Slashdot Mirror


Anarchy Online and Age of Conan Vulnerabilities Fixed

dachshund writes "The Baltimore Sun reports that security firm Independent Security Evaluators has disclosed vulnerabilities in the popular MMORPGs Age of Conan and Anarchy Online. The flaws (which have since been patched) allowed a malicious user to read files from and take control of another player's computer. The full details of the attack are available, including a video (hi-res MOV) showing how the targeted player's client can be crashed, and how an attacker can save and run scripts on the victim's computer."


  1. why isn't security a priority? by smartaleq · · Score: 2, Interesting

    It doesn't surprise me. With the exception maybe of Blizzard, it seems most MMO games are wholly focused on preventing cheating and entirely disregard client security as a result. I would bet that many chat interfaces have gaping holes since they aren't "core" to the gameplay - plus it gives the attacker simultaneous access to the maximum number of players.

    Imagine if someone nefarious had (or did) find this exploit first. Account stealing of even 10% of an MMO's playerbase would immediately compromise any financial viability of the publisher/developer. With such a high risk, why is so little time/money spent on finding these exploits?

    I don't want to start running my games in a sandbox because I can't trust the industry to take care of itself.

    1. Re:why isn't security a priority? by mlts · · Score: 2, Insightful

      There is also the fact that a lot of MMO companies have to get updates for features or new content out posthaste, and in some cases, regression testing to check if new code broke older code falls by the wayside.

      Even worse is that most MMO clients require administrative rights. I generally don't champion WoW, but this is something Blizzard got right -- the client (and the Warden) always runs in user mode unless it is downloading and updating a new patch (where it requires admin rights to write to the Program Files directory.) Other MMO clients just won't run if you don't give them the keys to the system.

    2. Re:why isn't security a priority? by _Sprocket_ · · Score: 2, Insightful

      People just aren't security oriented. It doesn't matter what environment you're in. Unless it's your main focus, you're not likely to care as much about security as whatever it is that's your focus. That's assuming you're even aware of security implications.

      There are exceptions of course. Some people just are naturally inclined to think about security ("just because I'm paranoid, it doesn't mean they're not out to get me"). But that's a small percentage of the population. And probably a base talent to get into a line of work that puts it to good use. Game development probably isn't it.

  2. Re:Anarchy Online? by ilovegeorgebush · · Score: 2, Informative

    Anarchy Online's been very successful. Before Age of Conan was released, it had a relatively large player-base. That's since dwindled due to AoC, but it's still around.

    There's a graphics update due to be released (if ever), that would revamp the game entirely. Lots of players are waiting on it.

  3. Ahem by Moraelin · · Score: 2, Informative

    Ahem. It was IIRC the first major MMO where they just went ad-supported and otherwise let most people play for free. Because the player base which was willing to pay for their game had started small and was imploding.

    (And if anyone wonders why, read the two reviews on Something Awful. I can personally vouch that every single problem in there was true, and a lot more. And yes, that was after the devs had proclaimed it 110% fixed and working as intended.)

    According to MMO Charts, it peaked at a mere 60,000 subscribers. Then AO subscribers hit an all time low of 20,000 (yes, I'm not missing a zero or anything), and after some major rework, it peaked again at 40,000. And went downhill again. Currently the _paying_ subscribers are around 12,000.

    Not exactly a sign of a great success, if anyone asks me. In fact, that's piss-poor. The pile of turd that is post-NGE SWG still does about 10 times better. _Vanguard_ does 3-4 times better, and God alone knows why would anyone want to play that one. Heck, I haven't even heard of anyone who liked Tabula Rasa, but apparently some 7 times more people are willing to pay for that, than for AO.

    Yes, apparently they have some more free accounts. I wonder how many are (A) actually played, since there is no disincentive to just let your account active for free instead of bothering to deactivate it, and (B) how many of those are there only because it's free. I.e., as a prime illustration that you get what you pay for.

    So basically, heh, let's stop waving around "very successful" and "large player base". It doesn't qualify as that by any sane reckoning. There are probably MUDs out there with a larger population base.

    --
    A polar bear is a cartesian bear after a coordinate transform.

  4. We'll see more like that soon by Opportunist · · Score: 3, Insightful

    Online games are the new entry point for exploits. With OSs being fixed and locked down, the current angles of attack are web browsers and their plugins (especially the latter gain a lot of attention lately, especially plugins that are most likely present in browsers like flash players and PDF-readers). This won't work forever either.

    The next will be online games. They are fairly widely spread, they usually use standardized ports and they are also usually done with security as a minor concern, if any. I'd be especially wary of games that require a forwarded port to work properly, but any game communicating with a server is a possible attack vector.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.