Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exploit For Crashing Minecraft Servers Made Public

Posted by timothy on from the hey-fellas-door's-unlocked dept.

An anonymous reader writes "After nearly two years of waiting for Mojang to fix a security vulnerability that can be used to crash Minecraft servers, programmer Ammar Askar has released a proof of concept exploit for the flaw in the hopes that this will force them to do something about it. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he noted." Here is Askar's own post on the exploit, and his frustration with the response he's gotten to disclosing it to the developers.

118 comments

  1. And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 3, Informative

    ... hours before this hit /.

    1. Re:And it's already fixed in 1.8.4 by tlhIngan · · Score: 4, Insightful

      Yes, but it took two whole years before the fix came out. And the fix was made within a day of the exploit being released.

      Yes, I can understand 90 days being a bit tight if you're talking fundamental software like operating systems (which require a lot of testing, staging, and you lose some to Patch Tuesday), especially since root causing and fixing can require a bit of time. But two years is a bit on the long side.

      More like the guy got ignored and once he released the code, the "OH SH*T" came out.

      This is one of those struggles between what's right and what's reasonable... 90 days is a bit quick for something big like an operating system where a change can break everything, but it's also on the long side for something that only breaks something really minor, like Minecraft.

    2. Re:And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      From what I've read on the minecraft reddit, it seems like there were 2 approaches to exploit this bug.

      They patched one and thought that also covered the other, but it didn't and they weren't aware then fast forward 2 years.

    3. Re:And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      Just because it's fixed in the current version doesn't mean people won't be affected. There are still hundreds, thousands of people on previous versions of minecraft. Modded minecraft is huge, and every major minecraft version involves huge changes to mods to make them work. I gather that 1.8 is a particularly bad jump from 1.7.10 in terms of effort to make the mods simply work again. There's at least one mod that simply isn't going to make the jump to 1.8 because the mod author feels like Mojang is pulling the rug out from under him and other modders. Now that this exploit has made it into the wild, people still playing Buildcraft, Gregtech, Thermal Expansion, and Thaumcraft (those are all hugely popular mods with vast playerbases and they're all still on 1.7.10) on servers are exposed to rampant fuckwittery.

      Mojang is at fault here. But this guy, in releasing the exploit to the public (making a fucking program any script kiddy could run even!) has fucked over a lot of people for very poor reasons.

    4. Re:And it's already fixed in 1.8.4 by cfc-12 · · Score: 5, Funny

      it's also on the long side for something that only breaks something really minor, like Minecraft.

      I invite you to spend 5 minutes alone with my 8 year old son at a time when he can't get Minecraft to work. Then tell me if you still think it's minor.

    5. Re:And it's already fixed in 1.8.4 by sexconker · · Score: 1

      More like the guy got ignored and once he released the code, the "OH SH*T" came out.

      Yup. They never gave a shit until it was public.

    6. Re:And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      I have an 8 year old daughter and 6 year old son. When they can't play it, *they* think it's major.
      For me? It is a minor problem, they can simply do something else.

      However, effecting hundreds of thousands of users is major.

      Perhaps your son needs some perspective or parenting?

    7. Re:And it's already fixed in 1.8.4 by F.Ultra · · Score: 3, Funny

      He is 8, he is definitely a minor :)

    8. Re:And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      I invite you to do a better job at raising your kid.

    9. Re:And it's already fixed in 1.8.4 by Cammi · · Score: 0

      It is minor when an 8 year old act his age.

    10. Re:And it's already fixed in 1.8.4 by 0bject · · Score: 4, Informative

      They can't really say they "weren't aware" when the original bug submitter's proof of concept exploit (that was provided to them) was not fixed by the "patch". That is at best extremely lazy testing.

    11. Re:And it's already fixed in 1.8.4 by darkwing_bmf · · Score: 1

      On the other hand, maybe this can serve as a new baseline for some of the mods to be updated (or redone) for the newer (1.8.4+) Minecraft versions, especially if most of the server owners update their servers to fix this exploit/bug.

    12. Re:And it's already fixed in 1.8.4 by TechyImmigrant · · Score: 0

      From what I've read on the minecraft reddit, it seems like there were 2 approaches to exploit this bug.

      They patched one and thought that also covered the other, but it didn't and they weren't aware then fast forward 2 years.

      It's not a bug. It's a property of Turing complete languages. You cannot show the server will behave for all inputs. Computer science is a bitch sometimes.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    13. Re: And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      Compared to some early net games, it's not the worst. Hoverrace, I'm looking at you!

    14. Re:And it's already fixed in 1.8.4 by Zero__Kelvin · · Score: 2

      "You cannot show the server will behave for all inputs."

      Someone should invent input sanitization !

      "Computer science is a bitch sometimes."

      You are anthropomorphizing CompSci, and then actually blaming it for your inadequacies.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    15. Re: And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      True, but if you have a test case, you can get 100% coverage for that test. And they evidently ran that test case zero times against the release version. So that's pretty much 100% fail.

      While your statement is correct, it is irrelevant.

      Also note that ripe banana skins are yellow.

    16. Re:And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      "but it's also on the long side for something that only breaks something really minor, like Minecraft." says the guy who clearly hasn't spent any time around 8 year old kids lately...

