Slashdot Mirror


Half-Life Vulnerabilities Exposed, Patched

AEton writes "PivX Solutions revealed in a press release three apparently new vulnerabilities in Half-Life and its related mods (such as Counter-Strike and Day of Defeat). Security researcher Auriemma Luigi discovered the flaws, reported them to Valve, and waited over three months for an official response before releasing an unofficial patch to correct the issues. Details on each of the vulnerabilities and sample code are linked to in the press release. (The third one looks kind of flaky, but the buffer overflows seem real.)" Thanks to an anonymous reader for pointing out Valve have now released a dedicated Windows server patch and dedicated Linux server patch (links via Fileshack) which seem to fix the issues.


  1. Not good enough by sevensharpnine · · Score: 3, Insightful

    They still haven't fixed VAC (valve anti-cheat) so wine users can play Half-Life. This doesn't stop them from assuming Linux fans will host their games via dedicated servers though. I'm still a little pissed off that they think Linux is good enough to host their games but not worthy of a client. This is just more of the same old excellent community support from Valve.

    --
    "God is a comedian playing to an audience too afraid to laugh." -Voltaire
    1. Re:Not good enough by ceejayoz · · Score: 3, Insightful

      Most Windows-only games have Linux servers - the added stability is beneficial for a server (and most rent-a-server places have Linux, anyways) but not necessary for just the game client.

      I imagine it's substantially easier to code a cross-platform server than it is to code a similar client.

    2. Re:Not good enough by sevensharpnine · · Score: 3, Insightful

      My problem is that Valve thinks it's cool for me to run a server for their game even though I can't play it. That bugs me. I can respect that the financial decision to make a client might not be a great idea today, but there was certainly a time when it would have made sense. I, along with many others, would happily pay for a Linux client. I never once said they should do it for free. I don't expect things like that from game companies. As far as fixing wine, that might take a precious hour or two away from their team. Or they could have told people roughly how VAC would work client-side so the wine team and contributors could work around it.

      As far as your other points, I think you need to sit back and take a look at just what you're defending. The SDK was cool, fine, but the financial support was simply good business. I have no doubt that they've made far more money from CS, DOD, etc. than they've given in financial support. The mod community has contributed significantly to the success of Half-Life.

      Valve has set up a very complex network of mod developers to make money off of. I don't think you have the tools to realize it at this point, but you're being strung around like some corporate fanboy tool. Valve has very carefully crafted themselves in this we're-just-like-you-gamers image. In turn, they receive untold amount of defense from almost all of their fans. I hate to tell you this, but Valve honestly doesn't care about you or the mod community. As long as it's profitable, they'll continue on as they have been. This isn't necessarily wrong, mind you, but I see no reason for you to champion them as this gracious benefactor to the gaming industry. In reality, they're a business out to make money.

      Even though I'm complaining about Valve, this argument could be applied to almost any big game company. I've just been disappointed in the way things have been turning out lately. Games are watered-down to be "accessible" to as many people as possible. Slick advertisements and clever lures get massive amounts of people to pre-order games they haven't even played. Corporate branding creates legions of blind fanboys running about the 'net exalting their favorite companies. I'm not asking for anything too big here. I'd just like to see a few more companies that genuinely care about their fans and strive for positive long-term relationships and not this short-term profitability. Valve could have been one of them. Unfortunately, success killed them.

      --
      "God is a comedian playing to an audience too afraid to laugh." -Voltaire
  2. Re:3 months by Telastyn · · Score: 2, Insightful

    money.

    It's not as though these patches will help them fix more copies of half life, or even half life 2.

    Being a little less cynical, I hope the reason was because they don't really have security people in house, and thus didn't understand the implications from some random guy as they were busy working on HL2....

    Unfortunately, I suspect it was money.

  3. Re:3 months by breon.halling · · Score: 4, Insightful

    What possible rationale do they have for not fixing it in 3 months?

    Hmmm. Maybe they were busy working on Half-Life 2? ;)

    Seriously, though: considering Half-Life's age, I find it amazing it got patched at all! Half-Life was released at the end of 1998, making it almost 5 years old. I can't think of many other games (or even applications, for that matter) that still get support after such a length of time.

    --
    "Yeah, well, Dracula called and he's coming over tonight for you and I said okay."
  4. Patch Status by BrookHarty · · Score: 4, Insightful

    When I saw the news on Bugtraq, I posted the information on planethalflife forums and a few other places. Was rather surprised that nobody posted it on the HL forums.

    And all those "HL is old" posts, "let it die", are posted by morons. CompUSA has HL selling for 45 bux for the entire collection. They are selling the collections and still making money! The Mods alone make the HL series worth the money. Day of Defeat just came out, and it rocks, the mod even made its own release like CounterStrike.

    Gamespy reports that 27,000+ HL servers are running, compare that to Tribes at 700. The game is STILL selling, no reason not to patch an active cash cow. I respect Valve for supporting us, after a bad experience on Tribes2 support, Sierra needs some good karma.

    BTW, Natural Selection HL mod rocks. Too bad it's not well known. (Think AVP+Tribes+CC+WC3)