BBC, Facebook steer users to vuln-afflicted Unity Web Player plugin

A vulnerability has been found in the Unity Web Player plugin, which could allow an attacker to access any website with the credentials of the plug-in's user. The vulnerability could pass on private messages sent over Facebook and Gmail, or, if exploited on the Internet Explorer browser, it could even read local files from the …

  1. Sebby

    WTF?

    I thought we were supposed to be getting away from these bloody things and going to HTML5, not introducing even more of them.

    Plugins, I mean.

  2. Zot

    Unity wants to move away from needing a plugin as well.

    The web player is very nice, and can run full 3d games with audio, but soon they're planning on converting the JIT code straight into JavaScript, which means the plugin is not needed at all.

    1. Anonymous Coward

      I hear they are in fact going this way. I don't have a lot to do with Unity3D myself; however, I recall mention of there being an HTML5 target that's experimental at the moment.

      So I think once they get that behaving better, the proprietary plug-in will become obsolete. (As it should.)

  3. Christian Berger

    Why? Just Why?

    There's a perfectly good "video"-tag. It just works, and even if it doesn't work you can always use an external player. It may not be perfect, but it's _much_ better than any of those special proprietary players will ever get.

    The 1990s are over, get over it. Today you can just have a URL to a video file/stream inside a link, and if people click it, it'll just work.

    1. Awil Onmearse
      FAIL

      Re: Why? Just Why?

      You know the Unity player is a 3d game engine, not a video player, right?

  4. Ken Hagan

    Going the extra mile, but in the wrong direction

    So they reckon http://x:y@target.site/ is the same site as http://x:y@attacker.site/ ?

    That means they aren't just naively comparing the two strings for equality. If they'd been *that* simple-minded, they'd have been safe. Tragically, however, someone knew that they had to parse the URL into components and compare only the domain. They just didn't know the syntax for a domain.

    It reminds me of all those people who "knew" the extra rule about leap years and centuries, and consequently wrote extra code to get 2000 wrong.
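
Added example, not part of the comment above and not Unity's code: one hypothetical hand-rolled host extractor (`naiveHost`) that would judge the two URLs quoted in the comment to be the same site, beside the standard URL parser and a stricter origin check. All function names here are this example's own.

```javascript
// Added illustration, not Unity's code. URLs are the two quoted in the comment.
const COMMENT_URLS = ["http://x:y@target.site/", "http://x:y@attacker.site/"];

// Hypothetical hand-rolled extractor: takes the text between "//" and the
// first ":" or "/" as the host, forgetting that userinfo may come first.
function naiveHost(url) {
  const afterScheme = url.slice(url.indexOf("//") + 2);
  return afterScheme.split(/[:\/]/)[0].toLowerCase();
}

// RFC 3986: authority = [ userinfo "@" ] host [ ":" port ].
// The standard URL parser follows that grammar, so hostname excludes userinfo.
function parsedHost(url) {
  return new URL(url).hostname.toLowerCase();
}

function sameHost(a, b, hostOf) {
  return hostOf(a) === hostOf(b);
}

// Stricter policy (an assumption of this example): compare the whole origin
// (scheme, host, port) and reject any URL that carries embedded credentials.
function sameOriginStrict(a, b) {
  let ua, ub;
  try {
    ua = new URL(a);
    ub = new URL(b);
  } catch {
    return false; // unparseable input never matches
  }
  if (ua.username || ua.password || ub.username || ub.password) return false;
  return ua.origin === ub.origin;
}

const [a, b] = COMMENT_URLS;
console.log("naive :", naiveHost(a), naiveHost(b), sameHost(a, b, naiveHost));
console.log("parsed:", parsedHost(a), parsedHost(b), sameHost(a, b, parsedHost));
console.log("strict:", sameOriginStrict(a, b));
console.log("strict, benign pair:",
  sameOriginStrict("http://target.site/a", "http://TARGET.site:80/b"));
```
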

  5. Anonymous Coward

    BBC peddling malware?

    This simply can't be true, IT "expert" Rory Cellan-Jones would be all over it if this were really the case. Shame on you for suggesting such a thing, El Reg. ;)

  6. x 7

    The Unity player is a piece of spamware-ridden shit and shouldn't be allowed near any PC. If a PC has Unity on it, it will also have a host of co-installed crapware which appeared at the same time.

    1. 142

      Eh? It's a plugin. No more. No less.

      Unity aren't responsible for what other stuff people put on their machines.

      1. x 7

        It's a plugin that comes bundled with spamming crapware.

        A bit like Flash installing Chrome, or Java installing ASK, but a lot lot more maliciously.

        1. 142

          The Unity plugin installer is clean as downloaded from Unity's site. Perfectly clean. No ads. No toolbars. No nothing.

          If any adware is installed, it's through wrapped installers from other sites, like download.com, etc. in the same way they do with every installer.

    2. Anonymous Coward
      Stop

      Looks like someone needs to learn how to download software correctly.

      This is an IT site, not MumsNet.

      Now if you were to rant how download sites bundle it with a load of crap, people would back you up.

  7. Zot

    The view from Unity...

    ...seems reasonable to me:

    "WEB PUBLISHING FOLLOWING CHROME NPAPI DEPRECATION"

    http://blogs.unity3d.com/2015/05/28/web-publishing-following-chrome-npapi-deprecation/

    1. king of foo

      Re: The view from Unity...

      Tough call...

      A) Spend time/effort fixing issue with plugin that will be obsolete in a few months.

      B) Try to rush replacement, hoping issue won't cause too much damage in the meantime.

      I'd likely be using door number 2. I'd probably be trying to keep quiet about it as well! But ignoring a bug hunter results in bad publicity so they should have opened a dialogue with the guy at the very least imho.
