http://www.techtv.com/news/security/story/0,24195,3417248,00.html By Becky Worley February 10, 2003 Entertaining computer games may no longer be so harmless -- especially for your computer. PivX Solutions, a computer security firm in Newport Beach, Calif., recently disclosed that it has found a slew of vulnerabilities in the core software code or "engine" that is used in the Unreal video game. PivX says the holes could let an attacker launch a denial-of-service attack, crash a gaming server, or even run code on a player's machine. Luigi Auriemma, a security researcher for PivX Solutions, discovered the holes. "These bugs have been around for five years," he says. "They could be used by malicious attackers in worms or large-scale attacks that rival those of Nimda and Sapphire/Slammer... Really frightful." In January, PivX released news of a vulnerability in networking protocols that affected many online multiplayer games. That flaw affected the connectivity functions of Unreal and Unreal Tournament computer games. But this latest set of vulnerabilities actually stem from the Unreal Engine, the core software code that is licensed out to other developers to power the action and graphics of their own games. Danger on your disk Some of the more popular computer games that PivX claims are affected by the Unreal Engine flaw include: * "Star Trek: The Next Generation: Klingon Honor Guard" * "Unreal" * "The Wheel of Time" * "Deus Ex" * "Mobile Forces" * "Rune" * "Unreal Tournament" * "Hired Guns" * "Navy Seals" * "TNN Outdoor Pro Hunter" * "Werewolf" * "X-Com: Alliance" * "Adventure Pinball" * "America's Army" * "Unreal Tournament 2003" Four of the games -- Hired Guns, Navy Seals, Werewolf, and X-Com: Alliance haven't made it onto store shelves, but PivX says the code they are built on could be affected by the vulnerabilities if the games are ever released. According to its security release, PivX says that playing any of these games on a Windows, Linux, or Mac OS platform makes a user vulnerable. Possible exploits include the following: * Local and remote denial of service. * Distributed denial of service (flooding remote computers with data packets to freeze it). * Bounce attacks with spoofed UDP packets. (This is how attackers can flood a server without using all of their bandwidth. It creates a data transfer loop within the targeted computer.) * Fake players can exclude others on a game server. * Most importantly, PivX says, the holes could allow the execution of malicious code on a targeted computer. PivX CEO Geoff Shively called this reporter in November to talk about the Unreal holes. He asked us not to disclose them until PivX had a response from Epic Games, which makes the Unreal engine. But PivX now says Epic won't give it an answer about fixing the holes. "Epic and its employees are playing 'cat and mouse' with us," Shively says. "Software vendors have a tacit obligation to protect their customers' security. Unfortunately, many of them don't take this responsibility seriously." Fixes on the way Tim Sweeney, president and chief programmer at Epic Games, says his company is working on a patch for the server holes. "Last Wednesday, we produced an Unreal Tournament 2003 patch we've had in testing that solves all of the reported client-side 'malicious code' exploits and server exploits," says Sweeney. "We also immediately made this available to all of the Unreal Engine licensees for incorporation into their future patches and full game releases." Sweeney adds that the fixes for the Unreal engine itself is currently being tested and its release to consumers is "imminent." Sweeney added that the company isn't used to dealing with such security issues. "This incident is the first time Epic Games has been confronted head-on with a network exploit of this nature. We didn't respond quickly enough to PivX's initial reports and it's clear that this event has been a wakeup call," he says. "We're now reviewing our code for undiscovered exploits, and if we or the community find others, we'll be jumping on them too." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 00:30:50 PST