WARNING! Civ4 Ships With Critical Security Vulnerabilities!

Status
Not open for further replies.
warp_kez said:
Just curiously, has anyone done a PoC on the Win32 versions listed to see if in fact there is the vulnerability?

Would "anyone" include the zlib authors?

I don't suppose the readable text of the zlib home page would convince you, eh?

Not to mention zlib's own release of an updated 1.2.3 version library for Windows?

I also take it that the many security vulnerability listings that I linked to about the flaws (not to mention many others) were also insufficient for you?

What source will you accept as definitive?

Would "anyone" also include the python folks?

If you can't accept zlib's own admission, and the many different security vulnerability reports and bulletins, perhaps a simple pasting from python's (yes, the other insecure third party source code library included with Civ 4) "changelog" about the included zlib source (within python) will convince you?

http://www.python.org/2.4.2/NEWS.html

"Upgrade Windows build to zlib 1.2.3 which eliminates a potential security vulnerability in zlib 1.2.1 and 1.2.2."

Now, if zlib in Windows somehow was "immune", why would python update their zlib source inclusion to 1.2.3 for Python for Windows, specifically to address the aforementioned security vulnerabilities?

Incompetence?

Heck, again, why would the zlib folks bother to update their own provided windows DLL if that wasn't the case?

If it didn't affect their code under windows, why wouldn't they say so explicitly? Why would they bother to update their own zlib windows DLL?

Incompetence?

Curiously, I sense a "strange reluctance in the civ force" to accept as fact, that which is before them.

Apologism takes many forms.
 
Hum... well... ok...

Yes, Firaxis should have made sure to use the latest version. Sure, they did not do their job. But in the grand scheme of things, it's not really a big problem, and I guess they'll simply include the upgrades in a future patch. It's really nothing to be alarmed about.

Sure, the vulnerability allows for remote code execution, but we're talking about a game here that is going to be run on very, very few computers online, certainly not enough for a worm to be written for it for example.

As for the possibility of some random hacker writing an exploit for this specific vulnerability... sure it's possible, but who cares? If someone wants to get you at this point he will get you, vulnerable zlib or not.

In other words... if you have a business need of making your computer completely secure then you shouldn't be running some random game on your machine to begin with. If you really need to use it for Civ then try to upgrade zlib and python if possible. But if you are some random dude on the Internet the chances that you end up affected by this problem are very remote.
 
I for one wouldn't be just rushing out to update all my system libraries shortly before release, especially those that are free. MSS is something different, they could potentially get support if an unknown new problem arises. The last thing I want to be doing shortly before the targeted release is debugging a critical system that was chosen strictly because it is supposed to be a black box I don't have to bother coding.

I also fail to see the severity of these holes. At the heart it seems most likely exploitable with a Python mod of some sort which you would have to manually install; that being the case, it would be easier to just install some rogue program on your computer than to exploit a security flaw in the script to then compromise your computer. That is, installing anything from an untrusted source is potentially compromising your computer.
 
Adamal said:
You're calling these Critical Security Vulnerabilities. How can these files be exploited by a hacker? I can see if these files were on a webserver how a user can use it to crash the server, but the only thing I believe might happen is Civ 4 would crash. Give me an example of how these can be exploited then I might believe that this is critical.

Wow, you can read. That's a start.

Not only am I calling these security vulnerabilities critical, but so is the industry. Here's some more practice for those reading skills:

http://secunia.com/advisories/15949/

Critical: Moderately critical

Impact: DoS, System access

Where: From remote

"A vulnerability has been reported in zlib, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application or potentially execute arbitrary code.

The vulnerability is caused due to a boundary error in inftrees.c when handling corrupted compressed data streams. This can be exploited to crash any application that uses the zlib library, or potentially to execute arbitrary code with privileges of the vulnerable application."

http://www.frsirt.com/english/advisories/2005/0978

Advisory ID : FrSIRT/ADV-2005-0978
CVE ID : CVE-2005-2096
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-06

"A vulnerability was identified in Zlib, which could be exploited by remote attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in "inftrees.c" when decompressing specially crafted data streams, which could be exploited, via a malformed stream embedded within network communication or an application file format, to execute arbitrary commands in the context of applications that utilizes zlib."

http://www.securityfocus.com/bid/14162/info

Bugtraq ID: 14162
Class: Boundary Condition Error
CVE: CAN-2005-2096
Remote: Yes
Local: No
Published: Jul 06 2005 12:00AM

"Zlib is susceptible to a buffer overflow vulnerability. This issue is due to a failure of the application to properly validate input data prior to utilizing it in a memory copy operation.

In certain circumstances, malformed input data during decompression may result in a memory buffer being overflowed. This may result in denial of service conditions, or possibly remote code executing in the context of applications that utilize the affected library."

Example: Inferior Civ Player B is in Multiplayer game with Somewhat Better Player A. Player B decides that losing isn't his forte, so he sends malformed packet ZZ to Player A using SuperDuperMalformedPacket Utility 3.3, whereupon Player A's Civ 4 session crashes.

Example: Inferior Civ Player B is in Multiplayer game with Somewhat Better Player A. Player B decides that losing isn't his forte, so he sends malformed packet ZZ to Player A using SuperDuperMalformedPacket Utility 3.3, whereupon Player A's PC comes under the "elite controls" of Inferior Player B, and he changes Player A's desktop wallpaper to an image of "I goTz owneD!!!", and then proceeds to steal Player A's entire gay pRon collection, and replace it with pictures of his momma.

There are two different vulnerabilities, one can lead to a DoS situation (Civ 4 crashes), the other can lead to either a DoS (Civ 4 crashes) or to execution of code (total system control).

Love is a temple. Walk the line.

Next.
 
Xehirut said:
Yup. I was just about to say that, and I can't find the updated DLL anywhere in the C:\Python24 directory after I installed it. :confused:

I updated my original post to reflect the correct path location of the PYTHON24.DLL.

I apologize for the mistake and ensuing confusion.
 
You're clearly very technically experienced with this kind of thing, but maybe a more humble and patient style would find your argument many more supporters.
My take on it is that your comments are welcome and this information is important and valid, but it's up to each user to assess the risk and whether they want to adopt measures accordingly. I bow to your expertise in these matters, but it strikes me that most software seems to have some security vulnerabilities, even companies with the resources of Microsoft. If all software shipped in a watertight way, then there would be no industry committed to finding new ways to thwart malicious intruders.
 
phybre said:
The two vulnerabilities in zlib translate, in this context, to mean that if you're playing online it is possible to boot you from a game (oh noes!), and it is possible (under very particular circumstances) to force the game to crash.

Not only that, but those super silly angry bored cheating inferior civ opponents (and others) could completely utterly take over your PC!

That's what "arbitrary code execution" means (and results in), in essence.

It's not as if there are armies of malicious hackers stroking their evil cats, waiting to boot you from a multiplayer Civ session.

It just takes an Army of One (worst most misleading and incorrect ad campaign ever) Packet Attacker - or a bitter inferior cheating Civ 4 opponent provided the latest Packet Attack/DoS utility.

Neither of the exploits allow arbitrary code execution.

I used to believe reading was fundamental - but apparently it isn't.

What part of "allows arbitrary code execution" and "can be exploited to execute arbitrary code" are you not comprehending? The Standard English portion?

The python problems, given the way it is implemented in Civ4, are pretty much totally trivial. Civ4 is not a webserver environment.

And you know this...how?

Aren't you the guy who can't read Standard English who was just insisting that neither vulnerability allows arbitrary code execution?

You seem to be forgetting (or not reading) that the same zlib flaws present in the ZLIB1.DLL, are also present in the PYTHON24.DLL (they included the zlib source), not to mention all the python-specific flaws that exist in that version.

Why is it so hard to read?

Regardless, you do realize, that when a network connectivity application opens up a listening port awaiting incoming connections, that is in fact "server" behavior?

Not that it takes a listening port in order to be vulnerable - a pre-existing outgoing connection, with its bidirectional data functionality, suffices as an attack vector.

I'm sure the whole community appreciates your timely and exhaustively detailed account of these minor problems with the game.

Obviously your critical reading skills (pun intended) not only allow you to understand the "minimal" nature of remotely and locally exploitable security vulnerabilities that lead to DoS and system control scenarios, but they also allow you to "read" and represent the "sense of the whole community".

Well, at least your "community" - a Community of One.

The world hasn't ended yet, and it's not going to, no matter how many times you reply to inflate the significance of this.

And the game is still vulnerable, and the game still shipped with outdated insecure third party code libraries.

You also haven't mastered comprehension of Standard English, but hey, your world clearly hasn't ended either, no matter how many times you make it clear your reading skills are entirely insufficient.

Here you are, posting and declaring to the world "I can't read, look at me! look at me!". No shame in that, clearly.

Other people are having much more serious problems and are not gabbing about it like it's the worst thing Firaxis could have done

Yeah it's true, there are people complaining that the game bugs prevented them from mastering reading comprehension of Standard English, and the English learning module isn't working properly!

I guess all those people proclaiming elsewhere they have never experienced such an inferior buggy game product as released, and won't ever purchase a 2K or Firaxis product again - aren't.

Of course, in order to know about such proclamations, that would probably require Standard English reading and comprehension skills................

Next.
 
Gorgo said:
but it's up to each user to assess the risk and whether they want to adopt measures accordingly.
<Warning: ON Soapbox>

Very True, but... We all are a tiny bit responsible for the health of the network we use together.

This is especially true on 'always' on connections like Broadband Cable.... Unpatched machines can be used without the owner's knowledge...to the detriment of the whole. Crackers can use such exploits in apps that use the network to launch DoS attacks against others using tens of thousands of 'innocent' machines...potentially affecting large numbers of folks; they can use it to initially spread self-propagating trojans (viruses) that don't use the flaw, affecting thousands of clean machines. It has been done in the past and it will be done again.

Civ 4 is probably deployed in many thousands of PCs now...don't bet some cracker couldn't find this out and potentially cause problems for all.

Much like automobile traffic safety, there is some responsibility to the community as a whole, as long as one drives a car they should be aware of any defects that could lead to harming others and ... as long as you are using a public network you should at the least be aware of security issues.
 
Gorgo said:
You're clearly very technically experienced with this kind of thing, but maybe a more humble and patient style would find your argument many more supporters.

If what he said is based on facts, and is true, then I don't see how his "style" would or should be an issue. I frankly do not see anything wrong with his current style, it is the ignorant brush everything aside until I get hit by a bus attitude of some that needs some working on.
 
WarX said:
Excellent work CivIndeed. I run Apache/MySQL/PHP/Python on my local PC for testing of various scripts I write, and occasionally I allow remote access to the webserver for previewing purposes. Which makes me wonder if my version of python has been overwritten by the version installed with Civ4? Hmmm.. not a nice thought.

As far as I can remember, Civ4 also forced me to install their version of DirectX 9c, although I already had v9.0c installed prior to that.

Thanks again CivIndeed.

No problem.

No, it doesn't overwrite a generic python installation, as the PYTHON24.DLL that Civ 4 uses is installed in Civ 4's base folder - not elsewhere such as \Windows or \Windows\System32.

Unless a python-using app is pointing to the Civ 4 folder for some strange reason, it should never be an issue.

As far as DirectX 9.0c goes, that's a huge mistake/problem created by Microsoft - they are actually updating DirectX 9.0c via routine SDK updates, but they aren't updating the run-time executable that they are making available to users at Windows/Microsoft Update or the Downloads section at microsoft.com.

The updated DirectX 9.0c runtime is only available via the developer/SDK version.

To further confuse the situation, they aren't updating the version of DirectX 9.0 to "d" - they continue to build/name it as "c" - even though it has some entirely new/changed files.

Absurd.

So, when you already have DirectX 9.0c installed, and you see a game (like Civ 4, that includes a more recent version of 9.0c via an SDK update) asking to install DirectX 9.0c, naturally, you say "no", knowing that you already have it installed.

Except that you don't know that they have the "updated" version of 9.0c (with the same name).

Just horrendous. This is one of the most boneheaded stupid absurd things Microsoft has done as of late, considering that DirectX is such a critical end-user technology, it's absolutely necessary to make the process of acquiring and updating it as seamless, simple, and comprehensible as possible.

So yeah, now, users will never know which "version" of 9.0c they have, at least, not easily.

Feel free to email Microsoft about the absurdity of not increasing the minor build letter (to "d" and "e" instead of leaving it at "c") to reflect the new files and changes.

Everyone should.
 
CivIndeed said:
Wow, you can read. That's a start.

Not only am I calling these security vulnerabilities critical, but so is the industry. Here's some more practice for those reading skills:

http://secunia.com/advisories/15949/

Critical: Moderately critical

Impact: DoS, System access

Where: From remote

"A vulnerability has been reported in zlib, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application or potentially execute arbitrary code.

The vulnerability is caused due to a boundary error in inftrees.c when handling corrupted compressed data streams. This can be exploited to crash any application that uses the zlib library, or potentially to execute arbitrary code with privileges of the vulnerable application."

http://www.frsirt.com/english/advisories/2005/0978

Advisory ID : FrSIRT/ADV-2005-0978
CVE ID : CVE-2005-2096
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-06

"A vulnerability was identified in Zlib, which could be exploited by remote attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in "inftrees.c" when decompressing specially crafted data streams, which could be exploited, via a malformed stream embedded within network communication or an application file format, to execute arbitrary commands in the context of applications that utilizes zlib."

http://www.securityfocus.com/bid/14162/info

Bugtraq ID: 14162
Class: Boundary Condition Error
CVE: CAN-2005-2096
Remote: Yes
Local: No
Published: Jul 06 2005 12:00AM

"Zlib is susceptible to a buffer overflow vulnerability. This issue is due to a failure of the application to properly validate input data prior to utilizing it in a memory copy operation.

In certain circumstances, malformed input data during decompression may result in a memory buffer being overflowed. This may result in denial of service conditions, or possibly remote code executing in the context of applications that utilize the affected library."

Example: Inferior Civ Player B is in Multiplayer game with Somewhat Better Player A. Player B decides that losing isn't his forte, so he sends malformed packet ZZ to Player A using SuperDuperMalformedPacket Utility 3.3, whereupon Player A's Civ 4 session crashes.

Example: Inferior Civ Player B is in Multiplayer game with Somewhat Better Player A. Player B decides that losing isn't his forte, so he sends malformed packet ZZ to Player A using SuperDuperMalformedPacket Utility 3.3, whereupon Player A's PC comes under the "elite controls" of Inferior Player B, and he changes Player A's desktop wallpaper to an image of "I goTz owneD!!!", and then proceeds to steal Player A's entire gay pRon collection, and replace it with pictures of his momma.

There are two different vulnerabilities, one can lead to a DoS situation (Civ 4 crashes), the other can lead to either a DoS (Civ 4 crashes) or to execution of code (total system control).

Love is a temple. Walk the line.

Next.

First off, let's not start with insults. The question I have for you is how is the Civ 4 engine using these shared libraries? Sure, if the user can get direct access to the shared libraries through the Civ 4 engine then your examples would work. How does the Civ 4 engine handle the packets that are being sent? Does the engine pass them to the DLLs to be handled or do they do any checking on their own?
 
ZouPrime said:
Hum... well... ok...

Yes, Firaxis should have made sure to use the latest version. Sure, they did not do their job. But in the grand scheme of things, it's not really a big problem, and I guess they'll simply include the upgrades in a future patch. It's really nothing to be alarmed about.

Of course they could and should have. It was pure irresponsible incompetence that apparently ruled the day there however.

If the security of your system is meaningless, and you don't mind the real potential of the game crashing on you, or having your entire system compromised, simply from say, going online to play (not that it's limited to online play scenarios), then hey, it's not a "big problem".

Sure, the vulnerability allows for remote code execution, but we're talking about a game here that is going to be run on very, very few computers online, certainly not enough for a worm to be written for it for example.

Considering the amount of attention this game has gotten (TV commercials, radio spots), its series reputation, significant positive review attention, and chart topping sales, I'd be real hesitant to minimize the attractiveness exploiting vulnerabilities within the game environment holds.

Regardless, a "worm" is simply one vehicle of exploitation, and limiting your risk exposure assessment to worms alone, is foolish, to say the least.

As for the possibility of some random hacker writing an exploit for this specific vulnerability... sure it's possible, but who cares? If someone wants to get you at this point he will get you, vulnerable zlib or not.

I care. Several people that have posted to this thread care. A whole "caring" security industry exists to track report and address just such issues.

None of that changes anything. The libraries that shipped with Civ 4 are/were outdated and insecure, and Firaxis (and Take Two/2K) are responsible for the security of their shipped software.

You can attempt to apologize, minimize and rationalize as much as you want, it doesn't change the situation.

In other words... if you have a business need of making your computer completely secure then you shouldn't be running some random game on your machine to begin with. If you really need to use it for Civ then try to upgrade zlib and python if possible. But if you are some random dude on the Internet the chances that you end up affected by this problem are very remote.

I didn't realize this was some "random game" - I surely thought this was specifically about Civ 4. I must be in the wrong forum, dude.

But yeah dude, people can upgrade/update their zlib and python libraries dude, as I recommended dude, totally, no matter what probability level exists for the situation.

Next.
 
Stop spreading misinformation. The vulnerability can't be exploited because:

1. Civ4 is not running as a server application. There's no way that a malicious user may send some data to crash your PC through Civ4.

2. The flawed library is only used by Civ4. There's no way that it may affect other (server) applications running on your PC.

Bottom line: Installing/running Civ4 does not make your PC less secure on the internet. Case closed.

PS

For people who don't understand the difference between vulnerability and risk, your keyboard is the biggest vulnerability of your PC because anyone can do virtually anything to your PC with the keyboard. However, a PC keyboard is not generally considered a security risk, because the vulnerability can only be exploited by someone having physical access to your PC, and by definition having physical access = already being compromised.
 
dragontail said:
Stop spreading misinformation. The vulnerability can't be exploited because:

1. Civ4 is not running as a server application. There's no way that a malicious user may send some data to crash your PC through Civ4.

I beg to differ... When you're playing multiplayer - it's connected to the internet and as such is accepting data from an 'external' source. The biggest mistake that coders have always made is accepting data from 'external' sources w/o ensuring that the data is within the 'bounds' of what will be handling said data.

Not knowing the full internals of how the software functions in multiplayer mode, it could be more of a 'server' than you'd think...
 
If it works for you, that's cool. I think some may find it patronising and confrontational, which is a shame when there's a message in there which deserves the attention of all. The whole "dude" and "next" thing personally makes me cringe.
 
CivIndeed said:
Of course they could and should have. It was pure irresponsible incompetence that apparently ruled the day there however.

If the security of your system is meaningless, and you don't mind the real potential of the game crashing on you, or having your entire system compromised, simply from say, going online to play (not that it's limited to online play scenarios), then hey, it's not a "big problem".

Accepting a risk does not mean the security of your system is meaningless. It just means that the risk is not important enough to justify taking action.

Considering the amount of attention this game has gotten (TV commercials, radio spots), its series reputation, significant positive review attention, and chart topping sales, I'd be real hesitant to minimize the attractiveness exploiting vulnerabilities within the game environment holds.
Even if Civilization was the game of the year, it wouldn't be installed on a lot of machines in comparison to, say, Windows, IE or IIS. Ever heard of a worm spreading to a quake server? Me neither. And there's a lot of them out there. But still not enough for someone to bother exploiting them.

The biggest problem you could have is probably someone exploiting this to cheat in the game. Again, it sucks, I hope Firaxis fixes the issue, but it's certainly nothing to be alarmed about, and it won't change much in the grand scheme of things.

Regardless, a "worm" is simply one vehicle of exploitation, and limiting your risk exposure assessment to worms alone, is foolish, to say the least.
The vast majority of information security incidents deemed worthy of mention are worms. They are the main problem. Focusing on that is good security. Focusing on flushing your system of all vulnerabilities whatsoever makes no sense, since there are so many of them; the vast majority of commercial and open source software out there is subject to buffer overflow.

Again, if you have a good reason to keep your system real tight, you shouldn't be running an application like Civ IV anyway. For the rest of us, the risk is really, really minimal.

I care. Several people that have posted to this thread care. A whole "caring" security industry exists to track report and address just such issues.
Tracking records of security vulnerabilities is one thing, but it doesn't mean that the threat is real, and that you begin some kind of crusade against Firaxis, and that you should tell people who don't know better that they have been put in danger. The vast majority of vulnerabilities are never exploited. Finding a security vulnerability and informing the developers is all cool, but accusing this same developer of "incompetence" because they did what everybody does anyway, in an application that nobody expects to be secure to begin with, is stretching it. A lot.

In case you are wondering, I am actually an information security professional, working in a real security shop, so I have hands on experience on this kind of stuff. There are new vulnerabilities found in dozens of applications every day, and for the vast majority of them, the dangers are incredibly remote. There's no reason to crap in your pants over something like this.
 
Shipping with the libraries that you test with is a standard procedure throughout the industry. Should it be fixed? Yes, it should. Can it be exploited? Maybe... Simple question though, if you're concerned about a door being unlocked, do you go yelling down the street "hey that door's unlocked!" or do you quietly report it to the authorities or find out who owns the unlocked door and tell them? Actually in this case it's more like there is a brand of door with a lock which may be defective if an intruder has the right tools.

Also, insulting people's reading skills is not the way to win their hearts.
 
Well, there is also this:
If a game passes QA testing with one type of libraries and is close to release, why risk shipping it with newer libraries that are not tested, or could have some serious bugs?

What if those updates had bigger security vulnerabilities or even bugs? They could not know/test that with the time left before release.

Using old libraries is actually "playing safe".


EDIT:
Hell, I know I did screw myself up a few times installing the NEWest video drivers, which later made some things unplayable for me.
 
Gorgo said:
You're clearly very technically experienced with this kind of thing, but maybe a more humble and patient style would find your argument many more supporters.

I'm not presenting an argument per se (at least not initially or originally). I'm presenting a fact (or series of facts) - Civ 4 shipped with outdated insecure third-party code libraries (which are both locally and remotely exploitable, and can be used to both DoS Civ 4, and/or engage in system takeover), and it was highly irresponsible and incompetent of Firaxis to do so.

However, obviously, apparently, many people are incapable of reading, or of comprehending the short direct Standard English such things as security bulletins and reports are composed of, and this can and does lead to the case of making a false "counter-assertion", or an incorrect "refutation", which then needs to be and is responded to.

I'm not concerned about my "style and presentation" or the "majority perception" of whatever "audience" exists. Facts are facts, logic is logic, reasoning is reasoning.

I'll leave the liberal subjective emotionalism...to..well..the liberals..subjectivists..and emotionalists (and/or whomever else is concerned about such things).

My take on it is that your comments are welcome and this information is important and valid, but it's up to each user to assess the risk and whether they want to adopt measures accordingly.

It doesn't matter whether my "comments are welcome" or not. I state what I choose to state when and how I state it. Obviously, some find them "unwelcome", some find them "welcome".

As far as risk assessment goes, I agree that ultimately, individuals can/do/should assess their risk - that doesn't mean that there aren't inherent underlying generally calculable risks (or risk factors) that exist, and may or may not be factored into their final assessment (depending on the assessment capability of the individuals).

It goes without saying that there are going to be those that refuse to accept the facts as presented, and/or to "care" about the situation, and some/many of those people, often make sure to express themselves.

For those that do "care", I provided information about the problem, and even a workable temporary (perhaps permanent, depending on how Firaxis handles this) solution recommendation.

No one is being forced to do anything, not even read this entire thread (though, perhaps, some should be forced to take a Standard English reading/reading comprehension course or three).

I bow to your expertise in these matters, but it strikes me that most software seems to have some security vulnerabilities, even companies with the resources of Microsoft.

Yes, it's true, virtually all software can be/is insecure. It's also true that Microsoft software has security vulnerabilities, and is shipped with security vulnerabilities (though I am unaware of a situation where the vulnerabilities were known beforehand, and outdated code (Microsoft or third party) libraries were shipped instead of more recent secured ones).

It's also true that it's completely irrelevant.

It doesn't change the fact that Civ 4 shipped with outdated insecure third party code libraries containing security vulnerabilities that received widespread media attention back in July, due to the extremely widespread usage of the zlib code.

There are a total of 8 code files in the Civ 4 main folder.

Assuming every other file except the main executable was third party, how hard is it to check 7 different library files to verify version info? Or to read/scan a changelog from the libraries web site to see what bugs/issues were resolved? Or to read security related update information right on the home page of the libraries' web site?

Took me about 20 minutes (max) total, on a casual whim.

If all software shipped in a watertight way, then there would be no industry committed to finding new ways to thwart malicious intruders.

Not exactly true, and definitely irrelevant.

All software could be perfectly security and security design bug free, and there would still be a need for security software, since "malicious intruders" could enter the system using perfectly secured legitimate means.

Minimizing and rationalizing the actuality, extent, nature, and impact of the security threat posed by shipping the game with outdated insecure third party code libraries doesn't serve any purpose other than provide Firaxis with support for their current level of irresponsible incompetence.

Next.
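The version check described in the post above ("check 7 different library files to verify version info"), as an added example that is not part of the original thread: it scans binaries for the copyright banners zlib compiles into every build, so a copy statically linked into another DLL is found as well as a standalone one. The file names and sample bytes are constructed for the demonstration; the "affected" set is limited to the two releases named in the Python NEWS entry quoted earlier in the thread.

```python
import re
import sys
import tempfile
from pathlib import Path

# zlib compiles copyright banners into every build, for example
# " inflate 1.2.2 Copyright 1995-2004 Mark Adler ", so a copy that was
# statically linked into another DLL still reveals its version.
ZLIB_BANNER = re.compile(
    rb"(?:inflate|deflate) (\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)* Copyright")

FIXED = (1, 2, 3)                        # release the thread names as the fix
NAMED_AFFECTED = {(1, 2, 1), (1, 2, 2)}  # releases named in the quoted NEWS entry
BINARY_SUFFIXES = {".dll", ".exe", ".pyd"}


def find_zlib_versions(data):
    """Return the set of zlib versions whose banners appear in a byte string."""
    return {tuple(int(part or 0) for part in m.groups())
            for m in ZLIB_BANNER.finditer(data)}


def classify(version):
    """Label a version tuple relative to the releases discussed in the thread."""
    if version in NAMED_AFFECTED:
        return "affected"
    if version >= FIXED:
        return "fixed"
    return "older than 1.2.3"


def scan_directory(root):
    """Return (file name, zlib version, status) for each banner found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        # Compare the suffix case-insensitively: shipped files are often upper case.
        if not path.is_file() or path.suffix.lower() not in BINARY_SUFFIXES:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the scan
        for version in sorted(find_zlib_versions(data)):
            text = ".".join(str(n) for n in version)
            findings.append((path.name, text, classify(version)))
    return findings


def demo():
    """Run the scan over constructed sample files (not real game binaries)."""
    pad = b"MZ\x90\x00" + bytes(64)
    samples = {
        # standalone library with both banners, as a real zlib build carries
        "bundled_zlib.DLL": pad
        + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly " + pad
        + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler ",
        # another library that compiled the zlib source into itself
        "embeds_zlib.dll": pad + b" inflate 1.2.1 Copyright 1995-2003 Mark Adler " + pad,
        "patched.dll": pad + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler ",
        "no_zlib.dll": pad,
        # not a binary suffix, so the scan ignores it
        "readme.txt": b" inflate 1.2.2 Copyright 1995-2004 Mark Adler ",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            (Path(tmp) / name).write_bytes(blob)
        return scan_directory(tmp)


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run the constructed demo.
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, version, status in results:
        print(f"{name}: zlib {version} ({status})")
```

A banner shows which zlib release was linked into a file; it does not show whether the application feeds untrusted data to that code, which is the question the thread argues over.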
 