    17. Re: And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 1

      Not quite, since the server wasn't accepting a Turing machine but a recursively defined data structure. It's fairly straightforward to prove the properties of parsers.

    18. Re:And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      Rather than moaning I'd have invited the exploit publisher to author a fix, then send it in instead of making a bunch of demands since it's such a simple matter and his time is so valuable. You get no points for pointing out the problem. Fix it or stfu, is my motto. The fix came out when it was ready.

    19. Re:And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 0

      You must be the Mojang developer who "fixed" it the first time...

    20. Re:And it's already fixed in 1.8.4 by lokedhs · · Score: 1

      Right, but everything is still on 1.7.0 because most mods don't work on 1.8.

  2. I like it... by fuzzyfuzzyfungus · · Score: 1

    It's like the beloved classic '42.zip'; but can be delivered directly over the minecraft server protocol and will be naively parsed by the server, no social engineering required... Never trust the client.

    1. Re:I like it... by Anonymous Coward · · Score: 1

      I've come to realize, much to my dismay, that far too many developers simply aren't' aware of the most basic computer security axiom:

      "Treat all input as hostile"

      Seriously. This should be day 2 of programming 101

      Day 1: Hello world
      Day 2: Your users are evil and they will try to paste the earnings report, which they composed in powerpoint, in to "subject" field of your feedback form. (And subsequently complain that email is down)

    2. Re:I like it... by Rei · · Score: 4, Interesting

      I once coded for a game, Eternal Lands, where I discovered a major security bug. The game had a feature where if a person said a URL, it would turn into a clickable link. This was opened via a popen call. No input sanitization. Aka, vulnerable to injection. A person who simply speaks a malicious URL and makes it look like something interesting to click (hiding the insertion command in the path) could run it on anyone's computer who clicks to open the link.

      Big problem. Simple fix. But try as I might, I couldn't get them to let me fix it. They were fine with me writing a whole new special effects graphics system for them, but one simple input sanitization, noooo, the popen works, let's not mess with it and possibly "introduce a bug"! Eventually it took me writing a sample command on the forum that would make a file in the user's home directory (which anyone who knows anything about unix commands could make far more malicious) by clicking on the URL. Suddenly they let me patch the system immediately (and deleted the forum thread... I don't blame them).

      I didn't want to have to resort to that. But I didn't want a potentially dangerous exploit sitting in the system.

      I never got approval to fix all of the other potential exploits in their system. Their networking protocol was terrible. I only ever saw the client code, but there was literally zero authentication that the server was who they said they were and that packets weren't malformed. Their entire security model was "let's initiate a TCP connection to a hard-coded IP and unconditionally trust everything that we receive". I can't imagine what their server code is like. But they wouldn't even let me add in trivial bounds checking to make sure that the packets weren't oversized - the most minimal of sanity checking.

      The fear of changes breaking stuff often leads developers to neglect security. Changes to improve gameplay or graphics? Of course, our users will love it! Changes to the protocol? Nonono, the protocol is working, why risk breaking it?

      The short of it? Don't have too much faith that that MMORPG you're playing isn't hackable in a way that could be nasty to your system.

      --
      *Kid Rock runs for Senate* Democrats: We must run Kid Scissors.
    3. Re:I like it... by Anonymous Coward · · Score: 0

      Wow, I remember that game and I think I remember that incident. I use to write bots for it (good kind! vendors and such). Thanks for sharing.

  3. Good by bluefoxlucid · · Score: -1, Flamebait

    Maybe people will stop playing this waste of bandwidth.

    --
    Support my political activism on Patreon.
    1. Re:Good by thedonger · · Score: 4, Funny

      Maybe people will stop playing this waste of bandwidth.

      If you can think of a better program with which to spend three hours digging then I'd like to hear it.

      --
      Help fight poverty: Punch a poor person.
    2. Re:Good by Minwee · · Score: 1

      No worries about that. Slashdot will be around for quite a while.

    3. Re:Good by aardvarkjoe · · Score: 3, Insightful

      If you can think of a better program with which to spend three hours digging then I'd like to hear it.

      I'm going with Nethack. Although Dig Dug would be an obvious choice too.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    4. Re:Good by Anonymous Coward · · Score: 1

      Translation:

      "I don't like this game therefore everyone else who plays it is wrong and the game should cease to exist ASAP"

      If you want to comment, please do so more constructively for everyone's sake.

    5. Re:Good by wonkey_monkey · · Score: 1

      Please provide a list of games, the playing of which will please you, oh exalted one.

      --
      systemd is Roko's Basilisk.
    6. Re:Good by MrTester · · Score: 4, Funny

      YOU don't like Minecraft?
      Why didn't anyone tell me!??!?!?!
      Now that I know that YOU don't like it I will stop playing it and make my kids stop playing it!
      I had NO idea it had been judged unworthy by YOU.
      I am so sorry. Obviously NO ONE should play a game YOU don't like.

      Clearly we both need to be back on our meds.

    7. Re:Good by Anonymous Coward · · Score: 0

      Boulderdash?

    8. Re:Good by bluefoxlucid · · Score: 1

      Kobalt Digging Shovel and Kobalt Fiberglass Pick Mattock are my favorites for digging.

