Unity Uncovers Major 2017 Security Flaw in Dev Tool

Summary
– Unity has identified a major security vulnerability in games built with its development tool since 2017, allowing attackers to execute code and steal confidential information.
– The vulnerability impacts games on Android, Windows, Linux, and macOS, but there is no evidence of exploitation or user impact.
– Unity has released fixes for all major and minor Unity Editor versions from 2019.1 and a binary patcher for applications built since 2017.1.
– Developers are advised to update their Unity Editor, recompile and republish their applications, and encourage users to keep devices and software updated.
– Microsoft Defender and Valve have implemented protections, and developers like Obsidian have responded by temporarily removing affected games.

Unity has identified a significant security flaw impacting games and applications built with its development platform since 2017. This vulnerability, if left unaddressed, could allow malicious actors to run unauthorized code on affected systems and steal confidential information. The issue spans projects developed for Android, Windows, Linux, and macOS, making it a widespread concern for developers and users alike.
According to a security analysis, any application compiled using a Unity Editor version containing the vulnerable runtime code is potentially at risk. An attacker could exploit this weakness to execute commands on a target machine and exfiltrate sensitive data without the user’s knowledge.
Larry Hryb, Unity’s director of community and advocacy, emphasized in an official blog post that there is currently no evidence of the vulnerability being actively exploited. He also confirmed that no users or customers have reported any negative impact so far. The company has already rolled out comprehensive fixes and made them accessible to all developers using the platform.
Hryb credited security researcher RyotaK for responsibly disclosing the flaw and collaborating with Unity’s team to resolve it. In response, Unity has issued updates for every major and minor version of the Unity Editor, beginning with the 2019.1 release. Additionally, the company introduced a binary patcher tool designed to secure applications that were already built and published as far back as 2017.1.
Developers who have released games or software using Unity 2017.1 or later for Windows, Android, or macOS are urged to review the company’s official guidance. Unity strongly advises downloading the patched update corresponding to their Editor version, recompiling their projects, and republishing the corrected applications. End users are also encouraged to keep their devices and software up to date, enable automatic updates where possible, and use current antivirus protection.
Beyond Unity’s own measures, Microsoft Defender has been updated to identify and block exploitation attempts related to this vulnerability. Valve has also taken action by releasing an update for the Steam client, adding extra protective layers for its users.
Several development studios have already responded to the security advisory. For example, Obsidian Entertainment temporarily removed certain titles from digital storefronts as a precaution while applying the necessary patches.
(Source: Games Industry)