WARNING! Civ4 Ships With Critical Security Vulnerabilities!


  • #16
    So someone can make a MOD that is in fact a virus.
    That's all?

    Since I don't see other way how this could affect players?

    You need either deliberately corrupted zlib archive or malicious Python code.

    Right?

    Comment


    • #17
      What a hysterical and alarmist post (the OP).

      The "vulnerability" can - at worst - cause Civ to crash. Ooooooh, I'm soooo scared!

      Now, if Civ was a virus checker, or some kind of firewall or system tool, it may be different. But it's not. It's Civ. Duh!

      Comment


      • #18
        Would this explain when I had crashes that rebooted my PC... in event manager all it mentioned was `windows security center has activated`???? Could this be the cause of the reboots???????

        Comment


        • #19
          I would imagine that the versions of these programs that shipped are the versions that were used for final testing before the game went gold. If they'd updated them the day before they went gold, they'd have had to spend another month doing QA and testing.. the OP should revoke his silly post.
          The Best Multiplayer Game Ever

          Comment


          • #20
            Originally posted by Error404
            Those are useful news indeed thank you! I'll upgrade everything ASAP!

            But... well acting as it is all fault of Firaxis is like accusing them of some of the late Windows vulnerabilities...



            Ehi men!! Windows is vulnerable! Those Firaxis developers should have been chosen Debian!!! ehm... not Debian, Mac O.S.X! Ehm... no no no... Unix, yes yes UNIX is perfect...

            These third party code libraries have nothing to do with Microsoft or Windows.

            These security vulnerabilities are in third party code modules that are required and used by the game, and installed with the game.

            It is entirely the fault of Firaxis that they used outdated known-to-be-insecure third party code modules.

            Microsoft didn't code the game or RTM the master CD - that would be Firaxis/Take2.

            Reading works...you should try it.

            Comment


            • #21
              Originally posted by Cambo67
              I think you are being a little over-dramatic over this. Yes, the libraries ought to be updated - hopefully, these issues are addressed in the soon-to-arrive patch.

              In mitigation to Firaxis, it should be noted that these libraries are installed in the Civ4 folder, and so are not used by any other software on your system, making the chances of them actually affecting your system security _extremely_ remote! If the install routine put these libraries into the Windows folder tree, then, yes, there would be security concerns.



              Cambo

              PS. Thanks for spotting zlib. I had already updated MSS, Bink and Python ;-)
              True enough - the fact that the game was shipped with outdated known-to-be-insecure third party code modules is pretty insignificant. Especially when flaws in those outdated insecure code modules can be used to either crash the using application (Civ4) or take control of the system (Windows) via arbitrary code execution.

              Heck, the zlib flaws were so insignificant, that they received absolutely no attention from industry news media. That's why there isn't a link to say, a CNet news story about them.

              And that's understandable, because absolutely no one uses zlib in their products these days. Certainly not the huge vast majority of programs out there.

              Mitigation to Firaxis? Obviously you chose the wrong word/phrase here - you meant "in apologism for".

              I bet the "Civ 4 ships insecure" part indicates where the insecurity originates, but, that would require reading...and comprehension.

              It doesn't matter where the files are located - they are insecure, as is any program that makes usage of them. You do understand that...right? (no..apparently you don't, hence the apologism)

              Regardless, the second flaw - http://www.kb.cert.org/vuls/id/680620 - in particular is of the "buffer overrun" variety. Perhaps you should have taken particular note of this:

              "According to public reports, this vulnerability can be exploited to execute arbitrary code, but we have not confirmed this."

              "can be exploited to execute arbitrary code"


              "A vulnerability has been reported in zlib, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application or potentially execute arbitrary code."

              "or potentially execute arbitrary code"

              Reading works - you really should try it.

              Of course, you also need to work on that "reading comprehension" aspect too.

              See, when arbitrary code is able to be executed, that means your system can be controlled - not just the original application DoS'ed..

              Less reactionary apologistic responding, more reading and reading comprehension.

              Next.

              Comment


              • #22
                Originally posted by kuroth
                Ummmmmmmm So whats going to happen???

                Is my wenner going to fall off????????


                One of two things could possibly happen:

                1) Civilization 4 crashes.
                2) Someone is able to get (potentially remote) control of your Windows system, and do as they wish with it.

                Your "wenner" is fine. Your PC may not be.

                Next.

                Comment


                • #23
                  Originally posted by Cambo67
                  Updating those files _may_possibly_ reduce some of the problems people have been having.

                  You might also want to download the MSS and Bink files from www.radgametools.com - instructions for updating the required files are in a post somewhere. I'm trying to find it again ;-)



                  Cambo
                  Updating the files will at least reduce the exposure to the known vulnerabilities that the previous (included) versions have.

                  As well, it may/will reduce potential/actual instability related to other bugs and flaws.

                  And yes, the MSS and BINK library modules are also out of date. The Bink library in particular is absurdly out of date - 2 years in fact (updates are free to license holders)

                  Take note that the MSS version shipped with Civ 4 is from September 7 2005 - whereas the latest available version of zlib - 1.2.3 - is from July 7 2005.

                  If they could include third party code from September in time for the RTM, certainly, they could include third party code from July - 2 months prior to that.

                  Ah yes, nothing like 100% Pure Genuine Incompetence.

                  Next.

                  Comment
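An added example, not part of any post in this thread: one way to find which binaries in an install folder carry a zlib older than the 1.2.3 release named above. It relies on the version-bearing copyright banners that zlib compiles into any binary linking it; the file names in `demo()` and the helper names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# zlib's deflate/inflate sources embed banners such as
#   " inflate 1.2.3 Copyright 1995-2005 Mark Adler "
# so the version survives static linking and file renaming.
BANNER = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+)+)\S* Copyright 1995-")
FIXED_IN = (1, 2, 3)          # release the thread names as carrying the fixes
BINARY_SUFFIXES = {".dll", ".exe", ".pyd"}


def zlib_versions(data: bytes) -> set[tuple[int, ...]]:
    """Return every distinct zlib version whose banner appears in data."""
    return {
        tuple(int(part) for part in m.group(1).decode().split("."))
        for m in BANNER.finditer(data)
    }


def scan_install(root: Path) -> list[dict]:
    """Walk root and report each binary that embeds a zlib banner."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in BINARY_SUFFIXES:
            continue
        try:
            data = path.read_bytes()   # game binaries are small enough to read whole
        except OSError:
            continue                   # locked or unreadable file: skip, keep scanning
        for version in sorted(zlib_versions(data)):
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "version": ".".join(map(str, version)),
                "outdated": version < FIXED_IN,
            })
    return findings


def demo() -> list[dict]:
    """Scan a constructed folder of fake binaries (not real game files)."""
    old = (b"\x00 deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00"
           b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00")
    new = b"\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "game.exe").write_bytes(b"MZ" + old)
        (root / "bin" / "patched.dll").write_bytes(b"MZ" + new)
        (root / "bin" / "clean.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "notes.txt").write_bytes(b" inflate 1.1.4 Copyright 1995-2002 ")
        return scan_install(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A banner match only shows which zlib source a binary was built from; whether the vulnerable code path is reachable from saves, mods or network traffic still depends on how the application uses it.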


                  • #24
                    Originally posted by meowsqueak
                    Civ4 is not a system program.
                    Civ4 is not a security gateway or point of responsibility.
                    Civ4 does not marshall resources.

                    These vulnerabilities are irrelevant.

                    You shouldn't be running Windows anyway...
                    You are not a genius.
                    You are not smart.
                    You do not know what you are talking about.

                    Civ4 is in fact a "system program" - it is a program, that runs on a system. Generally called an "application".

                    Civ 4 is in fact a "point of responsibility" since in fact it:

                    1) runs on the system
                    2) has network code and access functionality

                    Civ 4 does in fact "marshall resources" - many of them in fact, to do what it does as an application - video, sound, RAM, hard disk, I/O, network, etc.

                    Your ignorance is very relevant.

                    The likelihood of someone playing Civ 4, and not running Windows, is extremely low (since in fact, it's required)

                    Next.

                    Comment


                    • #25
                      Originally posted by Cordelayne
                      The lead post in this thread is really ridiculously breathy and irresponsible. There is no realistic security threat. It's crap reporting.
                      About as irresponsible as shipping an application containing third party code libraries with very well known security vulnerabilities that can:

                      1) Crash the application
                      2) Provide complete system control to an attacker

                      Yes, it's not realistic, I only provided all the substantiation to show it is.

                      It's so unrealistic, that there are no security advisories about the zlib flaws, there was no widespread industry media reporting of them, and the zlib.net page itself, doesn't make it clear that the latest version fixes the two vulnerabilities.

                      "Crap reporting" is what you may get when Civ 4 crashes, and the Windows Error Reporting Tool pops up to tell you as such. "Crap reporting" indeed.

                      Next.

                      Comment


                      • #26
                        Originally posted by Oerdin
                        Bah! Who leaves civ4 running when they're not there? This is meaningless.
                        How about having Civ 4 running when you are there, playing online, and suddenly it either crashes, or, better yet, seemingly starts to "play itself". Of course, for many of you, that's probably a net benefit scenario - the attacker will probably play the game better than you can.

                        Heck, everybody knows no one ever leaves an application running and then walks away! Impossible!

                        Besides, everyone also knows that security vulnerabilities only exist when someone ISNT sitting at the PC!

                        It's so "meaningless", that a new version of zlib was released to specifically address the flaws, CERT has security reports for it, and the industry media reported on it, because most programs use it.

                        Yup, meaningless.

                        Next.

                        Another bright star of cogitative reasoning

                        Comment


                        • #27
                          Originally posted by player1
                          So someone can make a MOD that is in fact a virus.
                          That's all?

                          Since I don't see other way how this could affect players?

                          You need either deliberately corrupted zlib archive or malicious Python code.

                          Right?
                          Depends. Depends on where/how/when Civ 4 uses the zlib and python libraries.

                          It could be that zlib is used for saving/loading games. It could be that zlib is used to compress/decompress data transmitted in network multiplayer...

                          That's the thing - we don't know, only Firaxis does. Only they can specifically respond as to how/when/where zlib and python are used in Civ 4. In fact, it's their responsibility to do so.

                          However, until they do so, we simply have the facts of the security vulnerabilities themselves to guide us, and we already know what they are:

                          1) Can crash Civ 4.
                          2) Can take remote control of the system that Civ 4 is running on.

                          If Firaxis has information they wish to provide that informs the public as to the specifics for how these flaws affect Civ 4 and could be taken advantage of, it's up to them to provide it (and fix it hopefully as well).

                          They have yet to even acknowledge the problem publicly (or privately), much as was the case until yesterday in regards to a patch for all the obvious known bugs otherwise in the game.

                          A responsible competent company would both provide information to the public, and fix the issue(s).

                          Of course, a responsible competent company would never have shipped the game with the utterly outdated and known-insecure third party modules to begin with.


                          Next.

                          Comment


                          • #28
                            Originally posted by GodSpawn
                            What a hysterical and alarmist post (the OP).

                            The "vulnerability" can - at worst - cause Civ to crash. Ooooooh, I'm soooo scared!

                            Now, if Civ was a virus checker, or some kind of firewall or system tool, it may be different. But it's not. It's Civ. Duh!
                            Yes, it's rather hysterical indeed, that a company would ship a product with utterly outdated and insecure third party code libraries.

                            I know I'm laughing. And screaming.

                            The vulnerabilities (yes..plural..reading works, try it) can cause Civ 4 to crash..OR..can provide an attacker with complete control of the system due to the arbitrary memory execution aspect of the buffer overrun vulnerability.

                            Reading works. Really. Try it.

                            So let me get this straight...Civ 4..is not a Word Processor, it's not a Food Processor, and it's not a Summons Processor?

                            Wow, brilliant observational skills there.

                            Oh, I get it, you are one of those silly ignorant people that believes, for some bizarre reason, that only specific applications/services, can be "insecure", and other applications/services are "magically protected by the ignorance shield of the gnomes".

                            Right.

                            NEWSFLASH: Any/all Operating systems/OS Services/OS applications/OS Utilities/Software of any kind.... can be, is...and are, insecure.

                            For example, Microsoft has even in the (recent) past released security updates for Word and Access.

                            But hey, the "magical security dwarves" tell you that only "Security" software, can be insecure (the irony), so, hey, you are "ok dude".

                            Next.

                            Comment


                            • #29
                              Originally posted by tiny toad
                              Would this explain when I had crashes that rebooted my PC... in event manager all it mentioned was `windows security center has activated`???? Could this be the cause of the reboots???????
                              It's possible, though, the info you are providing would indicate a different direction to focus on for the source of the crashing/rebooting.

                              It's possible that it's a zlib flaw in another program with out of date zlib source code/libraries.

                              Or it could be caused by one of the many many many security vulnerabilities in just about every piece of software out there, gone unnoticed/undiscovered, or, most likely, unpatched.

                              Not enough information to know that your crashes/reboots originated from the Civ 4 third party libraries, but my guess is that it is completely unrelated.

                              Comment


                              • #30
                                Originally posted by Moonbars
                                I would imagine that the versions of these programs that shipped are the versions that were used for final testing before the game went gold. If they'd updated them the day before they went gold, they'd have had to spend another month doing QA and testing.. the OP should revoke his silly post.
                                You would imagine eh? It's obviously the case. So, they used old version of third party code libraries for their final testing before RTM eh?

                                Genius I say! Another stater of the obvious!

                                That added a lot of insight.

                                Strangely enough, they were able to use Miles Sound System version 7.0c - dated September 7, 2005. Yet, they weren't able to use zlib version 1.2.3 (the latest version with the security fixes) - dated July 18, 2005.

                                So, how is it that they could obviously use a third party code library from ONE month prior to RTM, but they couldn't use another third party code library from THREE months prior to RTM, but instead used a version from SEVEN months prior to RTM, eh?

                                Obviously, QA lead time wasn't an issue, considering that the version of the Miles Sound System code library they used was released just over a month before Civ 4 was RTM. If one month was enough, certainly 3 months was enough, eh, genius?

                                You should revoke your ignorant post, but not before conceding in utter embarrassment your ignorance and inability to read or comprehend what you read.

                                Next.

                                Comment
