONG time ago. Like ut2k3/ut1 even.

                Comment


                  #9
                  Well - it's made headline news at: http://www.incidents.org/


                  Unreal Engine Heap Overflow, RBOT.CC, ISCAlert
                  Unreal Engine Heap Overflow:

                  A heap overflow has been found in the Unreal Engine that is exploitable against machines running many Unreal based games in server mode. Although we have no reports of exploits being used in the wild, it is believed that exploiting this vulnerability to remotely execute code is possible. We recommend that anyone serving one of the vulnerable games based on the Unreal Engine install patches as soon as they become available. Until patches are available, the only secure recourse is to block all UDP traffic to ports 7777 and 7787 (which will, effectively, keep you from acting as a game server). Limiting access to ports 7777 and 7787 to known IPs is not an effective defense because this is a UDP based attack and packets can be spoofed.

                  Perhaps Epic can clarify this?

                  Comment


                    #10
                    Maybe these are part of the MS updates that have been going on recently...? That would explain the 'patches last week' comment.

                    Comment


                      #11
                      Concerning UT2004 this AFAIK affects versions prior patch 3236.

                      Comment


                        #12
                        A little bit clearer article:

                        http://secunia.com/advisories/11900/

                        Now that this has been made public, I'd say you've definitely got a reason to patch your server.

                        Comment


                          #13
                          * Postal 2 (build 1337 and prior)

                          heh. I like noticing these things.

                          Comment


                            #14
                            Eeep, theres a lot of vulnerable servers out there, and the master server is providing a nice list of where to find them. Maybe the MS should stop showing unpatched servers.

                            Also Epic have known about this since 24 May and only managed to patch 1 out of the 15 affected games in that time? Luckily I only run a ut2004 server otherwise I might be a little miffed.

                            Comment


                              #15
                              lol, yes I'm not suprised they haven't fixed all 15 games...Unreal1 is still vulnerable to ALL past reported DoS attacks I wish they would get things done properly.

                              Comment

                              Working...
                              X