This just in????
Fill in the blanks (*SMILE*).
A flaw in EA's Origin game store puts its 40 million or so users at risk of remote execution vulnerabilities The vulnerability was described by security researchers Luigi Auriemma and Donato Ferranta of ReVuln, in a paper released on Saturday. Origin is the distribution platform behind just-launched SimCity, along with other …
Fill in the blanks (*SMILE*).
afaict the problem breaks down as:
1. Contrive a mechanism to fool someone into clicking a link which will automatically run some program.
2. Contrive that this mechanism will run a program with an attack vector (Crysis 3).
1 doesn't need Origin to achieve, just an idiot user (in contrast to the impression given in the piece "reporting" this, it is not possible to contrive a link that if clicked on one machine will result in code running on some OTHER machine so you still need that perfect storm of Idiot User and Machine Not Treated With Care and Respect by Said Idiot User. And as I say, there are plenty of those around).
2 relies on a vulnerability in Crysis 3, not Origin.
Smells like people desperate for attention, contriving a FUD and scare story leveraging something that they think will gain enough attention that at least some of it will reflect enough onto them in which to bathe.
Erm you don't quite understand this issue at all do you?
If the problems they had with SimCity weren't bad enough, now this!
Pretty much says everything about them.
It's not FUD when security researchers write a paper documenting an attack vector that has been demonstrated in other software - namely browsers. Fishing or spear fishing attacks against gamers happen all the time so it's not unreasonable to think this could be exploited.
I've not used origin but the fact that it uses URI's suggests that it has a built-in browser like Steam does. Probably means they failed to apply patches to the underlying browser tech they imbedded. Or it may be that they can't because iirc the solution to the URI problem was to limit it's size and/or provide a user prompt if the URI contained scripting. Which may be an issue depending on how URI's are implemented in origin. Wait.. I think it was URI's that had an optional file based format that bypassed sandboxing. Getting old.
At any rate maybe this will be a wake up call to EA. A digital store does not mean pure profit. It takes time and money to maintain it. If exploits like this aren't quickly resolved then how are consumers are supposed to feel about all the customer data EA collects thru origin? They can't keep their client secure what's to say they can keep the back end safe either?
"because Origin functions on multiple platforms"
"because Origin does not function on multiple platforms"
What are those "multiple platform" and why did 40 million install it? Is this like smoking? Does the Surgeon General emit health and safety issues? Is it sin-taxed at least? Questions, questions...
"The issue can be mitigated by disabling the origin://URI globally using tools such as 'urlprotocolview'. This means a user will be no longer able to run games via Desktop shortcuts or internet websites with customs command line parameters."
Did Steam fix their problem of the same nature, btw?
Yes, they did.
My first thought was "well, that's just great" as I rushed to uninstall Origin but apparently I never re-installed it when I upgraded my Vista box to Win 7. Whew!
So they install a DRM software that literally rips all the data from your machine / console / phone that they want and now it has security holes large enough for someone else to get through?
All of this and stored outside the DPA and outside any legal form of prosectution...
Wow I feel safer knowing my data is in secure hands. Oh wait I haven't installed origin.
I won't install Origin, and that rules out EA games.
My loss in one respect.
My security in another...
Nor me. If a game requires Origin I simply won't buy it as I value my privacy over a few hours on a game. Installing Origin is like putting an advert paper telling people your PIN and alarm codes.
Yep... Origin includes a web browser inside their UI... And unless they've changed something since I last looked it tends to go to pages with too much content for the box provided (at least on my system) and has no scroll bars... Made it rather awkward getting DLC for Mass Effect 3 like the extended cut when the confirm/purchase/whatever button is off the bottom (forcing scrolls by drag highlighting text worked)... So with that (and on average needing three attempts to start ME3 every time) I "knew" it was buggy... Didn't know it was THAT buggy... Luckily I'm not affected having totally uninstalled Origin after finishing ME3 and was personally glad to be rid of it...
It's a shitty rip-off of Steam and I wish I didn't need it installed.
It did update last night, I suspect it would be too much to hope this issue has been patched.
One thing I noticed about Steam was that its client and attached games run completely in user-space on Windows. Even if I believe it is a bad idea to make a folder in Program Files user-writeable, at least any Steam exploits would be limited to the Steam environment and not leak out to the host OS, provided the user only runs it in user-space. A user can defeat any exploit with CTRL-ALT-DEL and logging off.
By comparison, does Origin work in kernel-space (using drivers) or otherwise require admin or kernel level access to run? I don't run any Origin games and from what I'm reading here I don't want to, either.
Even Java, for all of the hate Oracle's received this year, stays in user-space.
Some would say, if you were worried about your privacy, you would not have installed Origin in the first place..... Surprising news, EA's distribution / spyware platform allows you to be spied on.
And before you say it, the EULA did not change from them having the right to gather whatever info they want from your machine, when you decide to use it. And this is not the same as Facebook as you decide what you want to share with the world and as a by product Facebook. Origin, unlike Steam where the surveys are optional, gives you no choice in what is uploaded to EA....
This is how EA has gotten around not being able to sell the info they gather to 3rd parties as in the original EULA. Now they just give 3rd parties a conduit to get the info directly.....