Anarchy Online and Age of Conan Vulnerabilities Fixed
dachshund writes "The Baltimore Sun reports that security firm Independent Security Evaluators has disclosed vulnerabilities in the popular MMORPGs Age of Conan and Anarchy Online. The flaws (which have since been patched) allowed a malicious user to read files from and take control of another player's computer. The full details of the attack are available, including a video (hi-res MOV) showing how the targeted player's client can be crashed, and how an attacker can save and run scripts on the victim's computer."
There is also the fact that a lot of MMO companies have to get updates for features or new content out posthaste, and in some cases, regression testing to check if new code broke older code falls by the wayside.
Even worse is that most MMO clients require administrative rights. I generally don't champion WoW, but this is something Blizzard got right -- the client (and the Warden) always runs in user mode unless it is downloading and updating a new patch (where it requires admin rights to write to the Program Files directory). Other MMO clients just won't run if you don't give them the keys to the system.
People just aren't security oriented. It doesn't matter what environment you're in. Unless it's your main focus, you're not likely to care as much about security as whatever it is that's your focus. That's assuming you're even aware of security implications.
There are exceptions, of course. Some people just are naturally inclined to think about security ("just because I'm paranoid, it doesn't mean they're not out to get me"). But that's a small percentage of the population. And probably a base talent to get into a line of work that puts it to good use. Game development probably isn't it.
Online games are the new entry point for exploits. With OSs being fixed and locked down, the current angle of attack is web browsers and their plugins (the latter especially have gained a lot of attention lately, especially plugins that are most likely present in browsers, like Flash players and PDF readers). This won't work forever either.
The next will be online games. They are fairly widely spread, they usually use standardized ports and they are also usually done with security as a minor concern, if any. I'd be especially wary of games that require a forwarded port to work properly, but any game communicating with a server is a possible attack vector.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.