Posted on 02/11/2003 9:58:58 PM PST by Michael Barnes
Popular gaming engine could expose you to attack.
| By Becky Worley |
Entertaining computer games may no longer be so harmless -- especially for your computer.
PivX Solutions, a computer security firm in Newport Beach, Calif., recently disclosed that it has found a slew of vulnerabilities in the core software code or "engine" that is used in the Unreal video game. PivX says the holes could let an attacker launch a denial-of-service attack, crash a gaming server, or even run code on a player's machine.
Luigi Auriemma, a security researcher for PivX Solutions, discovered the holes.
"These bugs have been around for five years," he says. "They could be used by malicious attackers in worms or large-scale attacks that rival those of Nimda and Sapphire/Slammer... Really frightful."
In January, PivX released news of a vulnerability in networking protocols that affected many online multiplayer games. That flaw affected the connectivity functions of Unreal and Unreal Tournament computer games.
But this latest set of vulnerabilities actually stem from the Unreal Engine, the core software code that is licensed out to other developers to power the action and graphics of their own games.
Danger on your disk
Some of the more popular computer games that PivX claims are affected by the Unreal Engine flaw include:
Four of the games -- Hired Guns, Navy Seals, Werewolf, and X-Com: Alliance haven't made it onto store shelves, but PivX says the code they are built on could be affected by the vulnerabilities if the games are ever released.
According to its security release, PivX says that playing any of these games on a Windows, Linux, or Mac OS platform makes a user vulnerable.
Possible exploits include the following:
PivX CEO Geoff Shively called this reporter in November to talk about the Unreal holes. He asked us not to disclose them until PivX had a response from Epic Games, which makes the Unreal engine. But PivX now says Epic won't give it an answer about fixing the holes.
"Epic and its employees are playing 'cat and mouse' with us," Shively says. "Software vendors have a tacit obligation to protect their customers' security. Unfortunately, many of them don't take this responsibility seriously."
Fixes on the way
Tim Sweeney, president and chief programmer at Epic Games, says his company is working on a patch for the server holes.
"Last Wednesday, we produced an Unreal Tournament 2003 patch we've had in testing that solves all of the reported client-side 'malicious code' exploits and server exploits," says Sweeney. "We also immediately made this available to all of the Unreal Engine licensees for incorporation into their future patches and full game releases."
Sweeney adds that the fixes for the Unreal engine itself is currently being tested and its release to consumers is "imminent."
Sweeney added that the company isn't used to dealing with such security issues.
"This incident is the first time Epic Games has been confronted head-on with a network exploit of this nature. We didn't respond quickly enough to PivX's initial reports and it's clear that this event has been a wakeup call," he says. "We're now reviewing our code for undiscovered exploits, and if we or the community find others, we'll be jumping on them too."
|
TIA...
Klingon Honor Guard was one of the worst pieces of garbage I've ever played.
Deus Ex is probably the best PC FPS of all time. It's certainly the most immersive and expansive.
Wanna be Penguified? Just holla!
Got root?
T-minus 31 days until the birth of Tha SYNDICATE, the philosophical heir to William Lloyd Garrison.
101 things that the Mozilla browser can do that Internet Explorer cannot.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
