WARNING! Civ4 Ships With Critical Security Vulnerabilities!

Adamal said:
First off, let's not start with insults. The question I have for you is how is the Civ 4 engine using these shared libraries.

Wouldn't that question best be directed at Firaxis? I didn't code the game, nor have I decompiled their main executable.

I could only provide generic presumptive statements about their usage (scenario/world user modification capability, data compression for saving/loading/network transmission, pre-rendered video playback, sound output handling, etc etc)

Sure if the user can get direct access to the shared libraries through the Civ 4 engine then your examples would work.

I'm not exactly sure what you mean by "direct access to the shared libraries through the Civ 4 engine", but all the libraries are loaded at run time by the main executable.

The "user" simply needs Civ 4 loaded with the insecure code modules to be vulnerable.

After that, the zlib library simply has to be passed the specially crafted/corrupted compressed data stream from the main executable.

The only question is as to where/how Civ 4 uses the zlib library. The two most obvious and likely aspects are game saving/loading, and multiplayer data transmission. This determines, for example, whether it's locally or remotely exploitable, or both.

How does the Civ 4 engine handle the packets that are being sent? Does the engine pass them to the dll's to be handled, or do they do any checking on their own?

Since the entire point of using such external code libraries is for them to handle the specialized processing of data/functionality, it's highly unlikely that the main executable does more than basic checking to verify that what is being sent/received to/from the library is in a format that is expected/required.

Since a specially crafted compressed data stream is in fact a compressed data stream, that main executable would of course pass it along just like any other compressed data stream - it's the library itself that handles the actual processing of the stream, whereupon the library fails to handle it properly due to the programming error/oversight, etc etc.

Again, Firaxis knows best how they use the libraries, and all questions about the details of how Civ 4 is specifically vulnerable in terms of data/code process should be directed at them (third parties could of course figure it out, given sufficient time and resources - that's in fact what many exploiters and security research companies do).

Remember, the outdated insecure zlib code exists in (at least) both the ZLIB1.DLL, and the PYTHON24.DLL

Feel free to send an email to Firaxis (and 2K/Take Two) about it asking for specifics/a response. I certainly have.

I haven't received any response other than a generic form email stating they (both Firaxis and 2K) received the email.
 
DreamTheaterSFG said:
Going on 4 weeks, and the game keeps getting better and better. Great job guys! keep up the good work!

It doesn't bode well that they haven't responded back to me in any specific way in regards to this problem.

At this point, I'm just hoping they delay the release of the initial patch in order to include the latest third party code libraries.

If the patch doesn't include the updated files, I certainly will make sure to bring it up to them, and the public, again.
 
dragontail said:
Stop spreading misinformation. The vulnerability can't be exploited because:

1. Civ4 is not running as a server application. There's no way that a malicious user may send some data to crash your PC through Civ4.

In fact, Civ 4 is indeed "running as a server application" whenever it opens up a listening port.

Regardless, and additionally, all connections made from the Civ 4 PC to a multiplayer server (of any kind, WAN or LAN), are bidirectional. That means data can be sent in either direction over an outgoing connection.

Even if bidirectional communications on a single connection were not possible, a listening port would have to be opened in such a case, in order to receive information back from the other end of the connection, at which point, it becomes a "server".

2. The flawed library is only used by Civ4. There's no way that it may affect other (server) applications running on your PC.

Civ 4 would be the "server" application in this case, assuming it opens a listening port.

Again, regardless, it doesn't have to be exploited over a current active network connection. It could also be exploitable locally, via a file load (saved game, mod, multiplayer email, etc).

There was never an assertion that the inclusion of the flawed zlib libraries affected "other server applications" (or even other applications in general).

The fact that other applications are highly unlikely (though not impossible) to be affected by the flawed zlib libraries in the Civ 4 folder, doesn't change the fact that Civ 4 is vulnerable.

I suggest you read the original (and intervening) posts again.

Bottom line: Installing/running Civ4 does not make your PC less secure on the internet. Case closed.

Well, actually, it does, as does installing/running any application in general, but especially applications with known-to-be vulnerable code.

You didn't make much of a case, considering the uninformed incorrect assertions/refutations.

PS

For people who don't understand the difference between vulnerability and risk, your keyboard is the biggest vulnerability of your PC because anyone can do virtually anything to your PC with the keyboard. However, a PC keyboard is not generally considered a security risk, because the vulnerability can only be exploited by someone having physical access to your PC, and by definition having physical access = already being compromised.

This coming from the person that doesn't know what a "server" is, and insists that Civ 4 "isn't a server application"? Amusing.

I'm sure this thoughtful insight will be valuable to someone....somewhere...sometime...

Next.
 
Gorgo said:
If it works for you, that's cool. I think some may find it patronising and confrontational, which is a shame when there's a message in there which deserves the attention of all. The whole "dude" and "next" thing personally makes me cringe.

Sarcastic Mockery, Dude.

Next.
 
ZouPrime said:
Accepting a risk does not mean the security of your system is meaningless. It just means that the risk is not important enough to justify taking action.

And who said otherwise? I certainly didn't. You need to reparse what I said.

Even if Civilization was the game of the year, it wouldn't be installed on a lot of machines in comparison to, say, Windows, IE or IIS. Ever heard of a worm spreading to a quake server? Me neither. And there's a lot of them out there. But still not enough for someone to bother exploiting them.

I haven't heard of a worm spreading to Mars either - that doesn't mean it hasn't happened.

I certainly am not going to claim or make the presumption of being perfectly informed. There is a Big Universe out there.

And a rather "large wild untamed internet" as well.

Linux is not a significant player in the desktop market (2-4% market share by most estimates), yet, there are plenty of security vulnerabilities in the Linux kernel, as well as the bundled apps/utils in every distribution version.

Yet there are many available published exploits, both in terms of source code and compiled utilities for those vulnerabilities.

Ironically, perhaps you aren't aware of it, but there are vulnerabilities in Quake (different versions):

http://www.securityfocus.com/swsearch?sbm=/&metaname=alldoc&query=quake

That got 36 results....

Let's see what a Google search brings up...

http://www.securiteam.com/securitynews/5DP091FFFU.html

"If an attacker joins a server and sends a too big message any client in the server will automatically disconnect showing the "CL_ParseServerMessage: Illegible server message" error."

http://www.securiteam.com/exploits/5KP040A55I.html

"A security vulnerability has been found in Quake 3 Arena. The vulnerability allows an attacker to cause the server to crash"

http://www.xatrix.org/article.php?s=1519

"A vulnerability has been reported in some versions of the Quake II server. While variable expansion is normally performed on the client side, a modified client may pass unexpanded variables such as $rcon_password to the server. The server will expand these variables within its local context, potentially leaking sensitive information to the remote attacker."

http://www.frsirt.com/english/advisories/2005/1538

"A vulnerability has been identified in Quake 2 Lithium II Mod, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a format string error when processing specially crafted nicknames, which could be exploited by remote attackers to compromise a vulnerable system."

Heck, those are just the first few from a Google search:

http://www.google.com/search?hl=en&lr=&q=quake+security+vulnerability&btnG=Search

"Results 1 - 10 of about 155,000 for quake security vulnerability. (0.22 seconds)"

Yeah, well, at least you can count on no one exploiting any security vulnerabilities in quake.

Certainly for say, cheating. Or retaliation. Or out of boredom. Etc etc.

How do I know? Because I've never heard of any security vulnerabilities in Quake, therefore there aren't any.

Besides, even if there were, I'm going to insist they have never been exploited, because I haven't heard of it.

Ah yes, this just keeps getting better and better.

The biggest problem you could have is probably someone exploiting this to cheat in the game. Again, it sucks, I hope Firaxis fix the issue, but it's certainly nothing to be alarmed of, and it won't change much in the grand scheme of things.

No, the biggest problem you could have is 100% system compromise. Please read anything I posted.

Well, that's true. Whether or not Civ 4 is insecure doesn't make God exist or not.

Changes nothing about the fact that Civ 4 is insecure as shipped.

The vast majority of information security incidents deemed of mention are worms. They are the main problem.

That's your assessment and opinion at least. I can't agree to either of those statements, of course.

They may be the main problem for large networks and network providers and corporations and entities, but not necessarily at all for individual users and consumers.

Worm related incidents may even get the most mainstream media coverage, but that doesn't make them the "main problem".

Focusing on that is good security. Focusing on flushing your system of all vulnerability whatsoever makes no sense, since there are so many of them; the vast majority of commercial and opensource software out there are subject to buffer overflow.

If your system is already wormed, you are already compromised. If you want to prevent potential worming, then it becomes necessary to focus on removing any/all security vulnerabilities that are remotely exploitable and allow for arbitrary execution of code.

Which is exactly the potential situation with one of the two zlib flaws - it's potentially remotely exploitable and allows for arbitrary execution of code.

This zlib buffer overflow vulnerability is exactly the kind of security vulnerability one wants to eliminate, if one is specifically worried about "worms".

Ah, the irony. I almost feel sorry for you.

Again, if you have a good reason to keep your system real tight, you shouldn't be running an application like Civ IV anyway. For the rest of us, the risk is really, really minimal.

Coming from the guy that is worried about wormable security vulnerabilities, it sure is ironic for you to insist the risk is "really, really minimal", considering, again, that the second zlib flaw is a buffer overflow type, is potentially remotely exploitable, and allows for arbitrary code execution.

Tracking records of security vulnerabilities is one thing, but it doesn't mean that the threat is real, and that you begin some kind of crusade against Firaxis, and that you should tell people who don't know better that they have been put in danger.

It does mean the threat is real. Civ 4 is really insecure. Civ 4 did really ship with outdated insecure zlib libraries. The zlib security vulnerabilities are real, and the worst of them allows for remote exploiting with arbitrary code execution. The public in general, and current and potential Civ 4 owners/users, have a right to know that Civ 4 contains known-to-be-insecure code that could easily have been avoided, and how to address the situation at least temporarily.

In fact, I have a moral and ethical obligation to inform the public as such.

The vast majority of vulnerabilities are never exploited.

And you know this... how?

Considering that there are easily accessible lists of vulnerabilities tracked in many different ways, with specific details given about them, and often proof of concept and/or exploit code provided as well, I find this a curiously risky statement to make.

It took me all of about 10 seconds to get a list of many different Quake security vulnerabilities.

The Google search alone had 155,000 hits.

Finding a security vulnerability and informing the developers is all cool, but accusing this same developer of "incompetence" because they did what everybody does anyway, in an application that nobody expects to be secure to begin with, is stretching it. A lot.

It's not an accusation. It's a fact. And, I know this is going to be hard to swallow, but, just because there are a lot of incompetent people doing incompetent things, or competent people doing occasionally incompetent things, doesn't mean they aren't incompetent or not doing incompetent things.

I expected it to be secure. Not perfectly secure, but reasonably secure. Like, for example, not shipping your product with utterly outdated insecure third party code libraries with security vulnerabilities that in the worst case scenario allow for a remote complete system compromise.

I'm a somebody, aren't I?

In case you are wondering, I am actually an information security professional, working in a real security shop, so I have hands on experience on this kind of stuff.

No, I wasn't wondering, but since you offered, I have to say, I question your competence level, utterly, especially when it comes to security.

Stating that you believe "worms" are the main problem, but then minimizing a remotely exploitable vulnerability that allows for arbitrary code execution (perfect worm scenario), is a bit ludicrous.

I wouldn't want you anywhere near a system I used or managed or owned.

But don't take that too personally, that's true for 99.99% of the human race.

There are new vulnerabilities found in dozens of applications every day, and for the vast majority of them, the dangers are incredibly remote. There's no reason to crap in your pants over something like this.

"Incredibly remote", eh? Ah, the ironic unintended pun. Yeah, about as "incredibly remote" as the zlib buffer overflow vulnerability exposed in a networked application.

Next.
 
I havent heard of a worm spreading to Mars either - that doesnt mean it hasnt happened.
Oh god...

Listen up CivIndeed. Try to read what we say instead of focusing on what your next answer will be. For some reason you seem not to understand what other posters are trying to make you understand.

Nobody is saying that there's no vulnerability. Of course there is. What we are saying is that there is up to no risk. You understand the difference between the two right?

I doubt you do, because my comparison to Quake completely flew over your head. Yes, there are a lot of security vulnerabilities for all kinds of versions of quake. I know that. But how many of them have been exploited in a worm? It never happened. What does happen is people using this to exploit the game. But you do agree that it's not a big problem to society if this happens? Won't be the first time, will it?

The poster who talked about doors and locks got it. You're screaming because your neighbor's front door isn't locked. Sure it sucks, but it's not a reason to whine about it for days. There are thousands of unlocked doors out there and unless you have something valuable to protect, it's not a big deal if you forget about it once in a while.

You found a vulnerability? Good for you. Now that your 15 minutes of glory has passed, you can go back to where you came from. I'm sure Firaxis will take care of it, and they even may want to credit you in the end. But don't raise hell over this if you don't understand all the ramifications around the issue.
 
It's too bad they shipped the game with old drivers and hopefully they will update them next patch. But until unlawful geek hackers with too much time start attacking my machine while I'm playing Civ 4 multiplayer, it won't keep me up at night.

Besides, the game won't run correctly in the first place.

Anyhow, thanks for finding the bug and reporting it.

Rob
 
ZouPrime, do you understand the basic concepts of network security at all? This action by Firaxis is indefensible and the only correct response is "They need to explain this and rectify it immediately," not "Oh, it's not really all that bad, what could go wrong?"

No one's asking for heads to roll or the company to be boycotted. No semi-literate idiot has started an online petition saying "omg fixaris makes u get hax0red." Instead, a significant security vulnerability has been identified but the company has not acknowledged the issue. Brushing it under the rug is the height of irresponsibility.
 
DaveShack said:
Shipping with the libraries that you test with is a standard procedure throughout the industry.

(If only reading were pervasive... goes into repeat mode)

And therein lies the Problem. They were able to ship the Miles Sound System library (MSS32.DLL), released on September 7, 2005. That's just over a month before Civ 4 was RTM'ed.

The "fixed" version of the zlib library (1.2.3) was released on July 18, 2005 - 2 months prior to the release of the version of MSS they included.

If they could adequately test the third party sound output library in a month, they certainly could have tested a third party compression library released two months prior to that.

Should it be fixed? Yes, it should.

Indeed.

Can it be exploited? Maybe...

Not maybe - yes. The only question is as to how many different ways Civ 4 can be exploited, which depends on the extent to which they use zlib (and remember, the PYTHON24.DLL library contains vulnerable zlib source as well, so that means multiple attack vectors).

Simple question though, if you're concerned about a door being unlocked, do you go yelling down the street "hey that door's unlocked!" or do you quietly report it to the authorities or find out who owns the unlocked door and tell them?

Reading works. Again, it was reported to Firaxis (and Take 2/2K) - they haven't responded back in any specific manner.

The flaws are in third party code libraries, and have already been acknowledged by the authors of those libraries, with appropriate fixes provided months ago.

Furthermore, the zlib flaws are well known and received significant industry media coverage, so the known-to-be-insecure versions of zlib are easily identified (it took me a few minutes on a whim to identify version/issues), and therefore easily exploitable.

Additionally, again, I have a moral and ethical obligation to inform the affected parties, especially when the developer/publisher has taken no steps to acknowledge or rectify the situation, and when there are solutions available to the affected parties that they can apply themselves to immediately address the security vulnerabilities.

Actually in this case it's more like there is a brand of door with a lock which may be defective if an intruder has the right tools.

Civ 4 is insecure. The vulnerabilities are well known. The developer and publisher of Civ 4 neglected to acknowledge the problem, or immediately address the situation (which they easily could with a quick fix "patch" that updates the appropriate third party files).

Also, insulting people's reading skills is not the way to win their hearts.

Not a concern of mine, obviously a concern of yours. Again, I suggest you read the previous posts, you seem to have missed much of what was already stated based upon your comments.

Next.

Moderator Action: It's a concern of mine - please stop being so patronising.

I'll do as I wish, regardless of both your and any other persons' obtuseness and/or apologism/minimization of the situation.

You'll just have to further express your inferiorityism.
 
@CivIndeed - just because you haven't got any feedback from Firaxis / 2k doesn't necessarily mean that they are ignoring the issue. Unfortunately, it is one bug of many that they get reported, and I haven't really seen any feedback to specific people on other bugs. Let's hope that the patch does the talking rather than individual feedback. Yes, the personal touch is nice, but is often a luxury.
 
player1 fanatic said:
Well, there is also this:
If a game passes QA testing with one type of libraries and is close to release, why risk shipping it with newer libraries that are untested, or could have some serious bugs?

(repetition mode)

Shipped with MSS dated September 7, 2005.

Didn't ship with ZLIB dated July 18, 2005.

If enough time to test September MSS, then enough time to test July ZLIB.

1.2.3 (latest) version of ZLIB is purely a bugfix release, specifically to address the security flaws.

What if those updates had bigger security vulnerabilities or even bugs?

What if aliens really coded the libraries with secret alien code designed to take over the world?

The fact is, the 1.2.3 release of zlib is a maintenance release, intended to fix a few bugs, most specifically the security vulnerabilities.

One need only go to www.zlib.net to immediately see that.

Let's try some simple "logic"

Given: Assuming bugs:
1.2.3=bugs
1.2.2=bugs + known security bugs

Now, what rational person is going to choose 1.2.2? Right.

They could not know/test that with time left before release.

They most certainly could and should have known that version 1.2.3 of zlib existed (they used a more recent MSS version from September, and the zlib flaws were well covered in the industry media in July), and that it was a maintenance release specifically released to address the security vulns, and yet, due to clear irresponsible incompetence, they used 1.2.2.

Using old libraries is actually "playing safe".

Yes, that's right, shipping your software product with outdated third party code libraries that contain known security vulnerabilities, the worst of which can allow an attacker to remotely exploit YOUR game program and take over the player's system, is "playing safe".

Ah yes, another staggering intellect.

EDIT:
Hell, I know I did screw myself up a few times installing the NEWest video drivers, which later made some things unplayable for me.

Unfortunate perhaps, but irrelevant.

Next.
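As an added example (not code from the thread, from Firaxis, or from zlib's own distribution), the following Python script does what the posts above describe by hand: it locates the version banner that a zlib build embeds in a binary such as ZLIB1.DLL or PYTHON24.DLL, compares it against the 1.2.3 maintenance release, and reports anything older; it also applies the same test to the zlib linked into the running interpreter. The banner format and the sample byte images are assumptions constructed for the demonstration, not taken from the page.

```python
"""Flag shipped binaries whose embedded zlib is older than 1.2.3.

Assumption (not from the thread): a zlib build carries banner strings such as
" inflate 1.2.2 Copyright 1995-2004 Mark Adler " and a deflate equivalent; the
scanner keys on that pattern. The sample blobs below are constructed test data.
"""
import re
import zlib
from pathlib import Path
from typing import Iterable, List, Tuple

# First zlib release that fixes the 2005 flaws discussed in the thread.
FIXED_VERSION: Tuple[int, ...] = (1, 2, 3)

# Banner compiled into inflate.c / deflate.c; a fourth version part is optional.
ZLIB_BANNER = re.compile(
    rb"(?:inflate|deflate) (\d+)\.(\d+)\.(\d+)(?:\.(\d+))? Copyright"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3); ignores any non-numeric suffix a vendor appends."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:4])


def find_zlib_versions(blob: bytes) -> List[Tuple[int, ...]]:
    """Return every distinct zlib version banner found in a binary image."""
    found = set()
    for match in ZLIB_BANNER.finditer(blob):
        found.add(tuple(int(g) for g in match.groups() if g is not None))
    return sorted(found)


def is_outdated(version: Tuple[int, ...], minimum: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the version sorts below the first fixed release."""
    return tuple(version) < tuple(minimum)


def audit_blob(name: str, blob: bytes) -> List[str]:
    """One finding per embedded zlib version; empty list if no banner is present."""
    wanted = ".".join(map(str, FIXED_VERSION))
    findings = []
    for version in find_zlib_versions(blob):
        label = ".".join(map(str, version))
        if is_outdated(version):
            findings.append(f"{name}: embeds zlib {label} (< {wanted}) - update")
        else:
            findings.append(f"{name}: embeds zlib {label} - ok")
    return findings


def audit_files(paths: Iterable[Path]) -> List[str]:
    """Run audit_blob over real files, e.g. every DLL in a game's install folder."""
    findings = []
    for path in paths:
        findings.extend(audit_blob(path.name, path.read_bytes()))
    return findings


def runtime_zlib_outdated() -> bool:
    """Same test against the zlib linked into this interpreter (the thread notes
    that PYTHON24.DLL carried its own copy of the vulnerable zlib code)."""
    return is_outdated(parse_version(zlib.ZLIB_VERSION))


# Constructed stand-ins for a 1.2.2 ZLIB1.DLL and a 1.2.3 replacement; only the
# banner strings matter, the surrounding padding is arbitrary filler.
SAMPLE_OLD_DLL = (
    b"\x00" * 32
    + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00"
    + b"\x00" * 8
    + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00"
)
SAMPLE_FIXED_DLL = b"\xff" * 16 + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"

if __name__ == "__main__":
    report = audit_blob("ZLIB1.DLL", SAMPLE_OLD_DLL) + audit_blob("zlib1-new.dll", SAMPLE_FIXED_DLL)
    for line in report:
        print(line)
    print(f"interpreter zlib {zlib.ZLIB_VERSION} outdated: {runtime_zlib_outdated()}")
```

To audit a real install, pass the folder's DLLs to audit_files, e.g. audit_files(Path("<game folder>").glob("*.dll")).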
 
CivIndeed said:
(repetition mode)

Shipped with MSS dated September 7, 2005.

Didn't ship with ZLIB dated July 18, 2005.

If enough time to test September MSS, then enough time to test July ZLIB.

So?
Not everyone has enough time to test everything.
We are talking about games here. Sound system has priority.

MSS seems more important to test first.

Better to ship with one tested, than one not tested and possibly more buggy (or not working at all).

CivIndeed said:
1.2.3 (latest) version of ZLIB is purely a bugfix release, specifically to address the security flaws.

Do you know that bugfix releases have the greatest chance of adding new bugs?

By fixing something, there is always a chance of breaking something else.
Better to use a flawed but tested version than an untested fix.
Some of the WinXP security fixes come to my mind (that made more problems than they solved).

Let's try some simple "logic"

Given: Assuming bugs:
1.2.3=bugs
1.2.2=bugs + known security bugs

Now, what rational person is going to choose 1.2.2? Right.

Or let's try this:
1.2.2=stable + known security bugs
1.2.3=broken, but without those security bugs

Of course, now we know that 1.2.3 is not broken. But you can't know this without testing.
Right?


They most certainly could and should have known that version 1.2.3 of zlib existed (they used a more recent MSS version from September, and the zlib flaws were well covered in the industry media in July), and that it was a maintenance release specifically released to address the security vulns, and yet, due to clear irresponsible incompetence, they used 1.2.2.

Or they chose not to use libraries untested with the game.
At least not until future patch?

Yes, thats right, shipping your software product with outdated third party code libraries that contain known security vulnerabilities, the worst of which can allow an attacker to remotely exploit YOUR game program and take over the players system, is "playing safe".

Or even worse, shipping the game with untested libraries that might not even work.


Ah yes, another staggering intellect.
Ah...
Thank you.
You too...
 
I have read CivIndeed's first message and installed the two new DLLs (after backing up the old ones). By the way, I verified that the URLs given by CivIndeed were addressing the actual official files and not some modified versions including virus or Trojans. ;)

Currently, everything works fine on my computer (except that Civ4 is still sluggish but it is another matter) and I am happy to know that there are two less potential vulnerabilities on my computer.

By the way, I thank CivIndeed for the information he provided.

What I do not understand is the point of most messages of this topic. People seem unhappy that someone has revealed two Civ4 potential threats (even if they are remote). What is wrong with saying that there are vulnerabilities? At the least, people have the necessary information to decide whether or not to upgrade the DLLs. It is then a personal choice.
 
CivIndeed said:
Sarcastic Mockery, Dude.

Next.

When selling a message, the way you deliver it is just as important as the message itself. Whilst what you are saying in all likelihood may be valid, your constant belittling and sarcasm to other people's different outlooks on the problem makes you seem like you are trying too hard to prove your point (sate your ego perhaps?)

Your first post was direct and to the point and brought up an important issue. Since then it's been little more than a petulant display of rudeness to people who don't quite share your view on the 'magnitude' of the issue. Thanks for the heads-up.

Given the vulnerability, I am half tempted to leave my computer open to the Hackers hoping that the constant BSOD and hard crashes will be transferred to their machine.
 
ZouPrime said:
Oh god...

Listen up CivIndeed. Try to read what we say instead of focusing on what your next answer will be. For some reason you seem not to understand what other posters are trying to make you understand.

"We"? Are you speaking for the other members of the "We Are Worried About Worms But Vulnerabilities That Are Remotely Exploitable And Allow for Arbitrary Code Execution Don't Really Concern Us" group?

Ironically, it is you, and several others (and not just here at CivFanatics, but Apolyton as well), that have reading dysfunction.

Your statement is probably better addressed...to you.

Nobody is saying that there's no vulnerability.

I never said anybody was saying that.

You really should improve your straw man skills - they are insufficient as well.

However, actually, several have said as much (though not here at CivFanatics per se). As well, several have attempted to minimize the severity of these flaws in addition to claims that they can't be exploited, etc etc.

But you would have to read (or be capable of reading comprehension), to ascertain that.

Of course there is. What we are saying is that there is up to no risk.

The second sentence there makes no sense. Are you claiming there is no risk?

I sure hope that isn't your claim.

You understand the difference between the two right?

I can't say I do, considering I can't understand what idea you were attempting to convey, due to your mangled syntax.

I doubt you do, because my comparison to Quake completely flew over your head. Yes, there are a lot of security vulnerabilities for all kinds of versions of quake.

Odd, you didn't seem to indicate you knew of any Quake vulnerabilities - just the opposite in fact as per the implication of your "worm" comment.

But, its good to see that in fact, now, you concede lots of different vulnerabilities in different versions of Quake.

I know that.

You didn't seem to know that before. I'm going to add a "now" to the end of that for you.

But how many of them have been exploited in a worm? It never happened.

I don't know. How are we to ascertain that? I didn't realize a worm was the only possible method to remotely exploit a vulnerability.

You do realize you can remotely exploit a remotely exploitable vulnerability, without the use of a "worm", right?

Regardless, what makes you think they weren't exploited, besides your desire for it never to have happened for the purpose of minimizing the critical nature of these zlib flaws in Civ 4?

In fact, isn't it possible that Quake clients/servers were "wormed", and you simply don't know about it?

Isn't it possible that there were "worms" that did what they needed to do, then removed themselves and all traces of themselves, from the affected systems?

If you didn't know about the zlib flaws, if you didn't know that Civ 4 shipped with outdated insecure vulnerable zlib code in two different library modules, why should anyone believe your claim that it "never happened"?

I certainly would never make such a claim, and I'm clearly far more informed than you are on these issues, and yet I know my actual specific knowledge of specific vulnerabilities is quite limited, though, obviously, I can easily search for and obtain information about them.

I dont have perfect knowledge. Do you?

Don't you think it would be far better to say something like "I am unaware of any worms that targeted Quake server/client code" rather than "it never happened"?

Regardless, I'm sensing some absurdity here. You actually believe there isn't any "insecurity" unless you are specifically aware of a specific security vulnerability actually being exploited.

That's pretty amusing. And you say you are an "information security professional", eh?

What does happen is people using this to exploit the game.

I can't understand this, it's nonsensical.

Are you saying that you are aware of specific exploits of the Civ 4 vulnerabilities? Because that's what it appears to say.

But you do agree that it's not a big problem to society if this happens? Won't be the first time, will it?

I'm not sure I follow you. Are you (once again) attempting to minimize the severity of the security vulnerability posed by the flaws in Civ 4's zlib code libraries?

Yes, it's true, the security vulnerabilities in Civ 4 won't stop us from instituting democracy in Iraq.

If you are attempting to claim that a potential "worm" exploiting the zlib flaws in Civ 4 won't have a big impact on society, I'll reference you back to your own comments that "worms" are the "biggest threat".

I'll also remind you of the loss and cost to many corporations for the Code Red, etc worms, not to mention individuals loss of time and money dealing with it on their home/personal PCs....

You really need to check your own statements for consistency with previous "thoughts" (not to mention readable standard english)

The poster who talked about doors and locks got it. You're screaming because your neighbor's front door isn't locked.

I'm not "screaming" at all. I'm not sure if you realize this, but, I own a copy of Civ 4 - that's how I was able to determine the outdated insecure third party code library situation.

The correct analogy would be that I bought a certain model of door, that has a certain old model of remote controllable electronic lock made by another company with a known flaw, and, within short order, realized the lock on the door is the old model, and that due to its flaw, would allow someone to unlock the door either standing right next to it, or, somewhere down the street, and, understanding the severity of the issue, I then disseminate the information back to the door company, as well as to forums where door purchasers tend to spend time, about the problem, and how to get a new lock from the lock company to replace the old faulty model on the door.

Sure it sucks, but it's not a reason to whine about it for days.

Im sensing that it really bothers you that i post here, especially to respond to you, so I'll make sure i take the time to do it as often as possible.

Its probably also not a reason to engage in in rationalization, minimization, and apologism for days either (just a hint for the sake of consistency).

Of course, if that were to cease, then i wouldnt be able to enjoy the utter lack of reading skills, amusing claims of professional capacity, and mangled english.

Eh?

There are thousands of unlocked doors out there and unless you have something valuable to protect, it's not a big deal if you forget about it once in a while.

I'm sure you are the arbiter of everyone else's security situation. It's good that "everyone" has such a well spoken representative such as you speaking on their behalf.

Oh, wait, I'm sure you were just speaking for yourself here, considering that you obviously have nothing valuable to protect.

(You might eventually get the idea that one silly straw man deserves another. If you don't know what a straw man is, that won't surprise me. Look it up.)

You found a vulnerability?

No, I didn't. I did find a program shipping with outdated, known-to-be-insecure third party code libraries that creates a security vulnerability for the program itself, and ultimately for the systems of the players.

Good for you. Now that your 15 minutes of glory has passed, you can go back to where you came from.

Don't be so bitter. One day, you might even master Standard English, sentence construction, positional consistency and integrity, sarcasm, the straw man fallacy, and the credentialization fallacy.

But I'm sure it'll take somewhat longer than 15 minutes.

I'm sure Firaxis will take care of it, and they even may want to credit you in the end.

You must have a contact inside. You know, I hear they are in dire need of a Code Security Professional, and with your obvious self-claimed credentials, you are the perfect choice.

But don't raise hell over this if you don't understand all the ramifications around the issue.

I'm sure you'll be there with more silly attempted self-credentialization without substantiation, just to tell me what you think those are.

Just remember not to "whine about me whining" - that would be ...amusing.

Love is a temple.

Next.
 
Gaias said:
Have you tested this personally and can do all the things that you listed?

Who are you asking this of/to?

If you are attempting to ask something of me, could you be more explicit in your asking?
 
dosage0 said:
Its too bad they shipped the game with old drivers and hopefully they will update them next patch.

Not drivers, but rather third party code libraries that specialize in providing data processing/handling and other functionality.

But until unlawful geek hackers with too much time start attacking my machine while I'm playing Civ 4 multiplayer, it won't keep me up at night.

That's probably a reasonable position to take; just make sure you know when the "attackers" are actually "attacking". What you think is a "regular" "Crash To Desktop" may in fact have been a DoS attack, or a failed remote arbitrary code execution attempt.

Of course, you can get a head start on avoiding any of that nonsense by downloading and copying the relevant DLL files as I recommended.

Besides, the game won't run correctly in the first place.

If the game is already crashing on you, then it may be difficult to ascertain a crash due to a DoS attack. Of course, maybe some of those CTDs you have already experienced...were the result of a DoS.

Remember, the flaws are potentially exploitable both locally and remotely, depending on how and how much Civ 4 uses the zlib processing, and the zlib flaws exist in both the general zlib library (ZLIB1.DLL) and in the Python library as well (PYTHON24.DLL).

Since each library contains the 2 known flaws, that's 4 different attack vectors at the very least.

Something to think about.

Anyhow, thanks for finding the bug and reporting it.

Someone needed to. I just happened to be the someone.

I just hope Firaxis and 2K take the issue seriously enough to rectify it ASAP.
 
ainwood said:
@CivIndeed - just because you haven't got any feedback from Firaxis / 2k doesn't necessarily mean that they are ignoring the issue.

It also doesn't mean they are doing anything about the issue.

Considering that I have yet to get any specific private acknowledgement of the info about it that I emailed to them, that there is no public acknowledgement of any kind about the issue, and that there is no patch available fixing the issue, I have to assume, rationally, that they in fact aren't doing anything about it.

They could easily package, at the very least, the latest zlib DLL and the latest Python DLL together, with an installer, and put it on their servers for download, both for manual download and for whatever automated/semi-automated process the in-game update system uses.

Not that I want to necessarily add to the din about the general code state of this game as released, but, to be frank, they don't have to worry about testing: the game as released clearly has lots of issues (that's a euphemism). It was released early and unready due to the schedule shift, and they obviously didn't care about testing before they released what they did release, because they released what they released knowing it simply wasn't as finished as they themselves wanted it to be.

They could even call it "Beta Security Patch 1.0.1" just to be safe (ah..the pun).

Unfortunately, it is one bug of many that they get reported, and I haven't really seen any feedback to specific people on other bugs.

Well, actually, it is a plethora of bugs - the outdated third party code libraries have many bugs other than just the security related ones that create the security issue, and every third party code library they included was outdated at the time the game was released.

Also, security vulnerability bugs (especially remotely exploitable ones) trump other bugs, and are clearly more important to address. Any person/company that insists otherwise isn't a person or company anyone wants to do business with, ever.

Considering the number of users reporting CTDs, and considering that both zlib flaws allow for CTDs, it would be very smart of them to look into the situation as quickly as possible to see if there is a linkage, and issue a "beta security patch" ASAP.

It's just more irresponsible incompetence on display.

Let's hope that the patch does the talking rather than individual feedback. Yes, the personal touch is nice, but is often a luxury.

They could go a long way to convincing users they are serious about the security of their game and the security of the users' systems by releasing a security specific patch as I described above.

Barring that, at the very least, they could issue a public statement saying something to the effect that they have been made aware of certain security vulnerabilities, etc etc.

I don't care in the least bit about some "personal touch" nonsense; it's the complete lack of any kind of acknowledgement/statement/quick security patch on any level that is disappointing, to say the least, and is the reason why I mention the specific ways in which they haven't responded.

They sure aren't winning any "points" by waiting to release an acknowledgement/statement/patch, and the longer they wait, the more "points" they will lose...
 
player1 fanatic said:
So?
Not everyone has enough time to test everything.

I would never have known this had you not told me. The fact that the game shipped with outdated buggy third party code, not to mention the buggy first party code of the game itself, speaks to that lack of testing, eh?

We are talking about games here.

Really? I thought we were talking about toasters on mars. I would never have known had you not made this...utterly brilliant..additive..statement.

You sure we aren't just talking about one game, Civ 4? (aside from the Quake silliness)

Sound system has priority.

Actually, the Miles Sound System clearly and inarguably had the least priority, since it got the least amount of potential testing time due to the fact that the version that shipped with the game was released just over a month prior to the game's release.

If sound was such a priority, and testing the sound system a priority, why would they wait so late (just over a month before the game's release) to acquire a more recent code library version of MSS?

Logic...you gotta get this thing.

MSS seems more important to test first.

Ah, genius. It comes in many interesting forms.

It does, eh? Well then, perhaps you should inform Firaxis of that, considering the MSS library version they shipped with the game was released just over a month prior to the game's release; therefore, it had the least priority and the least potential and real testing time.

Better to ship with one tested than one not tested and possibly more buggy (or not working at all).

Therein lies the issue. If they could test and ship the MSS library file in just one month, they certainly could test and ship the latest zlib library file in 3 months.

It's a logic and math thing. You probably won't understand, and will keep repeating something about "yeah..see..sound is more important! sound is more important!"

Do you know that bugfix releases have greatest chance of adding new bugs?

Really? I heard from a secret friend, that new major releases, especially those with lots of new features and functions, have the "greatest chance of adding new bugs".

I better get a new secret friend.

Did you know that releasing a game with outdated insecure third party code libraries exposes your game, and your users, to unnecessary and significant security risks, not to mention adds to a growing real and potential general perception that the developer is increasingly incompetent?

By fixing something, there is always a chance of breaking something else.
Better to use a flawed but tested version than an untested fix.

And by not fixing something, something isn't fixed.

zlib was fixed, several months prior to the release of Civ 4. Firaxis didn't bother to get the fixed version. Firaxis is incompetent and irresponsible.

By not shipping Civ 4 with the latest fixed version of zlib (and python), they created security issues for all their users/players.

There is still no fix from firaxis.

Some of the WinXP security fixes come to my mind (that made more problems than they solved).

Go ahead and provide the KB numbers of those security fixes, as well as the source for your claim that they "made more problems than they solved".

Yes, occasionally some security updates cause nuisance issues for some people, but I just can't accept your claim that they "made more problems than they solved".

Or let's try this:
1.2.2=stable + known security bugs
1.2.3=broken, but without those security bugs

zlib version 1.2.3 is broken, eh? Care to tell everyone how? I mean, zlib provides a list of fixes in 1.2.3 for bugs in 1.2.2 and earlier.

I also notice that you indicated 1.2.3 is broken, but 1.2.2 isnt.

You do realize 1.2.3 fixes "broken" aspects of 1.2.2, right?

http://www.zlib.net/

"Eliminate a potential security vulnerability when decoding invalid compressed data
Eliminate a potential security vulnerability when decoding specially crafted compressed data
Fix a bug when decompressing dynamic blocks with no distance codes
Fix crc check bug in gzread() after gzungetc()
Do not return an error when using gzread() on an empty file"

See, those are several "broken" "thingeys" in 1.2.2.

But your "math" doesn't indicate this. Odd.

So, even though you can see a list of all the ways that 1.2.2 is "broken", but none of the ways 1.2.3 is "broken", you insist, 1.2.3 is broken, and 1.2.2 isnt.

Could you show me a list of the "broken" aspects of 1.2.3?

Yup, another skilled reader, with fantastic reading comprehension and logic application skills.

Of course, now we know that 1.2.3 is not broken. But you can't know this without testing.
Right?

First you have 1.2.3 listed as broken, then you say you know its not broken.

Which one is it? Broken..not broken?

Did you not remember what you typed just prior to that?

I hear pot really kills the short term memory. Are you on drugs?

Let me know what you decide about the "broken" versus "not broken" thing for zlib 1.2.3, as well as for 1.2.2 (you don't have 1.2.2 listed as broken in your "math", even though it's utterly clearly known to be "broken").

Or they chose not to use libraries untested with the game.
At least not until a future patch?

If they specifically chose not to use zlib 1.2.3, that would be a Very Bad Thing: it would mean they knew it existed, knew what security bugs it fixed, but didn't care about it, included an older highly insecure version, and then, to top it all off, didn't say a word to the users, knowing they were shipping insecure code.

Thats a Very Bad Thing (TM).

I prefer the idea that it was pure incompetence and/or ignorance, since they are less accountable as such, and, provides them with greater benefit of the doubt.

Or even worse, shipping the game with untested libraries that might not work at all.

Yeah, it took a very long time (a few minutes of downloading and file copying, even a few hours of play time) to determine that the new versions of both zlib and Python work just fine. The game loads and plays without any issues that hadn't already been noticed.

Yeah, certainly 3 whole entire months was utterly insufficient time for testing; they had a VERY STRICT testing regimen which required at least 6 months of testing (err..aside from the Miles Sound System, which had such a high "priority" that it needed only one month of testing), and as we can see, the results of that VERY STRICT testing regimen are on display for the world today.

Civ 4 is a fantastically stable game, with hardly a bug, that works on many different hardware configurations and many different versions and revisions of hardware drivers, with fantastic performance, low resource (especially memory) usage, and rock solid application security!

Civ 4 is obviously the product of a sophisticated code version/build tracking process, matched only by the most stringent, severe, and strict QA process.

Next.
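Added example, not code from the thread or from Firaxis/2K: the check that the whole thread turns on (which zlib a shipped binary embeds, and whether it predates 1.2.3, the version whose changelog is quoted above as eliminating the two decoding vulnerabilities in 1.2.2) can be done without running the game at all. zlib compiles its version into two copyright strings in deflate.c and inflate.c (" deflate 1.2.2 Copyright ... Jean-loup Gailly " and " inflate 1.2.2 Copyright ... Mark Adler "), so scanning a file for those strings reports the embedded version. This also covers the earlier point that PYTHON24.DLL carries its own copy of zlib: the same scan works on any binary that statically links it, not only on ZLIB1.DLL. The sample byte strings below are constructed stand-ins, not the real DLL contents, and the minimum version is taken from the page.

```python
import re
from pathlib import Path

# zlib's deflate.c and inflate.c each embed a string of the form
# " inflate 1.2.3 Copyright 1995-2005 Mark Adler " (and the deflate
# counterpart), so the version survives in any binary that links zlib,
# whether as ZLIB1.DLL itself or statically inside something like PYTHON24.DLL.
ZLIB_VERSION_RE = re.compile(rb"\b(inflate|deflate) (\d+\.\d+(?:\.\d+){0,2}) Copyright")

# The page cites 1.2.3 as the release that fixed the two decoding flaws in 1.2.2.
MIN_SAFE_VERSION = (1, 2, 3)


def parse_version(text: str) -> tuple:
    """Turn '1.2.2' into (1, 2, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_zlib_versions(data: bytes) -> set:
    """Return every zlib version string embedded in a binary image."""
    return {m.group(2).decode("ascii") for m in ZLIB_VERSION_RE.finditer(data)}


def assess(data: bytes, minimum: tuple = MIN_SAFE_VERSION) -> dict:
    """Report which embedded zlib versions, if any, are older than `minimum`."""
    versions = find_zlib_versions(data)
    return {
        "versions": sorted(versions),
        "embeds_zlib": bool(versions),
        "outdated": sorted(v for v in versions if parse_version(v) < minimum),
    }


def scan_files(paths) -> dict:
    """Assess each file on disk; the key is the path as given."""
    return {str(p): assess(Path(p).read_bytes()) for p in paths}


# Constructed sample images standing in for the game's DLLs (not real file contents):
# a DOS 'MZ' header, padding, and the copyright strings zlib would carry.
SAMPLE_ZLIB1_DLL = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler "
    + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly "
)
SAMPLE_PYTHON24_DLL = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler "
)
SAMPLE_NO_ZLIB = b"MZ\x90\x00" + b"\x00" * 64


if __name__ == "__main__":
    import sys
    # Usage: python zlibcheck.py ZLIB1.DLL PYTHON24.DLL (paths are whatever you pass in)
    for path, result in scan_files(sys.argv[1:]).items():
        if result["outdated"]:
            flag = "OUTDATED (older than %s)" % ".".join(map(str, MIN_SAFE_VERSION))
        elif result["embeds_zlib"]:
            flag = "ok"
        else:
            flag = "no zlib found"
        print("%s: %s -> %s" % (path, result["versions"], flag))
```

The scan is deliberately string-based rather than calling `zlibVersion()` through the DLL: a statically linked copy inside another library exports no such function, and a string scan also catches a second, older zlib hidden in a binary alongside the one the loader would pick up. A file with no match is reported as such rather than as safe, since the strings can be stripped.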
 