      --
      Support my political activism on Patreon.
    9. Re:Good by Anonymous Coward · · Score: 0

      Ooooohhh DigDug... my secret love. Recently an 80's arcade opened in my town and I have since spent 10+ hours playing DigDug, achieving the Local HiScore :D

    10. Re:Good by thedonger · · Score: 1

      Kobalt Digging Shovel and Kobalt Fiberglass Pick Mattock are my favorites for digging.

      Is there an Android port available yet?

      --
      Help fight poverty: Punch a poor person.
    11. Re:Good by thedonger · · Score: 1

      Although Dig Dug would be an obvious choice too.

      And Mr. Do. But the open world of Minecraft offers near unmatched digging-based time wasting without the added stress of increasing level difficulty. And the possibility of finding shiny blue diamonds...Oh my, I do believe I'm a tad flush.

      --
      Help fight poverty: Punch a poor person.
    12. Re:Good by GoodNewsJimDotCom · · Score: 2

      Nethack? Angband is the superior choice for digging. If you think its too easy, don't ever take upstairs again, the game is beatable(and adds a whole new couple levels of fun and strategies).

      Boulderdash wasn't bad either for an early C64 game when I experienced it. There was something about the rising sun coming over the horizon in more complicated games than atari2600 could provide that just opened a young kid's mind.

      --
      God spoke to me
    13. Re:Good by Anonymous Coward · · Score: 0

      Awwww did someone get trolled a bit too hard on their personal server?

      Maybe someone blew up your personal island getaway?

      MC ain't gonna take up enough bandwidth in any developed country to really cause any sort of problem, so shut it and go back to your CoD wall hacks.

    14. Re:Good by bluefoxlucid · · Score: 1

      Duct tape your phone to the shovel.

      --
      Support my political activism on Patreon.
    15. Re:Good by Sowelu · · Score: 1

      Hm. That actually was my problem with Angband. Too easy, too farmable. I'll have to give that a shot...though I suspect it's going to be a lot of long, boring running around in circles trying to get that ring of fire resistance before I hit whatever depth will kill me without it. And you thought stair scumming was boring...

    16. Re:Good by Whorhay · · Score: 1

      Terraria is a pretty fun digging sim, though not 3D.

    17. Re:Good by Anonymous Coward · · Score: 0

      >If you can think of a better program with which to spend three hours digging then I'd like to hear it.

      Terraria!

    18. Re:Good by GoodNewsJimDotCom · · Score: 2

      Positive:

      You don't keep running back to town for a ton of arrows and selling stuff. That's just boring. If you're really trying, you might have even tried to check every time the elite object guy was selling. This was boring.

      No hovering next to stairs for easy escape which feels like cheating

      Identifying potions, equipment and mushrooms becomes a lot more fun. Um, I have no food left! I guess its time to id the mushrooms and scrolls

      Rules: Never take up stairs or recall. If you accidentally recall from id by reading, don't use the store or stairs, just recall back to where you were by buying a scroll( you should have enough gold). If you find down stairs, you don't need to take them until you're ready.

      Spoiler strategy:

      The only sane approach is Half Troll warrior. It sounds far fetched since they need to eat twice as mutch, but you need the brute strength for extra attacks to fight orcs and trolls before you have: Phial and enough food.



      Sell everything you have to buy food/light. You may want to keep your weapon. You may want to add to the challenge by saying no town even to start.

      You will want to clear the first 5-10 levels and just go down stairs without resting for wandering monsters.
      Once you're about 10-20, you need to figure out if you want to rest or go down in stairs.

      I go down in stairs if:
      I'm getting low on food, fresh levels are more likely to have food.
      There's a boss critter I can't handle. But going down in stairs makes it more challenging, so you might end up spiraling downstairs to a death condition because monsters are too tough.
      When light is low, I dive for more light. Remember to make your rest macro remove your light before you rest. If you're really detail oriented, have a light removal macro when you enter rooms with light, but I find you don't need this. Light isn't as big as a problem as food(but is a possible loss condition)
      The results is sometimes you dive further than you want to just to get food/light or avoid a boss or situation. Then you need to be aware of monsters that paralyze or breath you can't resist. It feels great when you get a Phial, or pile up satisfy hunger scrolls.

      Now other classes can win! I especially started with the cleric/priest/druid or whatever gets a book of satisfy hunger, but I find that Morgoth needs to be whacked in melee, and the best melee is a fighter to do damage quickest. Also there's nothing more annoying than getting belted with a bunch of flames and your spell books all disappear and can't easily be restored. Play around, see what you can do.

      No up stairs Angband is a whole new game, one which actually has challenges you can't exploit your way around. I'd say its one of the best games of all time, but few people even know about it. Make sure you get a version with autosquelch so the end levels don't slow you down sorting through trash on the floor.

      --
      God spoke to me
    19. Re:Good by davecarlotub · · Score: 1

      But Mr. Do! has shiny blue diamonds too!

    20. Re:Good by RavenLrD20k · · Score: 1

      Eclipse. Visual Studio. Code Blocks. Dev-C++. BlueFish. NASM. gdb. Vi(m). Emacs. Pico/Nano. cat & sed... need more?

