Remote Vulnerability in Unity, Game Developers Warned

The Unity game company has warned the professionals about the vulnerability, and that it stands exposed to remote compromise.

Those using Windows version of its editor are advised to update it immediately. Looking at the risk the company decided to sync the software between the two platform and has released a patch for the new Mac version.

Amanda Taggart, Unity’s head of global communications, said in a statement sent to eWEEK. “By proactively working with internal and external security researchers, a Remote Code Execution flaw in the Editor has been identified and we have rolled out a critical security patch to the global community,” She further added “Security is paramount at Unity and is enabled by close collaboration with our security partners and customers to provide the most trustworthy software possible. Per our commitment to responsible disclosure, we’re unable to share more details at this time.”

Only developers need to worry about this vulnerability because the attackers have focused this on the coders who work on this platform. Such kind of attack was also reported earlier when the authentic code would turn into Trojan horse. This way the attacker would send out a large number of trojan that would attack their users.

Cyber criminals have created repositories or say advertising libraries and frameworks, which the coder of that platform incorporates it into their software, and this erodes the security of the end user. This way it steals the credentials of the users and other information. This came to light when Trend Micro found a malicious advertising library called Xavier, which was incorporated into more than 700 apps for Android mobile devices. Nearly every data was stolen from the mobile. Again in 2015, a Chinese cyber-criminal released a compromised version of Apple’s Xcode development toolkit, which worked in the background as it contained the malicious code and would act accordingly as it compiles.

There is no explanation on the current issue from Unity, so it is not clear how vulnerable the malware is in the present form. The company has released mitigation to neutralize the effect and disable the feature that is vulnerable. This will not allow the malware to open certain Unity asset files from the email or browser.

The company released a statement on how to apply the mitigation tool reads “This mitigation will remove the ability for you to open Asset Store assets from an internet browser or an email client. To download these assets, you’ll have to navigate to the store from within the Unity Editor.”

Using developer to manipulate malicious virus is an old technique, but often comes into play. Microsoft released a patch for MS-Word in last April to protect its users. This was again the same technique when attackers integrated a code, which would spread the worm once word file is downloaded from the email.

“Unity has adopted a Responsible Disclosure policy as a part of our cooperation with internal and external Security Researchers and Bug Bounty program,” the company said. “Unity may withhold information about an identified vulnerability for a reasonable period of time to ensure that all customers are given time to patch their systems.”