xarjin
Center for Advanced Studies Gallente Federation
43
|
Posted - 2013.06.07 20:47:00 -
[1] - Quote
I hope I'm posting this in the right forum and the CSM council will take this seriously given the potential gravity of the situation.
The problem is as stated in the topic and CCP appears to be completely ignoring the issue. Major antivirus software vendors have started flagging the in-game browser as an identity theft risk because it's based on a highly vulnerable version of Google Chrome from 2009.
There's been a thread on Reddit about it, a months old and similar years old threads on the EVE issues and bug reporting forum as well as posts I've contributed to.
https://forums.eveonline.com/default.aspx?g=posts&m=3087670#post3087670
1) How am I even qualified to assert that the facts stated are plausible?
I'm a trained and certified IT Business Systems Analyst and Network Engineer with over 15 years' experience and a long list of completed security-related projects, and have administered global network infrastructure projects.
I also served as a volunteer member of the network infrastructure management and development team for The Gentoo Linux Project, one of the most widely used and respected Linux distributions available today.
My oDesk profile
2) Are these "security" issues really that bad?
Remote code execution exploits are as bad as a security vulnerability in human-designed software can possibly be for the end user. This class of software exploits allows anyone who is knowledgeable enough to design malicious websites that both target those exploits with the intention of using the vulnerable software to remotely compromise the host computers the software is installed on.
For malicious websites to succeed in compromising vulnerable web browsers requires that vulnerable software to have its own memory footprint on the computer it's installed on as well as at least one running process. The in-game browser can be launched multiple times by opening tabs as it's based on Google Chrome.
Within the EVE Online game, when anyone starts the in-game web browser it launches in its own process, completely isolated from the EVE Online game process.
TL;DR anyone could hack the IGB using a combination of social media and social engineering to raise the public profile of a malicious website and make every last EVE Online subscriber install a remote keylogger or trojan viruses by browsing the theoretical website.
I do not want to see this happen to our beloved EVE subscriber community, as the fallout from an incident such as this would be catastrophic.
CSM8, please, for the benefit of every last person that plays EVE, get this fixed yesterday.
Quote:
This really needs to be addressed by the devs, given that antivirus vendors have started flagging CCP's IGB exe file as a security risk.
https://forums.eveonline.com/default.aspx?g=posts&t=239089
Also, this should serve as an eye-opening concern. The denial of service exploit previously used as an example is far less of an issue than remote code execution exploits. Since the IGB runs in its own process, anyone using the IGB that potentially visits a malicious website is vulnerable to remotely having their computer hijacked by a trojan.
http://msisac.cisecurity.org/advisories/2013/2013-053.cfm
MS-ISAC ADVISORY NUMBER: 2013-053
DATE(S) ISSUED: 05/21/2013
SUBJECT: Multiple Google Chrome Vulnerabilities Could Allow for Remote Code Execution
OVERVIEW: Multiple vulnerabilities have been discovered in Google Chrome that could allow remote code execution, bypass of security restrictions, or cause denial-of-service conditions. Google Chrome is a web browser used to access the Internet. Details are not currently available that depict accurate attack scenarios, but it is believed that some of the vulnerabilities can be exploited if a user visits, or is redirected to a specially crafted web page. Successful exploitation of these vulnerabilities may result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
SYSTEMS AFFECTED: Google Chrome for Windows, Mac and Linux versions prior to 27.0.1453.93
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High |
Tarunik Raqalth'Qui
Anomalous Existence Disavowed.
121
|
Posted - 2013.06.07 23:22:00 -
[2] - Quote
Considering that malicious advertisements (malads?) inside legit pages/sites are a thing, this should be a higher priority. Furthermore, considering that DDoS attacks seem to be a part of the shady side of the Eve metagame already (to go with RMT + botting), it is not a far leap to more insidious attack methods. |
Alona Gene
The Scope Gallente Federation
0
|
Posted - 2013.06.08 00:39:00 -
[3] - Quote
I agree, this needs to be given a much higher priority by CCP. By CCP knowing of this vulnerability, they are morally and professionally obligated to fix it.
In my opinion, keeping the IGB secure and patched is much more important than content even.
CSM, please bring this to light to CCP and support our safety.
-Signed- |
xarjin
Center for Advanced Studies Gallente Federation
54
|
Posted - 2013.07.11 01:14:00 -
[4] - Quote
Bumping for Visibility given the serious nature of the topic.
Please CSM's look into this. |
Omega Flames
Last Resort Inn
26
|
Posted - 2013.07.11 01:48:00 -
[5] - Quote
it's been over a month, has any dev taken the time to verify whether or not this is true? |
xarjin
Center for Advanced Studies Gallente Federation
54
|
Posted - 2013.07.11 03:06:00 -
[6] - Quote
Omega Flames wrote: it's been over a month, has any dev taken the time to verify whether or not this is true?
It's already been confirmed that the IGB is vulnerable to exploits that were patched in Chrome 4.x, but no dev has commented on this, which from an assurance perspective is troubling.
Enta Ozuwara wrote: People on Reddit were asking for some sort of proof. Since a Remote Code Execution would need to be carefully planned, I have instead run a DoS exploit fixed in Chrome 4.1. Result: Awesomium.exe crashes
The linked quote above is only a denial of service vulnerability that makes the browser crash, which is fairly harmless, but if a vulnerability that exists in Chromium 4.x still works then every other exploit newer than this also will succeed.
Many of them are serious sandbox violations.
If you browse this website with the IGB it clearly displays the browser version as Chromium/Chrome 3.x and also shows that the IGB possesses the ability to use the host system Java binary, which alone is a known high security risk if left outdated.
http://www.whatismybrowser.com
Chrome with no secure sandbox leaves the host system completely vulnerable to remote compromise. |
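Added example (not part of any post in this thread and not CCP's code): a way to flag embedded Chromium builds from their reported user agent by comparing the version against the fixed build 27.0.1453.93 named in the MS-ISAC advisory quoted in post [1]. The function names and the sample user-agent strings are constructed for illustration.

```javascript
// Fixed build named in the MS-ISAC advisory quoted in post [1].
const FIXED_IN = "27.0.1453.93";

// Pull the Chrome/Chromium version token out of a user-agent string.
function chromeVersion(ua) {
  const m = /\b(?:Chrome|Chromium)\/(\d+(?:\.\d+){0,3})/.exec(ua);
  return m ? m[1] : null;
}

// Numeric, component-wise comparison. A plain string compare would rank
// "3.0.195.27" above "27.0.1453.93" because "3" sorts after "2".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Classify one user agent: "outdated", "ok", or "unknown" (no Chrome token).
function assess(ua, fixedIn = FIXED_IN) {
  const version = chromeVersion(ua);
  if (version === null) return { version, status: "unknown" };
  const status = compareVersions(version, fixedIn) < 0 ? "outdated" : "ok";
  return { version, status };
}

// Constructed sample user agents (not captured from any real client).
const SAMPLES = [
  "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.27 Safari/532.0",
  "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
  "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0",
];

for (const ua of SAMPLES) {
  const { version, status } = assess(ua);
  console.log(`${status.padEnd(8)} ${version || "-"}`);
}
```

The user agent is supplied by the client and can be altered, so a result from this check is an inventory signal rather than proof of the engine actually running.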
Omega Flames
Last Resort Inn
27
|
Posted - 2013.07.11 03:18:00 -
[7] - Quote
xarjin wrote: Omega Flames wrote: it's been over a month, has any dev taken the time to verify whether or not this is true? It's already been confirmed that the IGB is vulnerable to exploits that were patched in chrome 4.x but no dev has commented on this which from an assurance perspective is troubling.
You posting stuff does not a confirmation make, especially not in something of this technical of a nature. |
xarjin
Center for Advanced Studies Gallente Federation
54
|
Posted - 2013.07.11 03:20:00 -
[8] - Quote
Omega Flames wrote: you posting stuff does not a confirmation make especially not in something of this technical of a nature.
Noted. I am both experienced and qualified to diagnose issues of such a technical nature. It only remains to be seen if the devs will actually do anything about it. So far they have done nothing for several years. |
Manhim
Cyan Ventures
2
|
Posted - 2013.07.11 08:09:00 -
[9] - Quote
Weird, I ran the same website as you did, it doesn't detect Flash nor Java. Probably because the IGB doesn't even have Flash or Java plug-ins to begin with so it cannot bridge to the executables on the computer (And I really don't know how you got this result on your IGB). |
Mag's
the united Negative Ten.
15147
|
Posted - 2013.07.11 10:11:00 -
[10] - Quote
I've never used the in game browser, because I have no control over it. I either alt tab out or had my laptop on next to me.
This thread comes as no surprise tbh, but thanks all the same.
Destination SkillQueue:- It's like assuming the lions will ignore you in the savannah, if you're small, fat and look helpless. |
xarjin
Center for Advanced Studies Gallente Federation
59
|
Posted - 2013.07.11 14:44:00 -
[11] - Quote
Manhim wrote: Weird, I ran the same website as you did, it doesn't detect Flash nor Java. Probably because the IGB doesn't even have Flash or Java plug-ins to begin with so it cannot bridge to the executables on the computer (And I really don't know how you got this result on your IGB).
If you only use Internet Explorer, which fewer people do now than Firefox or Chrome, you wouldn't have the correct Flash plugin installed in your system. Also, if you're using a Mac, that may be another reason why it wasn't detected.
The Mac client runs in an emulator. |
Manhim
Cyan Ventures
4
|
Posted - 2013.07.12 03:49:00 -
[12] - Quote
I'm using Windows 8 and I'm pretty sure that you need a working plug-in to support the binaries for the browser which I'm pretty sure doesn't support plug-ins.
It is indeed something that needs to be looked at, and this had been discussed at the Fanfest that CCP didn't know what they wanted to do with it, since players were using it they couldn't really scrap it and updating it would be a hard thing to do (my first guess is that they might be using WebKit libraries for more than just browser, but I could be wrong). |