Exploits in game servers? Unreal!

Earlier today I stumbled across this interesting piece at News.com regarding a vulnerability in the Unreal engine. It's an unusual place to find a vulnerability, to say the least, which is just as well, considering the way Epic handled it.

Apparently PivX, the company that discovered the bug, contacted Epic in November, at which point Epic did... absolutely nothing. Growing tired of this, PivX finally released a statement about the problem last week. Considering that the informal rule is to give a company a month to fix the bug, you can hardly blame them.

But wait, it gets better! Epic's vice-president Mark Rein was quoted as saying that PivX's statements were "slanderous" and that Epic was going to talk to its attorneys. Niiiiice. Epic's president Tim Sweeney apparently then stepped in, accepted full responsibility for the delay on behalf of Epic, and contradicted the earlier talk of lawsuits.

Of course, while concentrating on the whole soap-opera, who-said-what aspect, News.com apparently didn't feel the need to mention niggling little details like when we might expect a patch, what games were affected, or what effect the exploit would have on a machine running one of those games. Fortunately, they at least linked to the PivX advisory on the subject, which indicates a fairly serious problem.

It looks like pretty much every Unreal-engine game from Unreal forward is affected, be it running on Win32, Linux or Mac. The exploit allows the bad guy to launch DDoS attacks against other Internet addresses, as well as execute arbitrary code on the compromised machine. I poked around but couldn't find any information on forthcoming patches; if you know anything more, feel free to comment.

