Dude, they shipped with several third party code libraries, and dude, every single one of them was out of date dude!

Dude, they picked the versions so long before they shipped, that they included a version of the Miles Sound System library that was released ONE month before they RTMed the game, dude.

Yet, dude, they couldnt include the latest secured version of the zlib library that was released THREE months before they RTMed, dude.

Dude, thats how incompetent and irresponsible they are, dude.

Its not like its that difficult for them to include the latest available versions of the third party code libraries when they RTM, dude!

Stop the damn ignorant apologism, dude!

Very very interesting answers... really! But you forgot just a thing or two...

1. First of all: you've to be connected. It could be. But it could be not. And if I'm not connected what's the vulnerability? *None at all*. Maybe you'll find this solution a bit crude but I find it very interesting...

2. We are talking about vulnerabilities of DOS attack. Not a dark person controlling my computer secretly and doing what he/she wants from the other corner of the world without possibility of my defence. Someone could make a non-right-handled-error-request to my civ4.exe application (that must be running - *must be*, it's not enough to have it installed) and make it crash. Do you realize how many *billions* other program could make it???? (I mean a DOS attack)

3. Even if I'm connected and I'm running my cIV game in singleplayer, this hacker have to bypass my firewall - a very restrictive firewall I do not autorize any program to access internet if I'm not the one using it. So a DOS attack directed to the civ4.exe application is completely harmless without my will.

In conclusion, the only possibility remaining is when I'm playing an on-line game. And what could be happen? My computer will crash. Ok, I lived 30 years with Windows that makes it possible every single moment of my life, I can stand it. ehehe

P.S.
However, as I said in my first post, those news you brought are usefull indeed and I've already updated everything. I was only complaining about the tone you used to say it... let's say just a little bit catastrophic for me...
P.P.S.
I'm sorry for my - not so bright - english, it's not my native language...

Isn't there is also an option of making Civ4 MOD with malicious Python code or with corrupt zlib archive?



Agreed here.

Let's just hope developers noticed this.

Please be more civil.
Your warnings are infomative, but you are just being too rude to everybody.

CivIndeed, you certainly know how to antagonise people....

You also show a complete ignorance of how software actually works, and what can be accessed via the 'Net.



Cambo
(PC Engineer & MilSim programmer)

I love this part.

You can talk all you want about these technical issues. (Which I don't give a crap I've been playing a lot and nothing has happened, even if it did I make enough money in a week to buy a brand new computer and I wouldn't give a crap.)

More specifically about playing the game.

Unless you are Kaak, or Eyes. Or someone who played on the ladders for Civ I, II, and III and actually achieved number 1. I don't want to hear it.

I wonder, did you ever even play against the best players? I did. WhoTF are you? This kind of freaking nonsense is what makes something enjoyable less appealing.


B.S. Mechanical Engineering, M.S. Mechanical Engineering
Purdue University
Project Manager/System Designer

Here, have some cheese to go with the whine.

Really, none of those listed were all that bad. Sure, not up to date, but didn't see anything in there to create zombies, so chill. They ship with what they ship.. just thank god they aren't M$... we'd wait 2 months to get a patch that wouldn't fix the original problems and then would create others.

Another clever genius. This time, a real connoisseur of facetious sarcasm and mockery.

Werent "that bad" eh? Another reader with fantastic reading comprehension skills.

Yeah, its true enough, having the application crashed, and/or the entire system compromised and remotely controlled..yeah...that isnt "all that bad".

What was i thinking?

They ship what they ship eh? Really? Another fantastic contributer of the obvious. That added a lot. A real voice of thoughtful reason. Next you'll be telling me "Civ 4 is Civ 4..."

Its true they arent Microsoft. They also arent General Electric, or IBM. Genius observational skills i say! So, who else arent they?

Well, at least we dont have to wait for a patch from Firaxis (obviously, we all already have one), and we can sure as heck know that the patch we all already have, will be the first and only one issued for the game.

Next.

Why, thank you for the kind words. Sarcasm is a skill and I am glad you appreciate the way it just rolls on out.

Having the application crash or a DoS attack on your PC is NOT giving control of it to someone else. I didn't see anything in the notes (which were hurriedly read) about making a zombie of the machine, but if its there, then that IS a serious issue. And I will happily admit to it.

And yes, 'they ship what the ship' is apparently something that needs to be said. A number of people seem to want them to wave a magic wand and make the code perfect. Can't be done. 'It is what it is' is a profound truth that some people cannot grasp.

