Originally posted by Error404
Very very interesting answers... really! But you forgot just a thing or two...

1. First of all: you've to be connected. It could be. But it could be not. And if I'm not connected what's the vulnerability? *None at all*. Maybe you'll find this solution a bit crude but I find it very interesting...

2. We are talking about vulnerabilities of DOS attack. Not a dark person controlling my computer secretly and doing what he/she wants from the other corner of the world without possibility of my defence. Someone could make a non-right-handled-error-request to my civ4.exe application (that must be running - *must be*, it's not enough to have it installed) and make it crash. Do you realize how many *billions* other program could make it???? (I mean a DOS attack)

3. Even if I'm connected and I'm running my cIV game in singleplayer, this hacker have to bypass my firewall - a very restrictive firewall I do not autorize any program to access internet if I'm not the one using it. So a DOS attack directed to the civ4.exe application is completely harmless without my will.

In conclusion, the only possibility remaining is when I'm playing an on-line game.

And what could be happen? My computer will crash. Ok, I lived 30 years with Windows that makes it possible every single moment of my life, I can stand it. ehehe

P.S.
However, as I said in my first post, those news you brought are usefull indeed and I've already updated everything. I was only complaining about the tone you used to say it... let's say just a little bit catastrophic for me...

P.P.S.
I'm sorry for my - not so bright - english, it's not my native language...

Originally posted by Cambo67
CivIndeed, you certainly know how to antagonise people....

You also show a complete ignorance of how software actually works, and what can be accessed via the 'Net.



Cambo
(PC Engineer & MilSim programmer)

Originally posted by Stromprophet


I love this part.

You can talk all you want about these technical issues. (Which I don't give a crap I've been playing a lot and nothing has happened, even if it did I make enough money in a week to buy a brand new computer and I wouldn't give a crap.)

More specifically about playing the game.

Unless you are Kaak, or Eyes. Or someone who played on the ladders for Civ I, II, and III and actually achieved number 1. I don't want to hear it.

I wonder, did you ever even play against the best players? I did. WhoTF are you? This kind of freaking nonsense is what makes something enjoyable less appealing.

B.S. Mechanical Engineering, M.S. Mechanical Engineering
Purdue University
Project Manager/System Designer

Originally posted by seebs
Mr. Indeed does not seem to understand how the zlib buffer vulnerability works.

It would allow any of the compressed files the game uses to be specially altered to, uhm, change the behavior of the game.

Admittedly, this could be an issue for some mods, so they should fix it.

Originally posted by Darg
Dear god.. people like indeed shouldn't be allowed access to the outside world.

In fact that's a great idea. If you're so scared of DoS attacks then go disconnect your computer from the net and don't ever plug it in again. Please!

I sure as hell know that running Morpheus or Limewire opens my computer up to a hell of a lot more security vulnerabilities then Civ4 ever could and I have no problem using it.

If worst comes to worst I get a trojan that Norton can't fix and I have to format my C Drive.

So what? I have all my programming projects and graphics work backed up.

Jesus.. I hate people like you. And I'm a nice kinda guy.

Originally posted by Cambo67
Well, I suppose, if you think you are such an expert on all this, perhaps you could supply an example programme which shows how these dangerously insecure libraries can be exploited....

Originally posted by Once
WARNING! CivIndeed ships with critical insecurity vulnerabilities!

Originally posted by CivIndeed


Oh, clearly.



Perhaps you need a refresher course on "Hurried Reading" - or perhaps you should simply take the time to do the minimal reading necessary to respond appropriately.

"There is a buffer overflow in the zlib data-compression library caused by a lack of bounds checking in the inflate() routine. If an attacker supplies the inflate()routine with a specially crafted compressed data stream, that attacker may be able to trigger the buffer overflow causing any application linked to zlib, or incorporating zlib code to crash. According to reports, the buffer overflow is caused by a specific input stream and results in a constant value being written into an arbitrary memory location. This vulnerability may be exploited locally or remotely depending on the application being attacked."

"A remote attacker be able to exploit this vulnerability by supplying the inflate() routine with specially crafted compressed data. As a result, applications linked to the zlib library may abruptly and abnormally terminate resulting in a denial-of-service condition. According to public reports, this vulnerability can be exploited to execute arbitrary code, but we have not confirmed this."

Remotely exploitable (depending on the application), and allows a DoS scenario, and/or an arbitrary code execution.

That would be "zombie making".

It all depends on how the zlib functionality is used. Network data compression? File Save/Load? Mod/scenario processing? general data compression within RAM?



And it is insecure.



Well, obviously, to frustrate deep thinkers such as yourself.

And to practice my straw-man identification and mockery skills.



I'd like to know what standard you are applying in order to make this claim.

But, there are many people, who would insist that Conquests, their most recent Civ code release prior to Civ 4, is still extremely buggy, and remains unpatched, to this day.

There is a pretty long extensive list of all the still-unpatched bugs and errors in Conquests somewhere "these parts".



Probably. The released version of this game is clearly and most definitely unfinished (regardless of the understandable reason why in terms of 2K's schedule shift).

I doubt the outdated insecure third party code library issue will be addressed in this first patch, which will only make the situation worse for them.



Good luck with that. Firaxis is a small company, and Take Two/2K is handling their support, and they arent much bigger. Reports ive read elsewhere indicate an utter lack of interest beyond listening to the issue, and providing ignorant/insufficient response back - standard tech support stuff there. Not to mention a 7-10 day "lag" from 2K to Firaxis communicating the issues.

Remember, they dont even have forums of their own - the Civ 4 site links to this one, and CivFanatics.

There is a good chance they are reading messages and threads here because of that, though, dont expect them to respond here at all. Perhaps they posted here in the past, i dont know, i cant say as ive really spent much time here - i created this account merely to inform tyhe public of the significant security issue the release of the game has presented.



Love is a temple.

Originally posted by Raion
If your brain was not where you sit, you would know that it is Microsoft's fault.

There have been court cases because -- Microsoft does not release enough info to program the computer properly, so therefore, before these court cases blaming Microsoft -- you can expect other third party programs never to work as they should or could because of Microsoft.

So quit blaming anyone else for the fact that Microsoft does not really release enough info to properly program a computer --- all bought up with the court cases.

Therefore and only therefore, it is Microsoft's fault!

So get your hearing and head checked, because you are not making any sense with any of this thread!

Why do you think Microsoft was sued by -- Europe -- and others recently?

Because simply no one can make a program as good as Microsoft because they are hiding vital infomation needed to make the programs work as well!

It is Microsoft's fault!

Write that out --- 5000 times until it sinks into your head, and quit talking from where you sit in the chair on your computer!