Relic2K Posted February 11, 2003

Looks like Epic has finally acknowledged the hole in the Unreal Engine, and they definitely messed up BIG TIME :D

From: "Thor Larholm" <thor@pivx.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 11 Feb 2003 18:15:00 +0100

On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed advisory detailing multiple vulnerabilities in the Unreal network gaming engine developed by Epic Games. These vulnerabilities affect both clients and servers who are playing the plethora of games that are using the engine, and have been readily exploitable for 5 years.

The press release: http://www.pivx.com/press_releases/ueng-adv_pr.html

The advisory itself: http://www.pivx.com/luigi/adv/ueng-adv.txt

Following both industry and personal standards, PivX gave Epic Games a duration of 30 days to (at the very least) respond to our private notification to them. After nothing had happened during that month we prepared to release the advisory, yet once the press asked Epic Games for comments they were suddenly very responsive. Promises to work closely with us on the vulnerability and advisory were made and we managed to hold down the press for several months after this.

60 days passed after this, without any collaboration, honest effort or actual contact from Epic Games. We released the advisory after 90 days had passed from the original vendor notification. 90 days, in which we were played like fools, in which Epic Games had ample time and sufficient opportunity to react and work with us on a coordinated release. 90 days in which Epic Games, from the best of our comprehension, had archived our communications in the trash, during which we received no serious communication except for crisis handling at the originally planned release time.

On February 6th, BluesNews (among many others) could cite a quote from Mark Rein, Epic Games Vice President:

"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."

http://www.bluesnews.com/cgi-bin/board.pl?...&threadid=39954

On February 11th the tides have changed, and TechTV are reporting public legal threats from that same person:

"This is slanderous," he says. "They've taken this too far. We're getting our lawyers involved with this."

http://www.techtv.com/news/security/story/...3417248,00.html

I fail to see how Mark Rein on one hand can publicly announce this to be a real threat that they should have fixed earlier, and on the other hand can announce the advisory to be false and malicious statements. There is no slander or libel in any aspect of this, and the only imaginable outcome that Mark Rein must have been aiming for by his declaration of lawyer involvement is to silence future security research on Epic Games products through the promise of unfounded barratry.

As we know from precedents in the past, this approach to security is counterproductive at best and encouraging for underground security research at worst, and I can only hope for an official retraction of this policy by Epic Games once other employees have had half a minute to think about the implications and example that Mark Rein is setting forth.

Now let's see how long they will take to finally fix some of the holes?

Guest JaseP Posted February 11, 2003

This is kinda old news (as in a couple of days old already). What is more surprising,... the hole or the company's response to it??? At least only 1-2 Linux titles are affected.