Half-Life Vulnerabilities Exposed, Patched

AEton writes "PivX Solutions revealed in a press release three apparently new vulnerabilities in Half-Life and its related mods (such as Counter-Strike and Day of Defeat). Security researcher Auriemma Luigi discovered the flaws, reported them to Valve, and waited over three months for an official response before releasing an unofficial patch to correct the issues. Details on each of the vulnerabilities and sample code are linked to in the press release. (The third one looks kind of flaky, but the buffer overflows seem real.)" Thanks to an anonymous reader for pointing out Valve have now released a dedicated Windows server patch and dedicated Linux server patch (links via Fileshack) which seem to fix the issues.

3 months

[Taral]

I'm appalled that it apparently took a public release to get them to patch the servers. It would have been trivial for Valve to slide this into a patch and release it to everyone.

What possible rationale do they have for not fixing it in <b>3 months</b>?

Re:3 months

[Telastyn]

money.

It's not as though these patches will help them fix more copies of half life, or even half life 2.

Being a little less cynical, I hope the reason was because they don't really have security people in house, and thus didn't understand the implications from some random guy as they were busy working on HL2....

Unfortunately, I suspect it was money.

Re:3 months

[breon.halling]

What possible rationale do they have for not fixing it in 3 months?

Hmmm. Maybe they were busy working on Half-Life 2? ;)

Seriously, though: considering Half-Life's age, I find it amazing it got patched at all! Half was released at the end of 1998, making it almost 5 years old. I can't think of many other games (or even applications, for that matter) that still get support after such a length of time.

Re:3 months

[kmak]

Anything made by Blizzard is constantly patched.. they still release updates/patches to Starcraft!

Re:3 months

[lightspawn]

I'm appalled that it apparently took a public release to get them to patch the servers. It would have been trivial for Valve to slide this into a patch and release it to everyone.

When a way was found to delete other people's characters in Sega's Phantasy Star Online, the company tried to patch it, while keeping it a secret (and so not explaining how to avoid this abuse). This strategy worked very well with their inability to patch the bug or save the game state on the server side, and their decision to disallow making backups of the data files (the only file manager for the Dreamcast is in ROM, and it respects the do-not-copy bit of course). That's 50-100 hours down the drain for thousands of people.

I'll never pay for an online Sega game, and it will take a long time before I'm even willing to trust another company enough to spend my time on their online game.

I hope it makes sense but there's a fight on the cubicle next to me and I'm a bit distracted.

Re:3 months

[WhilelM]

Subliminal message Buy Id

Not good enough

[sevensharpnine]

They still haven't fixed VAC (valve anti-cheat) so wine users can play Half-Life. This doesn't stop them from assuming Linux fans will host their games via dedicated servers though. I'm still a little pissed off that they think Linux is good enough to host their games but not worthy of a client. This is just more of the same old excellent community support from Valve.

Re:Not good enough

[ceejayoz]

Most Windows-only games have Linux servers - the added stability is beneficial for a server (and most rent-a-server places have Linux, anyways) but not necessary for just the game client.

I imagine it's substantially easier to code a cross-platform server than it is to code a similar client.

Re:Not good enough

[Hard_Code]

"They still haven't fixed VAC (valve anti-cheat) so wine users can play Half-Life."

And why should they burn money supporting a niche customer base which either 1) won't pay for software or 2) already has a copy of the windows version of a game that is OVER FIVE YEARS OLD? There are like, 3 people that play half life through wine.

"This doesn't stop them from assuming Linux fans will host their games via dedicated servers though. I'm still a little pissed off that they think Linux is good enough to host their games but not worthy of a client."

They don't assume shit. Linux is a popular server operating system that is run by MANY hosting services, so naturally they would port the dedicated server to linux. The dedicated server is much easier to port than the full blown client with graphics (duh).

"This is just more of the same old excellent community support from Valve."

Let's see:

* publish half life sdk with tools, source, and documentation
* maintain strong mod community relationships with valve-erc website
* support popular mods: socially, technically, financially, etc.
* listen to the incessent bitching of every kiddie who wants something for nothing

Yeah, I'd say it is excellent support. Quityerbitchin.

