Unity, the cross-platform game engine developed by Unity Technologies, suffers a critical flaw that may allow remote code execution by a bad actor. The company partially disclosed the vulnerability and has deployed patches for select versions of the platform, as well as a workaround for developers looking to keep their application bundles intact.
On Unity’s security page, the company reveals that “An input string validation issue was identified that could lead to remote code execution.” Additional details are scarce, but the affected component is the Windows version of the Editor. Patches have been deployed for Unity versions 5.3, 5.4, 5.5, 5.6, and 2017.1.
A separate mitigation tool – or “workaround,” as the Unity team calls it – allows developers to postpone patching but removes the ability to open assets from the web browser or an email client.
“Please understand, though, that the workaround is not a patch and has limitations,” reads the notice. “The workaround will disable the Editor feature identified as vulnerable, but since we can’t control whether the affected functionality becomes re-enabled at some point after applying the workaround (system changes, reinstallations, etc.), we strongly recommend updating to the latest version of Unity to get the benefits of the full patch. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the workaround.”
“Security is paramount at Unity and is enabled by close collaboration with our security partners and customers to provide the most trustworthy software possible. Per our commitment to responsible disclosure, we’re unable to share more details at this time,” Amanda Taggart, head of global communications at Unity, told eWEEK.
The workaround tool can be applied to all affected versions of Unity, including versions older than 5.3. An update has been released for Mac users too, simply to keep versioning on par with other platforms. The flaw doesn’t affect the Mac version.
Hackers have been known to create malicious library bundles containing Trojan code designed to steal credit card information and other credentials, and to trick legitimate developers into incorporating them in their binaries.
In 2015, Chinese hackers injected Apple’s Xcode development kit with malicious code, uploaded the tainted version to an FTP server, and offered it up for grabs to developers, promising a much faster download. As a result, 39 legitimate apps were infected with malware.
Another case was recorded in June this year, when hundreds of Android apps were found infected with malicious code. A flaw such as the one described by Unity above may well have led some to leverage it in a similar manner.
By avoiding a full disclosure of the flaw, Unity is giving developers leeway to take steps to mitigate risk and limiting the amount of information that would otherwise prove useful to those with bad intent.