Slashdot Mirror


Anarchy Online and Age of Conan Vulnerabilities Fixed

dachshund writes "The Baltimore Sun reports that security firm Independent Security Evaluators has disclosed vulnerabilities in the popular MMORPGs Age of Conan and Anarchy Online. The flaws (which have since been patched) allowed a malicious user to read files from and take control of another player's computer. The full details of the attack are available, including a video (hi-res MOV) showing how the targeted player's client can be crashed, and how an attacker can save and run scripts on the victim's computer."

24 comments

  1. For AoC's sake by Gewalt · · Score: 1, Troll

    For AoC's sake, they shouldn't have patched the vulnerability. It would have made the game better. Can't speak for Anarchy, never played.

    --
    Modding Trolls +1 inciteful since 1999
    1. Re:For AoC's sake by Anonymous Coward · · Score: 0

      The game has been fixed for over a month now. No players = nothing to exploit. My server was like a ghost town, cancelled and I must say it is one of the few MMOs I know that I will NEVER return to.

  2. I can't believe that AoC vuln by Anonymous Coward · · Score: 0

    "A sword to the head may result in death. Fixed."

  3. I Wonder if this happened... by bemo56 · · Score: 1

    I can see this complaint popping up on the banned forum - "I didn't use a bot, my client was hacked!"

  4. Anarchy Online? by spiffmastercow · · Score: 1

    That game is still around? I remember the 2002 E3 where they were trying to give away the game with a 30 day pass.. Most people walked right past them like they were canvassers for Greenpeace. I was one of the few who took one, and I was bored with the game before an hour had passed.

    1. Re:Anarchy Online? by ilovegeorgebush · · Score: 2, Informative

      Anarchy Online's been very successful. Before Age of Conan was released, it had a relatively large player-base. That's since dwindled due to AoC, but it's still around.

      There's a graphics update due to be released (if ever), that would revamp the game entirely. Lots of players are waiting on it.

    2. Re:Anarchy Online? by Anonymous Coward · · Score: 0

      It is still around, just not as active as it used to be. Probably lots of new content since you last played. It's very in-depth as far as character building, so many people get bored when they feel it becomes too hard. If you are interested in playing again, get a good organization, and have fun.

    3. Re:Anarchy Online? by Opportunist · · Score: 1

      Erh... no. Just ... no.

      Anarchy was already in decline long, long before AoC came along. Personally, if you ask me, they killed it when they ended the war between Clans and Omni, mashing them together and creating some alien threat.

      Anarchy was a pretty good MMORPG with a cyberpunk-esque atmosphere with a quite unique blend of different character classes (I mean, where else can you play a bureaucrat?), but it was killed entirely when they shifted the focus away from PvP to create yet another "gotta-get-them-all" item collection game.

      And that happened a long, long time before AoC was even designed.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Anarchy Online? by Opportunist · · Score: 1

      That game is still around?

      Yeah, I guess the last dev forgot to turn off the lights when he left.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Anarchy Online? by ilovegeorgebush · · Score: 1

      I was rating its success on age. It's been around for 7 or so years.

  5. why isn't security a priority? by smartaleq · · Score: 2, Interesting

    It doesn't surprise me. With the exception maybe of Blizzard, it seems most MMO games are wholly focused on preventing cheating and entirely disregard client security as a result. I would bet that many chat interfaces have gaping holes since they aren't "core" to the gameplay - plus it gives the attacker simultaneous access to the maximum number of players.

    Imagine if someone nefarious had (or did) find this exploit first. Account stealing of even 10% of an MMO's playerbase would immediately compromise any financial viability of the publisher/developer. With such a high risk, why is so little time/money spent on finding these exploits?

    I don't want to start running my games in a sandbox because I can't trust the industry to take care of itself.

    1. Re:why isn't security a priority? by mlts · · Score: 2, Insightful

      There is also the fact that a lot of MMO companies have to get updates for features or new content out posthaste, and in some cases, regression testing to check if new code broke older code falls by the wayside.

      Even worse is that most MMO clients require administrative rights. I generally don't champion WoW, but this is something Blizzard got right -- the client (and the Warden) always runs in user mode unless it is downloading and updating a new patch (where it requires admin rights to write to the Program Files directory.) Other MMO clients just won't run if you don't give them the keys to the system.

    2. Re:why isn't security a priority? by _Sprocket_ · · Score: 2, Insightful

      People just aren't security oriented. It doesn't matter what environment you're in. Unless it's your main focus, you're not likely to care as much about security as whatever it is that's your focus. That's assuming you're even aware of security implications.

      There's exceptions of course. Some people just are naturally inclined to think about security ("just because I'm paranoid, it doesn't mean they're not out to get me"). But that's a small percentage of the population. And probably a base talent to get in to a line of work that puts it to good use. Game development probably isn't it.

    3. Re:why isn't security a priority? by Anonymous Coward · · Score: 0

      Stop karma whoring.

      Security is important in MMOs, it's just very difficult -- nay, impossible -- to be 100% secure. There are too many variables.

  6. Hush. by Anonymous Coward · · Score: 0

    And no mention to this at official Anarchy Online forums. Why am I not surprised?