Re:Not good enough

[sevensharpnine]

My problem is that Valve thinks it's cool for me to run a server for their game even though I can't play it. That bugs me. I can respect that the financial decision to make a client might not be a great idea today, but there was certainly a time when it would have made sense. I, along with many others, would happily pay for a Linux client. I never once said they should do it for free. I don't expect things like that from game companies. As far as fixing wine, that might take a precious hour or two away from their team. Or they could have told people roughly how VAC would work client-side so the wine team and contributors could work around it.

As far as your other points, I think you need to sit back and take a look at just what you're defending. The SDK was cool, fine, but the financial support was simply good business. I have no doubt that they've made far more money from CS, DOD, etc. than they've given in financial support. The mod community has contributed significantly to the success of Half-Life.

Valve has set up a very complex network of mod developers to make money off of. I don't think you have the tools to realize it at this point, but you're being strung around like some corporate fanboy tool. Valve has very carefully crafted themselves in this we're-just-like-you-gamers image. In turn, they receive untold amount of defense from almost all of their fans. I hate to tell you this, but Valve honestly doesn't care about you or the mod community. As long as it's profitable, they'll continue on as they have been. This isn't necessarily wrong, mind you, but I see no reason for you to champion them as this gracious benefactor to the gaming industry. In reality, they're a business out to make money.

Even though I'm complaining about Valve, this argument could be applied to almost any big game company. I've just been dissapointed in the way things have been turning out lately. Games are watered-down to be "accessible" to as many people as possible. Slick advertisements and clever lures get massive amounts of people to pre-order games they haven't even played. Corporate branding creates legions of blind fanboys running about the 'net exalting their favorite companies. I'm not asking for anything too big here. I'd just like to see a few more companies that genuinely care about their fans and strive for positive long-term relationships and not this short-term profitability. Valve could have been one of them. Unfortunately, success killed them.

Re:Not good enough

[Zathrus]

This doesn't stop them from assuming Linux fans will host their games via dedicated servers though

Uh... yeah... right. I'm sure it has absolutely nothing to do with the minor point that a rather large percentage of co-lo/hosted systems are running Linux, and that having a server available for said systems dramatically increases the number of potential dedicated servers.

Making a dedicated server for another OS is a pretty easy thing. Your networking, physics, and other core code is probably fairly platform independant. There may be tweaks, but they're going to be minor unless you vastly deviated from standards.

Making the UI is another matter. DX9 ports poorly (as in - not at all). There is very little financial incentive for doing so, since the user base is insanely small, and the number of users who would buy for platform X but haven't already bought for Windows is even smaller -- and you'd be burned at the stake if you tried to sell the engine twice, instead of just the content.

Bitching about the community support from Valve shows just how inanely biased and out of touch with reality you are.

Oh... and I returned HL when it first came out. I'm not a Valve fan boy, although I am very impressed with the HL2 demos thus far.

Re:Not good enough

[PainKilleR-CE]

My problem is that Valve thinks it's cool for me to run a server for their game even though I can't play it. That bugs me. I can respect that the financial decision to make a client might not be a great idea today, but there was certainly a time when it would have made sense. I, along with many others, would happily pay for a Linux client.

From a purely financial standpoint:
- Any game that relies on someone other than the developer to setup servers NEEDS linux server software. There's simply no way around that, as a very large percentage of all servers running for any of these games right now is a Linux (or other *nix) box. It has nothing to do with the capabilities of the OS when it comes to whether or not they will do the port, it has everything to do with the fact that the people running the servers are running Linux (and just a note, while the people running the servers may choose Linux for it's capabilities, Valve, id, and others did not choose to make the Linux server because of Linux' capabilities)
- Past performance of boxed Linux client sales have given sufficient reason for them not to make the porting effort. Additionally, they dropped work to port the game to the MacOS (they said it was because the Mac port wouldn't play online with the Win port, but that doesn't make a lot of sense to me). Arguably, MacOS has a larger user base on the client, and a better retail history for game ports, yet most companies can't financially justify the ports.

I never once said they should do it for free. I don't expect things like that from game companies.