    21. Re:Good by Anonymous Coward · · Score: 0

      boulder dash > dig dug any day .

      and o yeah...

      minesweeper > minecraft

    22. Re: Good by mordjah · · Score: 1

      +1 agree ;)

      --
      "A mind reader? That sounds like sci fi." "Honey, we live on a space ship"
    23. Re:Good by Anonymous Coward · · Score: 0

      wurmonline.com works for digging you can mess up alot in that game.

    24. Re:Good by Anonymous Coward · · Score: 0

      Maybe you'll stop paying junkies to fuck you in your asshole.

  4. May finally get servers updated... by Vrallis · · Score: 1

    There are tons of servers running relatively ancient versions at this point due to massive amounts of custom mods (Herocraft and places like that). It sounds like they're screwed now unless they get caught up to the current version.

    1. Re:May finally get servers updated... by CastrTroy · · Score: 1

      Personally, I think that Minecraft needs a lot of work. The gameplay itself is pretty good, but it really needs to be reworked in terms of performance and stability. I was hoping that things would change with MS buying it as they could hire more people to work on it, but I don't think they've actually done anything noteworthy with it yet.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:May finally get servers updated... by PPalmgren · · Score: 4, Insightful

      Modders move quite slow due to the frustrating architecture. 1.6 required a major overhaul to most mods, and 1.8 is being avoided like the plague for the same reason. There's also little incentive to upgrade, since the amount of content in the mods is orders of magnitude higher than vanilla, no ones going to switch off 60 mods in a modpack to get some horses and a biome.

    3. Re:May finally get servers updated... by SuricouRaven · · Score: 3, Informative

      Try some of the mods. The gameplay gets better - and the stability gets worse.

    4. Re:May finally get servers updated... by pspahn · · Score: 1

      There's also little incentive to upgrade ...

      Maybe their incentive will be that if they don't upgrade, someone will just crash their server.

      I deal with the same thought pattern at work on a daily basis. I develop on a very popular e-commerce platform that is notorious for being difficult to update due to poor compatibility with various customizations done to the application code. Clients come to me with problems their store is facing, and I tell them the fix is to update to a newer version. I then tell them that it may cause problems with all the extensions they've installed and that it takes time to get things all sorted out. This quickly puts them into "not enough incentive" mode.

      What that really means is they value running their day-to-day business more than they value the sustainability of their business. They'd rather make $1 a day than save $365 a year.

      --
      Someone flopped a steamer in the gene pool.
    5. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      I was hoping that things would change with MS buying it ... but I don't think they've actually done anything noteworthy with it yet.

      Oh, there's a big surprise! I think I'm gonna have a heart attack and die from that surprise!

    6. Re:May finally get servers updated... by JackieBrown · · Score: 1

      Not all businesses are doing well enough or have enough capital to have everything broken for a while due to an upgrade.

      Also, nowadays, there are so many online stores that if one goes down, people move on to the next.

      In any case, in order to have sustainability, you need to survive the day-to-day stuff

    7. Re:May finally get servers updated... by Jarik+C-Bol · · Score: 1

      I agree, hell, its pretty possible for anyone to crash any Minecraft server through dedicated and obsessive gameplay. Either set off far to much TNT, or simply build a hilariously large auto wheat farm, and you can grind the game to a halt, with probable crashing. And thats without any malformed packets, just in game mechanics.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    8. Re:May finally get servers updated... by Vrallis · · Score: 1

      Yeah, the architecture changes screwed the entire modding world. Maybe someday they'll finally have a proper mod API and proper support.

      As for incentive, the incentive this time around is to prevent having permanently crashed servers. Until the new loader was released that supported easier management of multiple versions the incentive was you'd lose half your players with every update as they automatically updated. With the new loader that became far less of an issue, so yes, a brief period with less incentive.

    9. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      That's why you do it in a staging environment first, work out the process and duration, and then go to production (or not, if you choose).

    10. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      The comparison is false, you ignorant clod. These are freely released mods created by people who were more or less working on them as a hobby, in their free time. They're not business software. Thousands of dollars per day won't be lost if these mods don't get updated and something bad happens.

    11. Re:May finally get servers updated... by myowntrueself · · Score: 1

      Personally, I think that Minecraft needs a lot of work. The gameplay itself is pretty good, but it really needs to be reworked in terms of performance and stability. I was hoping that things would change with MS buying it as they could hire more people to work on it, but I don't think they've actually done anything noteworthy with it yet.

      Some anti-aliasing would be nice. I'd like to play it but it does terrible things to my eyes.

      --
      In the free world the media isn't government run; the government is media run.
    12. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      http://www.minecraftforum.net/...

    13. Re:May finally get servers updated... by TechyImmigrant · · Score: 1

      Personally, I think that Minecraft needs a lot of work. The gameplay itself is pretty good, but it really needs to be reworked in terms of performance and stability. I was hoping that things would change with MS buying it as they could hire more people to work on it, but I don't think they've actually done anything noteworthy with it yet.

      I don't know much about game programming, but I know how big corporations work.
      1) Buy a company
      2) Leave it there doing what it does.
      3) Think hard about how to integrate it, use it's technology etc.
      4) Do that.

      The gap between 2 and 4 can be years.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    14. Re:May finally get servers updated... by Anonymous Coward · · Score: 1

      The "frustrating architecture" involves decompiling the obfuscated java code and then guessing which method is which to compile a huge lookup table of obfuscated method names to human-readable ones. And the mapping changes every time they do a build. There was supposed to be a mod API but it never happened.