Well they apparently are not a company you want to do business with, among other things. So why do you? But you are correct: we are talking about Firaxis, which has done a fairly good job on patching previous games in the past.

I expect there will be a number of patchs from Firaxis. I'll be happy if there is just one and it fixes 90% of the issues. If they make it worse, I'll be calling them and complaining, not wasting time complaining on a Fan board.

Your personal attacks were well thought out and well delivered. I give you a 9 out of a possible 10... you were reaching a bit on the last paragraph.

CivIndeed:
It would be smart to listen to player1's advice. We appreciate the information, but personal attacks will catch up with you very quickly.

Mr. Indeed does not seem to understand how the zlib buffer vulnerability works. It would allow any of the compressed files the game uses to be specially altered to, uhm, change the behavior of the game.

Admittedly, this could be an issue for some mods, so they should fix it.

Dear god.. people like indeed shouldn't be allowed access to the outside world.

In fact that's a great idea. If you're so scared of DoS attacks then go disconnect your computer from the net and don't ever plug it in again. Please!

I sure as hell know that running Morpheus or Limewire opens my computer up to a hell of a lot more security vulnerabilities then Civ4 ever could and I have no problem using it. If worst comes to worst I get a trojan that Norton can't fix and I have to format my C Drive. So what? I have all my programming projects and graphics work backed up.

Jesus.. I hate people like you. And I'm a nice kinda guy.

Get some Prozac, dude.

Oh, clearly.

Perhaps you need a refresher course on "Hurried Reading" - or perhaps you should simply take the time to do the minimal reading necessary to respond appropriately.

"There is a buffer overflow in the zlib data-compression library caused by a lack of bounds checking in the inflate() routine. If an attacker supplies the inflate()routine with a specially crafted compressed data stream, that attacker may be able to trigger the buffer overflow causing any application linked to zlib, or incorporating zlib code to crash. According to reports, the buffer overflow is caused by a specific input stream and results in a constant value being written into an arbitrary memory location. This vulnerability may be exploited locally or remotely depending on the application being attacked."

"A remote attacker be able to exploit this vulnerability by supplying the inflate() routine with specially crafted compressed data. As a result, applications linked to the zlib library may abruptly and abnormally terminate resulting in a denial-of-service condition. According to public reports, this vulnerability can be exploited to execute arbitrary code, but we have not confirmed this."

Remotely exploitable (depending on the application), and allows a DoS scenario, and/or an arbitrary code execution.

That would be "zombie making".

It all depends on how the zlib functionality is used. Network data compression? File Save/Load? Mod/scenario processing? general data compression within RAM?

And it is insecure.

Well, obviously, to frustrate deep thinkers such as yourself.

And to practice my straw-man identification and mockery skills.

I'd like to know what standard you are applying in order to make this claim.

But, there are many people, who would insist that Conquests, their most recent Civ code release prior to Civ 4, is still extremely buggy, and remains unpatched, to this day.

There is a pretty long extensive list of all the still-unpatched bugs and errors in Conquests somewhere "these parts".

Probably. The released version of this game is clearly and most definitely unfinished (regardless of the understandable reason why in terms of 2K's schedule shift).

I doubt the outdated insecure third party code library issue will be addressed in this first patch, which will only make the situation worse for them.

Good luck with that. Firaxis is a small company, and Take Two/2K is handling their support, and they arent much bigger. Reports ive read elsewhere indicate an utter lack of interest beyond listening to the issue, and providing ignorant/insufficient response back - standard tech support stuff there. Not to mention a 7-10 day "lag" from 2K to Firaxis communicating the issues.

Remember, they dont even have forums of their own - the Civ 4 site links to this one, and CivFanatics.

There is a good chance they are reading messages and threads here because of that, though, dont expect them to respond here at all. Perhaps they posted here in the past, i dont know, i cant say as ive really spent much time here - i created this account merely to inform tyhe public of the significant security issue the release of the game has presented.

Love is a temple.

Yes.

You can safely (meaning the game will load and run) update ZLIB1.DLL, PYTHON24.DLL, and BINKW32.DLL

However, i recommend not to update the MSS32.DLL file to the latest version, as they game wont load (at least not on my system with an X-Fi Fatality and the latest drivers from the 15th, if i get bored enough i'll try to look into where the failure point is)