But would they be able to recover the cost of porting, especially when they make claims of having a very large percentage of original code, and most of that code was written in C++ using MS VC++ (with probably very little regard to portability)? If their estimates say they won't make the money back, then they're essentially doing it for free. In fact, they'd probably be better off giving away the Linux binaries and telling you to buy Windows copies to get the art and CD Key, then getting an idea of the number of Linux clients through surveys and online stats.

As far as fixing wine, that might take a precious hour or two away from their team.

Except that their teams aren't made up of API hackers, they're people that were generally hired for game programming experience.

Or they could have told people roughly how VAC would work client-side so the wine team and contributors could work around it.

Which makes me wonder, if wine could work around VAC, would that give more people a way to get around VAC (in the malicious sense) when running Windows clients? Perhaps wine doesn't work with VAC simply because it isn't Windows, because the environment is not that in which the game was meant to be run?

Re:Not good enough

[sevensharpnine]

Making the UI is another matter. DX9 ports poorly (as in - not at all).

Half-Life doesn't use DX9; it uses DX6. Furthermore, the game has a very complete OpenGL renderer. Porting it would still take some work, I'm sure, but it's not like they would have to re-write it. And for the record, I'm neither "inanely biased" or "out of touch with reality". I simply have the rare and mystical ability to see through the PR hype and their "community support." But who cares, eh? Pretty movies make all ok.

Re:Not good enough

[Fo0eY]

yeah, i hate selfish companies like valve

i'm still mad at dodge for not making certain that all their truck engines will fit in my pinto

i mean, it can't be THAT hard for them to do

and me and my other 2 buddies with pinto's would certainly be happy to buya new dodge truck if the engine would fit in my pinto
so it's not like they won't make money off of it

Re:Not good enough

[mahdi13]

You still using wine-20020416???
They had this fixed in WineX last year...it took a month, but it's been fine since.

Re:Not good enough

[sevensharpnine]

Valve periodically updates their VAC system to catch new cheats. Sometimes it breaks compatibility. This time it did, and they haven't fixed it or even said anything about it for a couple of weeks. Here's a relevent quote posted a couple of days ago from the transgaming forums from one of the WineX devs:

"Due to a recent Valve-Anti-Cheat (VAC) update WineX users cannot currently play Half-Life online. We are investigating the reasons for this are working on a solution."

This also includes wine. Nobody knows if/when this will get fixed, unfortunately.

Re:Not good enough

[PainKilleR-CE]

Half-Life doesn't use DX9; it uses DX6. Furthermore, the game has a very complete OpenGL renderer. Porting it would still take some work, I'm sure, but it's not like they would have to re-write it.

The OpenGL renderer takes care of graphics (and their OpenGL renderer has always been better than their Direct3D renderer in HL anyway), assuming that the game can be brought up under Linux to the point of using the renderer in the first place, but then you have the i/o and sound systems (the sound definitely uses DX, don't know about the i/o). If Valve is to be believed, the client-side of the network code was giving them (actually the team that was porting it, I forget which company was working on that) problems on Mac OS that would make it incompatible online, which makes me wonder if they're using DX for the netcode as well.

Re:Not good enough

[irc.goatse.cx+troll]

Is it atleast giving the old disconnect and warn, or is it jumping to the automatic ban until 2008 like everyone else is unfairly getting?

Re:Not good enough

[iainl]

"I imagine it's substantially easier to code a cross-platform server than it is to code a similar client"

Almost certainly, I'd say; most game clients are making DirectX calls these days (even when they can use OpenGL rather than Direct3D most games use the DirectX sound and control calls). Servers, by definition, aren't having to render any 3D, and so the main area of Windows dependence is removed.

Hehe..."security researcher"

[0x0d0a]

There's a lot of "security researcher"s out there. :-)

3 months? Who cares?

[entrager]

Despite comments made by others saying that it took too long to patch these holes, I am actually glad they weren't putting resources into this. The entire HL team is probably working really hard on HL2, and I want it to stay that way. If letting HL die is the price we must pay to get HL2 out the door on Sept. 30 (in recent proximity to my birthday), then so be it.

For the record: I still play HL and CounterStrike online. And I use Wine to do it. Do I care that there isn't a Linux client? NOPE! Why? See above.

Want a HL2 Client then sign this

If you want a HL2 Client for Linux then sign this petition, the more signatures the better the odds, there are already 4500 signatures. Add you name to it.