    15. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      They're just patch it in Forge.

      That is the beauty of the framework, you can override anything.

    16. Re:May finally get servers updated... by myowntrueself · · Score: 1

      http://www.minecraftforum.net/...

      I'll have to see if I can find some screenshots of that. But its a mod, and isn't that the main reason no one upgrades minecraft servers (because updating mods is so painful)?

      --
      In the free world the media isn't government run; the government is media run.
    17. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      microsofts track record on their gaming studios:

      FASA http://www.bit-tech.net/news/g...

      Ensemble - shut down

      Aces Studio - shut down

      Xbox Entertainment Studio - shut down

      Cabonated games - shut down

      Rare - couldnt release one game as good as before they were bought and they used to have a lot of massive hits.

      Bungie - split from microsoft in 2007 http://seekingalpha.com/articl...

      Lionhead - has only really worked on one game franchise microsoft bought them - fable

      Press Play - Who? Went from multi platform developer to windows/xbox only after purchase.

      343 - founded by microsoft to make halo stuff

      black tusk - founded by microsoft to develop future gears of wars games which microsoft bought off Epic.

      Turn 10 - founded by microsoft, makes forza games for xbox only.

      Twisted pixel - who? Makes windows/xbox games only

      Big park - who? Makes stuff for the kinect only

    18. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      It's client-side only. You can still connect to any server, it just modifies how your client does OpenGL.

    19. Re:May finally get servers updated... by Anonymous Coward · · Score: 0

      It's an exceptionally empty game. And that is fine. It means it's a game of Lego with indefinite number of bricks, depending on how much time you spend.

      What they ARE fucking up is in trying to make the game more "interesting", which the mods (as another poster mentions) do a far far FAR better job of, by trying to make it better to move often and see new places.

      Problems:
      1) They use the stick liberally to make you move. Mob spawn rates ramp up as you stay in one place
      2) There is absolutely no carrot, except a temporary drop in spawn rate.

      There should be mostly carrot. And moving in MC vanilla is a pain. You can't travel far before you have to camp or get creepered. You can't take much with you at a time. And if you ferry back and forth, that is a limit to the migration distance you can manage based on how many items you need to pass on.

      Mods make bosses like the Ender Dragon and Wither too easy. Though they're both far too difficult to bother with under the vanilla game and, except for the wither, absolutely no reason to beat.

      And do away with kiddie zombies. At least as anything other than a really rare zombie spawn.

      And cut the creeper. It causes far far too much swearing when you walk out your home and a creeper spots you from 120 blocks away and while you farm up your wheat for "breakfast", comes up behind you, quietly whispers and blows up long before you can kill the fucker. If it just killed you, fair enough, it's a danger. But it blows up shit, and with mods, very expensive shit, taking a long time to remake and configure. If it had few enough hearts that an iron sword could take them out in one shot, you'd be able to deal with them if you were quick and alert. And if they blew stuff up that would be because you weren't good enough. With it being impossible to kill one before it blows unless you are prepared and have space, it doesn't matter how good or bad you are, it will blow up. And then it's not YOUR fault it happened, it's the game's fault. And that's a very different (and annoying) scenario.

    20. Re:May finally get servers updated... by Jesus_666 · · Score: 1

      Yeah, the architecture changes screwed the entire modding world. Maybe someday they'll finally have a proper mod API and proper support.

      Perhaps someone should write a mod that redundantly reimplements Minecraft on top of Minecraft with as few calls into actual Minecraft code as possible. Still dependent enough to require the actual game but with such little contact area that it's almost completely isolated from changes to the game itself.

      Yeah, it'd basically be a fork that attempts to solve the rights issues by requiring the main game. You'd lose anything Mojang adds to the game later (unless it's ported over) but the API could be designed to be long-term stable...

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    21. Re:May finally get servers updated... by RivenAleem · · Score: 1

      Ah, so you've heard of Skyrimming?

    22. Re:May finally get servers updated... by Acaeris · · Score: 1

      Optifine gets regularly updated for the latest mod supported version which shouldn't be that far behind at the moment as it's been a while since 1.8's base release. The reason why most servers are still 1.7 at the moment is because 1.8 actually makes it near impossible for some existing mods to be updated. Mojang changed the way models are coded so that they have to be supplied by JSON for every possible state that includes a reference to the texture used. Consequently, any mod that used a single model for multiple blocks and just changed the texture now has to have a model file for every single possible combination of that model. The vanilla game's fire block has 20+ JSON files just to manage it's various states of setting blocks on fire. Then there were mods like Carpenter's Blocks that gave various model shapes and then applied the texture dynamically based on the texture of the block you used on it, including blocks from other mods. That's pretty much impossible now.

  5. little late by Anonymous Coward · · Score: 5, Informative

    From TFA:
    Update: With the release of this full disclosure I have actually made contact with mojang and they are working to fix the issue. Apparently the initial fix they tried failed which indicates a lack of proper testing.