  7. Ahem by Moraelin · · Score: 2, Informative

    Ahem. It was IIRC the first major MMO where they just went ad-supported and otherwise let most people play for free. Because the player base which was willing to pay for their game, had started small and was imploding.

    (And if anyone wonders why, read the two reviews on Something Awful. I can personally vouch that every single problem in there was true, and a lot more. And yes, that was after the devs had proclaimed it 110% fixed and working as intended.)

    According to MMO Charts, it peaked at a mere 60,000 subscribers. Then AO subscribers hit an all time low of 20,000 (yes, I'm not missing a zero or anything), and after some major rework, it peaked again at 40,000. And went downhill again. Currently the _paying_ subscribers are around 12,000.

    Not exactly a sign of a great success, if anyone asks me. In fact, that's piss-poor. The pile of turd that is post-NGE SWG still does about 10 times better. _Vanguard_ does 3-4 times better, and God alone knows why would anyone want to play that one. Heck, I haven't even heard of anyone who liked Tabula Rasa, but apparently some 7 times more people are willing to pay for that, than for AO.

    Yes, apparently they have some more free accounts. I wonder how many are (A) actually played, since there is no disincentive to just let your account active for free instead of bothering to deactivate it, and (B) how many of those are there only because it's free. I.e., as a prime illustration that you get what you pay for.

    So basically, heh, let's stop waving around "very successful" and "large player base". It doesn't qualify as that by any sane reckoning. There are probably MUD's out there with a larger population base.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Ahem by Opportunist · · Score: 1

      Well, it's not really entirely free. You can play Anarchy for free without any expansions, i.e. the "original" game. With one expansion it is IIRC 5 bucks a month, and if you want the full game, you pay the usual full price.

      Anarchy isn't the most popular MMORPG, and never was. It has its issues. Let's not even talk about the dated graphics (that was already dated when it went live), it had much bigger issues with balance and exploits, and given that it was originally concepted as a PvP oriented game, that is a pretty big problem.

      I played Vanguard and Tabula Rasa, and they both failed for the same reason: They both were released before they were ready. Vanguard is now, about 1.5 years after it went live, at a point where you could actually release it. It still has its issues (the frequent stuttering does get on your nerves after a few hours), and while crafting is quite entertaining compared to other games it's also utterly pointless, but you could actually consider the state it is in now as a worthy release. Unfortunately we're already 1.5 years into the game, and despite the recent "re-invitation" for people who left, I doubt it will pick up some speed again.

      TR was released WAY before it was ready. We're coming close to the 1 year mark and the game's core idea, PvP, is still not even implemented, let's not talk about balance. I foresee the same fate Vanguard has to face: Release a game too early and the best idea sinks before it has a chance to swim.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Ahem by VGPowerlord · · Score: 1

      I'd be hard pressed to name an MMO that didn't launch before it was ready. That includes the current MMO darling child, World of Warcraft, which not only had horrid server problems for months after launch, but was also missing features printed in the manual (World of Warcraft Game Manual, p. 133, para 2 "Battlegrounds") for a good seven months after launch.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    3. Re:Ahem by Opportunist · · Score: 1

      WoW was surprisingly ready for release for an MMORPG. It was not without its issues and a lot of people had troubles, but generally it did work. The skills were in place, they (mostly) worked, so did the quests, etc.

      This is of course to be seen relative to other MMORPG releases, not on an absolute scale. It was certainly not "finished". But it did not contain a game breaker like so many other MMORPGs at release day, which includes random and frequent crashes, skills that don't work (or get redone entirely after a month or two), quests that routinely require GM interaction to be completable, nonexistent balance that makes one class the only viable one (or makes a few classes completely unplayable and/or useless in groups) and so on.

      It needed balancing, it needed ironing, it sure had its edges and kinks, but it was playable, and most of all, it was playable and entertaining to keep people playing until the missing parts came in.

      When you look at other MMORPGs, you either have crashes and other issues that make the game utterly unplayable (Vanguard) or too many bugs to make it entertaining and development that's too slow to deliver the missing content before people start missing it (Tabula Rasa).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Ahem by VGPowerlord · · Score: 1

      But it did not contain... skills that don't work (or get redone entirely after a month or two)

      ...wait, you're saying that WoW didn't have that? I must have been playing a different WoW than you. Nearly four years in, WoW is routinely redoing skills. This includes fixing skills that don't work (check the patch logs and/or WoW official forums).

      But it did not contain a game breaker like so many other MMORPGs at release day, which includes random and frequent crashes

      It may not have had client crashes, but server crashes, DB server lag (aka loot lag, where the server acts like your character is doing nothing until the DB server updates your inventory after looting, despite what you're doing on the client), disconnects, and rollbacks (sometimes losing everything you did in the past 15+ minutes) were the norm for WoW when it launched.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  8. We'll see more like that soon by Opportunist · · Score: 3, Insightful

    Online games are the new entry point for exploits. With OSs being fixed and locked down, the current angle of attack are web browsers and their plugins (especially the latter gain a lot of attention lately, especially plugins that are most likely present in browsers like flash players and PDF-readers). This won't work forever either.

