Slashdot Mirror
Unreal Security Hole
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of Pivx,
says that Marc Rein of Epic threatened PivX with "getting
our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no
mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
Lots of software has security holes. Games are no different... the difference with games is that they are not targets. It's interesting that this one was spotted, but it's no real surprise.
The poster mentions Slammer. The difference between Slammer and this is that Slammer affected "mission critical" systems, and there are pretty easily demonstratable monetary losses attributed to that worm.
In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software. Hypothetically, someone who hosts games for a fee would get some complaints from customers. But really, a lot of the people affected would be "home users". And, let's face it, home users (including those running Linux) are really vulnerable to all kinds of attacks. This is just a drop in the bucket...
Of course, it'd still suck to get fucked over by this security flaw (just like all the others).
Down with Saudi Arabia!!!
"Games are no safer than any other piece of Internet connected piece of software."
I'd go one step further and suggest games are *less* secure than regular software since the dev team has many more issues to deal with other than regular software, with less time and less operating money, especially for PC games. Console game seem to have a lot more operations cash lying around, but I can't understand why. Likely it's because PC games attract more resourceful people who sell themselves short? Hard to say.
The half-life (pardon the pun) of games is also much less than regular software. The rush to buy a game might last a few months, while in contrast software like Photoshop has a continual demand that is unbending. And Microsoft could release a program with a little flashing textbox and sell a billion copies at $400 a pop. It's sick.
Games are also flukes at times, too. Who would have ever thunk CS would be so damn popular? I remember being on the first servers and we all thought it was cool but we never had a notion it would blow everything else away.
The problem with security for games like CS is that it was passed off by two other companies (id to valve and then to the CS team), so you've got a pretty confusing situation to take grasp of with all that passing of the security buck. I don't think the makers of CS are at all in the same league as John Carmack, but it doesn't seem to matter in the wake of HL/CS sales, does it?
You, clearly, do not run a dedicated Unreal Tournament server. Or maybe you thought the occasional "runaway-process" that eats all your memory and disk-space before crashing was just a random benign bug?
I had to run ucc-bin in an unprivledged environment and put "ulimit" guard rails around it on my linux server to keep it from taking the OS with it when it was attacked. Now it's just the game that crashes.
And then, when I had a cron job to detect and bring the server back up- some very unscrupulous players would use the crash-and-restart "feature" to kick other players off the server and have their friends rejoin.
So- now when some id10t crashes the server, it stays down for up to 4 hours. That way the skr1pt k1dd13s get bored and go f--- up someone elses server.
No, I'd say it's been abused. Any dedicated server operator has known about these holes for years. It's nice to see it get acknowledged. There isn't an original UT patch yet. Now let's just hope there's a patch BEFORE there's a whole new slew of exploits.
- PM