    Update 2: The exact problem that caused this bug to go unpatched has been identified. Mojang attempted to implement a fix for this problem, however they did not test their fix against the proof of concept I provided, which still crashed the server perfectly fine. This, in combination with ignoring me when I asked for status updates twice led me to believe that Mojang had attempted no fix. In retrospect, a final warning before this full disclosure more recently was propbably in order. A combination of mis-communication and lack of testing led to this situation today, hopefully it can be a good learning experience.

    Update 3: This problem has been patched as of minecraft version 1.8.4

    https://mojang.com/2015/04/minecraft-1-8-4-security-release/

    I’m happy to see that multiple other security issues have also been fixed. Once again, I feel better communication would have easily alleviated this problem. Keeping me in the loop and not ignoring me, in addition to proper testing would have easily led to this exploit being fixed long ago.

    As usual, by the time news hits slashdot, it's not really news anymore. RIP Martin Lawrence.

    1. Re:little late by Anonymous Coward · · Score: 0

      RIP Martin Lawrence.

      I had to google him to find out if there was a different Martin Lawrence you might have been talking about. The first search result was about a hoax that I hadn't heard about until right then. Apparently, it was "all over the internet" (no it wasn't) a couple of days ago, but not one news site that I've seen has even had that story in the "you might also like" section.

      So... yeah, blaming /. for old news... not so helpful when supposedly "good" news sites are 1) full of stuff that someone, somewhere maybe cares about, and 2) have terrible algorithms bringing the same week-old garbage to the top of the page. I have yet to find a news site that isn't complete shit. Even Google is bad at it.

  6. And fixed... by Wulfson · · Score: 2

    Addressed in vanilla by the 1.8.4 update: https://mojang.com/2015/04/min... And for the modded community, here's the Forge discussion: https://github.com/MinecraftFo...

  7. "exploit" by Anonymous Coward · · Score: 0

    I don't think that guy understands what an exploit is. If you can crash the server, you haven't "owned" or "exploited" it. You've simply found a way to remotely crash it.

    1. Re:"exploit" by Anonymous Coward · · Score: 0

      I think that counts perfectly fine as an exploit

    2. Re:"exploit" by nedlohs · · Score: 1

      Apparently you don't.

    3. Re:"exploit" by Em+Adespoton · · Score: 3, Informative

      The guy has found a way to exploit the server code to cause denial of service via code complexity.

      Further to this, depending on how the complexity managed to cause the server to crash (as opposed to just using up all server resources decoding the nested elements), it may also be possible to use his exploit to gain remote code execution (RCE).

      But I haven't actually seen anything documenting a server crash -- just an exhaustion of resources, resulting in denial of service. If someone could document what actually happens on the server when this is run, that'd be useful for indicating if there's a possible RCE here or just a case of the server software using up all resources and grinding to a halt, with a possible out of resources exception thrown at the end, causing the server to exit gracefully.

    4. Re:"exploit" by omglolbah · · Score: 1

      Running a server out of memory can cause game world corruption if it happens at a bad time.
      Quite annoying and could cause rollbacks to backups and such... bleh

    5. Re:"exploit" by Em+Adespoton · · Score: 1

      So... it doesn't have the code design to exit gracefully. This means it's not just open to game world corruption, but memory and DB corruption -- which hints at the possibility of an in-memory or on-disk exploit. In order to prep such an exploit, you'd likely have to have a client logged in already and performing a specific function when you hit it with the attack.

  8. Miscommunication by kav2k · · Score: 1

    Both parties admit that it could have been handled better.

    I specifically asked Nathan Adams (Dinnerbone) about it on Twitter; he said that it would've been handled better if the exploit was logged with the bug tracker to begin with, instead of trying to talk directly to people.

    1. Re:Miscommunication by kav2k · · Score: 1

      And I botched up the link to the tweet: https://twitter.com/Dinnerbone...

    2. Re:Miscommunication by Sowelu · · Score: 2

      Okay, yeah, this guy is definitely a tool with a massive ego trip. He already seemed like a dick from the way he phrased his press releases, but insisting he's too important to use the bug tracker and instead he needs to talk to the devs personally? No.

    3. Re:Miscommunication by serviscope_minor · · Score: 1

      I've heard that arrogance before and it's silly. If people are doing free work for you you don't get to set the terms of how they do it. This guy did free security work for them, they shouldhave been beating a path to his door to make the best use of that work. Or, you know, being entirely free to ignore it at their peril. Which they did.

      --
      SJW n. One who posts facts.
    4. Re:Miscommunication by BarbaraHudson · · Score: 1

      Logging it into the bug tracker, along with the proof of concept, would let it get into the wild pretty quickly, no?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    5. Re:Miscommunication by omglolbah · · Score: 1

      Log a case, ask them to contact you for the specifics due to the sensitive nature.

      Not -that- hard to do...

    6. Re:Miscommunication by Anonymous Coward · · Score: 0

      Too important? Where did you even get that from. They keep talking about the bug tracker yet according to his blog none of them directed him to it.

    7. Re:Miscommunication by s0nicfreak · · Score: 1

      Except it was "to their minor annoyance" rather than "peril".

    8. Re:Miscommunication by kav2k · · Score: 1

      Typical bug trackers allow you to classify something as a security issue, which automatically hide the bug from public. Some automatically do that to crash reports.

    9. Re:Miscommunication by kav2k · · Score: 1

      It's not like the existence of this bugtracker is a secret from anybody, not for 2+ years. It's even referenced in every release announcement.