Re:3 months? Who cares?

[PainKilleR-CE]

Last I heard, the HL2 and HL patch teams were made up of different people. They released a boatload of HL patches in the time they've spent making HL2, not to mention the level of work that went into some of those HL patches.

Not that I plan on bashing Valve for releasing a patch for a 4-year-old game with only 3 months, considering the level of testing they normally subject their patches to (though I will gladly bash the number of client bugs they haven't fixed that have been in there the full 4 years and the number of things their testing hasn't caught over the years).

For a game that old...

[JavaLord]

We should be happy that they are at least patching it. On a side note, I wonder if the next aimbot/wallhack will come with a built in "attack server/buffer overflow" feature. YEY!

FYI: Natural Selection 2.0 mod is out today

[Bobtree]

If you don't know what NS is, try googling for reviews (as their website has been temporarily replaced with a download page).

http://natural-selection.org/

Patch Status

[BrookHarty]

When I saw the news on Bugtrack, i posted the information on planethalflife forums and a few other places. Was rather surprised that nobody posted it on the HL forums.

And all those "HL is old" posts, "let it die", are posted by morons. CompuUSA has HL selling for 45 bux for the entire collection. They are selling the collections and still making money! The Mods alone make the HL series worth the money. Day of defeat just came out, and it rocks, the mod even made its own release like CounterStrike.

Gamespy reports that 27,000+ HL servers are running, compare that to Tribes at 700. The game is STILL selling, no reason not to patch an active cash cow. I respect Valve for supporting us, after a bad experience on Tribes2 support, Sierra needs some good karma.

BTW, Natural Selection HL mod rocks. Too bad its not well known. (Think AVP+Tribes+CC+WC3)

Re:Patch Status

[BrookHarty]

Forgot to mention, even on Driver support forums for the ATI and Nvidia gfx boards, people said they should drop support for Halflife because its old and unsupported.

I'm glad they didnt, 1600x1200 CS with 6xAA,8XAF and high poly skins, the game looks perfect. Cant wait to see CS2 or CS ported to the new HL engine. Different engines, so CS ported to HL2 might look better than CS2. (Did you get that?)

Actually Valve's already patched this (yesterday)

[Pvt_Waldo]

Email from Eric Smith @ Valve...

We've already released an update to fix this (yesterday).

-Eric

Re:3 months? Who cares?

[psxndc]

HOLY FUCKING SHIT! What's up PK? [WoB]Abaddon here. What have you been up to?

-psxndc

Another?

[forwhomthebelltrolls]

Half-life hasn't got the best
security track record

This is very simple.

You along with 'many' others would pay for a linux client? How many others? 5? 10? 100? Linux users aren't a valid gaming market place right now. So you can stuff your boohoo's in a bag. Start a petition to Valve if you disagree.

Just stop crying on Slashdot about what a valid market segment you are, because, newsflash, you aren't!

Money talks, Linux walks.

And before you say it, I'm actually a hardcore unix guy.

redundant???

[psxndc]

At least mod it OT. how the fuck is me saying "hi" to a friend "redundant"? dumbass.

psxndc

Re:redundant???

[PainKilleR-CE]

heh, I changed my redundant modifier in my preferences because:
a) one of my posts got modded redundant when it clearly wasn't and
b) a lot of the posts I see in metamoderation that are marked redundant clearly are not

Maybe people just don't know what redundant means (maybe like the word ironic, they think they know what it means...).

Now, if you posted it three times, 2 of those would be redundant. Oh, and this post is probably redundant as well. Everything below my previous post is, obviously, off-topic. Since my karma hasn't moved in almost a year, I can't say I really give a shit if my posts are marked off-topic, either (as long as they actually are off-topic).

Re:redundant???

Just got that moderation in meta-mod and gave it unfair, if that makes you feel slightly better ;)

Re:redundant???

[psxndc]

heh. I don't mind the karma ding because it _is_ Offtopic, but at least call it what it is. :-) Good to see metamod is working. Speaking of which, I'll go do some now. Thanks.

psxndc

Re:3 months? Who cares?

[PainKilleR-CE]

hey Ab, not much, just playing far too many console games these days, and spending a lot of time over here on Slashdot ;)