    The next will be online games. They are fairly widely spread, they usually use standardized ports and they are also usually done with security as a minor concern, if any. I'd be especially wary of games that require a forwarded port to work properly, but any game communicating with a server is a possible attack vector.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. This happens in security-is-a-priority software by patio11 · · Score: 1

    Look at the details of the exploit: exploitation of a web browser and then privilege escalation by clobbering a trusted process's stack because it didn't check input. The list of well used programs which have NOT seen buffer overrun attacks is pretty darn small, and it will continue to be small for as long as programmers insist on managing memory.

    I'm of the opinion that managing memory is like writing a cryptography library: you should leave the task to someone who is actually capable of doing it. If you think you're capable of doing it, you're deluding yourself.

  10. Let's put this in perspective by Moraelin · · Score: 1

    Let's put this in perspective. WoW was missing some features, but the ones in the game worked pretty damned well. AO, by contrast, off the top of my head had:

    - massive graphics glitches. E.g., more often than not doors would turn into a swirly graphical glitch, so you can't see what awaits you on the other side. (And virtually any mission in the game consisted of lots of rooms connected by lots of doors.)

    - collision code problems where you'd suddenly fall through and start swimming in the ground. Or would run on a flat road, and suddenly you're falling from the sky. Or a few other such.

    - NPCs could punch you through walls, from the next room, and you couldn't even see who or in which direction to run to find that NPC and kill it before it kills you. Running _away_ didn't work, btw. Once an NPC started punching you, putting more distance and more walls between you and it, did nothing. See the next point.

    - NPCs could punch you from any distance, negating the usefulness of any kind of ranged combat, including their reason to exist of their ranged combat class. Yes, a fist had the same range as a sniper rifle. Not to mention how badly that tripped suspension of disbelief.

    - massively broken class balance. And I'm not talking the "OMG, rogues are too tough" or "OMG, shamans can't be killed" arguments on WoW. Some classes, say, a healer or buffer couldn't solo at all, while a couple of other classes didn't even need a healer or buffer to do any mission. So if on WoW your only complaint is that your Priest doesn't solo as fast as a Rogue, count your blessings.

    - broken faction balance. And not as in the "horde vs alliance" bickering on WoW, but as a matter of design. One faction got better money and equipment, one faction got shafted, and one faction didn't even have shops past the newbie level. You can recognize an incompetent designer by his rationalizing why an imbalance is ok to exist (e.g., "well, they're corporates, of course they should get better money and equipment",) instead of fixing it.

    - boring, randomly generated missions, with no more story than "go steal the generic round item on the floor."

    - ... and some of them were broken too, or their map was broken. (E.g., it wouldn't be that unusual to fall into some 6 ft deep hole in the ground and have no way to get out of it and continue the mission.)

    - Not much variety there either. E.g., the stupidity that you'd be given a "stealth" or "infiltration" mission, but wouldn't get the mission token unless you killed everyone on the map.

    Etc, etc, etc.

    But, hey, they had painted photo-realistic anatomically-correct mooning, and the best animation of giving or receiving a blow job. And stuff like female "armour" which consisted of only 2 strips of kevlar on the sides of the body. I guess someone had taken the "sex sells" dictum to heart.

    At any rate, yes, WoW may not have been 100% finished, but you can't really put an equals sign between the AO launch and the WoW launch.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Let's put this in perspective by VGPowerlord · · Score: 1

      - boring, randomly generated missions, with no more story than "go steal the generic round item on the floor."

      Just a nitpick: That isn't a bug, but a game design problem.

      WoW had its share of problems, too. Heck, I'm going to copy and paste some of yours, as they were present in WoW at launch.

      - Collision code problems where you'd suddenly fall through landscape to your death, fall endlessly through a featureless area with no floor; walls; or ceiling, or get stuck in the landscape itself. The second latter required you to petition a GM, as you can not use items while falling. The third was sometimes fixable through the unstick command once they made it so players could use it without petitioning a GM.

      - Loot lag. You'd grab items from a dead enemy, only to have the game take forever to pick them up. While the game is waiting for the DB server to add them to your inventory, it lets you move around, but monsters see you at your old location. In addition, you can't attack while this is going on. So, yes, you can be killed by monsters (or on PvP, other players) attacking where you were standing and you can't attack them back. This problem is still present in the game although it is quite rare now.

      - Vanishing items from inventory. This could happen with any item from the most worthless to epic (or better).

      - Enemies can appear stuck in place, but attack you. Attempting to attack them gives you either "Evade" messages or "Out of Range" messages. This problem is still present in the game.

      - The same thing happens with allies. You have to log out and back on to see their real locations and/or to heal them. This problem is still present in the game.

      - Enemies can appear stuck in place and Evade any attacks. For a while, certain named enemies for quests did this; those quests were not completable. This problem is still present in the game.

      - Related to the last item, certain named enemies would not always respawn after they were killed. Usually, this happens after a patch and is not always immediately fixed.

      Etc, etc, etc...

      But hey, rose-colored glasses are neat.

      (The note "This problem is still present in the game" was actually from the last time I played a few months ago.)

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011