  9. And nothing of value was lost by Anonymous Coward · · Score: 0

    It's like if Facebook went down due to a bug. Nothing actually valuable would be impacted.

  10. I am completely unsurprised. by MostAwesomeDude · · Score: 3, Interesting

    I spent four damn years trying to have a dialog with Mojang and Bukkit about how to write good code and have a community that wants good code. The MC community literally does not want anybody participating if they have any sense of QA or planning for the future.

    Remember, these are people that wrote their own cryptographic transport *three times* and called it good after nobody could post an exploit for it within a week. MC is not even willing to use standard things like TLS.

    --
    ~ C.
    1. Re:I am completely unsurprised. by Anonymous Coward · · Score: 0

      This reinforces the point that while popular things are, umm, popular, but not necessarily any good.

    2. Re:I am completely unsurprised. by Em+Adespoton · · Score: 1

      Then again, this approach means that any attacks will have to target MC directly, as they can't just target something like Heartbleed and expect it to work here too.

      But they really do seem to suffer from NIH syndrome; those writing hacks for MC are having to code around the outside of it, degrading performance and introducing security issues.

      Anyone know of a modular open source alternative to MC?

    3. Re:I am completely unsurprised. by Anonymous Coward · · Score: 0

      I'm constantly amazed at the complete lack of good architecture and coding practices in the Minecraft (and MC mod) codebases.

      Seriously, you'd think someone would've standardized a damned ICrafter interface for things that have an n-by-n grid to craft with and an IFurnace interface for things that smelt things and consume fuel. But, no, that's apparently something that EVERY mod author has to roll their own solution to and does so in slightly incompatible ways. Because, professionalism. The mod authors aren't and don't claim to be professionals. But Mojang does claim that. And that's why I just don't give a damn about Minecraft anymore. It once looked hopeful, like core and mod code would work together and get more efficient, more generalized, and more capable of being expanded with new content in a reasonable way. And then it turned to a big, smelly, sticky pile of shit. It happened right about the same time as the Bukkit crew was integrated into Mojang.

    4. Re:I am completely unsurprised. by Anonymous Coward · · Score: 0

      And they'll cries on their piles of money about that.

      Its a fundamental flaw of engineering to think that the engineering is what matters.

      As an engineer, I care. I also constantly remind myself that I'm the only one that does.

    5. Re:I am completely unsurprised. by TechyImmigrant · · Score: 1

      MC is not even willing to use standard things like TLS.

      I'm a cryptographic security architect (their name, not mine) for a large techy corporation and I am not willing to use the steaming pile of poo that is TLS. This was a good call on the part of the Minecraft developers. They might not be able to write a good security protocol, but they sure avoided a bad one.

      If I succeed in destroying TLS, X.509 and all that goes along with it, replacing it with something sane, I will have succeeded and I can die content.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re: I am completely unsurprised. by Anonymous Coward · · Score: 0

      Minetest?

  11. sh1t by Anonymous Coward · · Score: -1

    lagged behind, Wash off hands Let's keep to you join today! Create, manufacture operating systems, look at the Par/anoid conspiracy Creek, abysmal

  12. Too bad they left 1.6.4 a broken mess by Anonymous Coward · · Score: 0

    What does it take to fix the zombie pathfinding bug in 1.6.4? The game is unplayable and i finally gave in to the last 1.7.x. Again, billions of dollars to go around. They spend more hours on twitter than just sitting down and fixing that damn bug.

  13. Exploit for New Google Maps? by Anonymous Coward · · Score: 0

    Is there an exploit for the New Google Maps that just makes it work properly like the old one does?

    1. Re:Exploit for New Google Maps? by Anonymous Coward · · Score: 0

      Use an old browser.

  14. Turing complete protocols by TechyImmigrant · · Score: 1

    Friends don't let friends put Turing complete languages in communication protocols.
    This cannot be fixed in general. The behavior of a Turing complete language executor is formally undecidable over all inputs.

    Minecraft (and X.509 certs and HTML 5.0 and SQL and, and, and...) all need to switch to non Turing complete languages if they are to have the option of secureable implementations.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Turing complete protocols by Altrag · · Score: 1

      if (took too long) { throw TookTooLongException(); }

      Problem solved. Undecidability is only an issue when "running forever" is actually possible.

      Defining what "too long" is may be difficult in some scenarios to be sure, but when you're dealing with something like a game that inherently requires responsiveness, "too long" can be defined fairly strictly without too much negative impact -- anything (even completely legitimate) routines that take more than a few fractions of a second per game loop is going to "break" the game.

      Things like SQL are another story. A query that takes an hour to run may well be legitimate in certain large-data scenarios. You could have a configurable max query duration I suppose but there's certainly no globally valid duration. But of course you really shouldn't be giving unrestricted query access to untrusted clients in the first place (which is any client you don't have 100% control over!)

      Also, being Turning-complete is sufficient but not necessary to have this problem -- any language that provides an unrestricted looping mechanism can loop forever even if it doesn't have all of the other necessary features to be Turing-complete (in particular, to be truly Turing-complete an unlimited tape aka storage capacity is required.)

    2. Re:Turing complete protocols by TechyImmigrant · · Score: 1

      You solved one problem. Now solve all the other problems without knowing what they are. The problem space is undecidably large.

      >Also, being Turning-complete is sufficient but not necessary to have this problem

      Yes. No argument there. Once free of Turing you can hedge with the simplest possible design. Formal methods may help.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Turing complete protocols by Altrag · · Score: 1

      Now solve all the other problems without knowing what they are.

      Sandboxing solves pretty much all other problems. Sure there are situations where a sandbox isn't a practical solution, but again that's not really limited to being Turing-complete. Any language that allows a client to modify data risks the ability to modify it in unfortunate ways.

      Certainly more complex languages will have more possible avenues of attack but they also provide more (legitimate) capabilities and sometimes the benefits outweigh the risks, especially in these days where patching a previously-unknown risk can be done relatively easily via internet distribution once it becomes known.

    4. Re:Turing complete protocols by TechyImmigrant · · Score: 1

      >Sandboxing solves pretty much all other problems.

      Like Java and ActiveX?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:Turing complete protocols by Zero__Kelvin · · Score: 1
      Do you not realize that you are running an Operating System, written in a Turing Complete language, and that it is only possible because the other problems can (and have) been addressed? Also:

      " Now solve all the other problems without knowing what they are ."

      Just because you don't know what they are doesn't mean that they aren't well known and understood.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Turing complete protocols by TechyImmigrant · · Score: 1

      Do you not realize that you are running an Operating System, written in a Turing Complete language, and that it is only possible because the other problems can (and have) been addressed? Also:

      " Now solve all the other problems without knowing what they are ."

      Just because you don't know what they are doesn't mean that they aren't well known and understood.

      An operating system has a API through which you communicate with it. Much like a protocol. Of course the compute environment the programs, both kernel and application are turing complete and operating systems and applications have vulnerabilities.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re:Turing complete protocols by Zero__Kelvin · · Score: 1

      "An operating system has a API through which you communicate with it."

      You are joking, right? Out of curiosity, as you are communicating with your OS, do you use Pascal or C calling conventions as you type?

      "Much like a protocol."

      Considering that "protocol" allows me to type 'sudo rm -rf /' Turing doesn't actually give an fsck at that point now, then, does he?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Turing complete protocols by Anonymous Coward · · Score: 0

      if (took too long) { throw TookTooLongException(); }

      Easier said then done. There aren't a whole lot of programming languages or libraries for that matter that support such resource restrictions, most of the time it's a "fire and forget" situation, you start a function and hope that it will return, but if it doesn't, there isn't much you can do about it, even if you detect it from another thread, killing a thread is often unsupported or dangerous in itself. At the OS levels you have processes that provide resource boundaries and ways to kill amok running processes, but inside a programming languages you don't have that level of control (unless you separate the function call into a process, but that is often impractical). And even when you have those limits build in, they often trigger to late. Firefox will often completely freeze for minutes before it allows you to kill a crazy gone Javascript and then it might not even stop the right one. Even in the Linux kernel it's very easy to make the machine completely unresponsive just by allocating a lot of memory, the OOM killer will catch the process after a while, but a reboot is often faster.

    9. Re:Turing complete protocols by TechyImmigrant · · Score: 1

      No but he determined the limits of decidability. Keep up please.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re:Turing complete protocols by Zero__Kelvin · · Score: 1

      Keep up with what? You clearly are talking out your paper asshole and have no idea what the various terms you are throwing around with impunity even mean.

      Your statement "An operating system has a API through which you communicate with it" broadcasted to the world that you had no idea what you were even saying.

      Then this beauty: "Much like a protocol"The fact that you don't evidently know that protocols and APIs are virtually completely disparate is almost sad.

      You wrap it up in a way that wouldn't make it more apparent how clueless you are if you launched a tour on the talk show circuit to announce it and ran for office as the candidate who is "Just as Clueless as the Little Guy!"

      "both kernel and application are turing complete" ... Serioulsy ... you are kidding us and trying to make yourself out to be the biggest moron ever to post on Slashdot, right? If so, Bravo Sir.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  15. Not such a big deal by Time_Ngler · · Score: 2

    It's just a DOS attack. Shouldn't really even be called an exploit, no information is gathered, nothing is lost.

    1. Re:Not such a big deal by Anonymous Coward · · Score: 0

      If you can cause a server to run out of memory, it is quite possible something will be lost.

  16. Developer arrogance by MoarSauce123 · · Score: 1

    I count this under developer arrogance. There we, the quality and security minded people, hand developers all the information they need to fix a flaw and they outright reject it. The Mojangs could not even be bothered testing their 'fix' just ONCE using the example provided to them!! Sadly, they are not alone. How many times did I report bugs, get the note that it was 'fixed', then find out that absolutely nothing changed (best case) or that it is now worse than before? Way too many times. Dear developers, we, the QA folks, are there to have your back. We are there to keep you from pulling all nighters to fix that important issue that crept up in the release branch. In 90% of the cases we pointed you to that very same flaw during development, but you poo-pooed it as a non-issue and marked it as 'won't fix'. Dear developers, give the QA and security folks more credit. We do know what we are talking about, many of us do this stuff for decades having one ear on the customer's side and one ear on the design and development side. We know what is going to work out for users. Stop ignoring us!