It probably means that you should try uninstalling the game and re-installing the game after all the updates. It may have something to do with that, perhaps, and it is worth a try at least.

Okay I will try and be humorus about all of this Critical Security problems other people see!

However, if one had an OS that does not need constant updating and the Government to help solve Critical Security Problems as Microsoft is doing now, then I would try and blame other programmers, but to lumpsum all other programmers into saying that it is them and not the programmers from Microsoft first, is like trying to say that -- why don't everyone run Linux?

And I am reasonably sure that other software vendors distinctly go by what Microsoft does report on doing to make their programs.
So, without checking out the entire reason for a *.dll which is not an Executable program in the first place, then how can one assume that since the *.dll runs by other Executable programs - that first it is not the other program that is making the security issue instead of the *.dll programs!

To me, it all seems a little moot when such Critical Security Problems exist to such a high degee with the OS first, instead of with add-on programs -- that are added-on because of the way the OS is made in the first place.

Just to me though, it is like saying that there was no Big Bang that started off this Universe first, when that is the most developed theory one can come up with!

In other words, I can write a program that calls a number of functions provided by the OS, so therefore, my program would not be wrong and the Security Problem issue, it would be the OS instead, since mainly calling routines in the OS is done by the third-party program.

Yes, Drivers can be an issue, such as with hardware, but these program do not seem to be that sort of problem.

They are made to interface with the existing OS, and call the OS, or else no one would have API programming in the first place. They are not separated from the OS, but are called into action with the OS, and third party programs can not be enacted without a proper OS system.
It is impossible to me to think that way!

I defy anyone to make a program that does not call routines in the OS to make it work in the first place -- it can not be done!
Therefore, my attempt at humor may be wrong, but still, it seems to be common thinking that somehow the OS is separated from all the issues when it clearly can not and never can be separated out -- until one has a different OS to begin with!

It seems to be bantering by the person as to my way of thinking, and that is all I can say about any of it!

With over 700 function calls involving the OS and perhaps even thousands, then it is entirely possible that all the issues with any security rests within the OS of the system, instead of with the other programs!

And let me add also:

Blaming Civ IV for shipping with a third=party programs to allow modding the game such as python or with zlib that only decompresses files is only bashing Civ IV!

All programs need updates because it is the OS from Microsoft first that needed the update for the security problem.

Would it help to communicate the real structure needed for you to understand the issue?

zlib library had to be updated to a new version since it makes calls into the OS of your computer, and those calls had to be updated since the OS has the security issue in the first place. Now a new zlib library can be downloaded since our code had to be fixed because the OS had to be fixed in the first place for the security issue that was involved.

Gee, python had to update their program for scripting the python langauge used in the game to allow modding of the game, because again, there was bugs found in the OS from Microsoft. These issues affected the API calls that we had made to make our program work in the first place, and has nothing to do with our program. Since our program, Python, has to be updated to fix programming problem calls into the OS which had the Security Issues, we release another version which is fixed and can be downloaded for -- free!

And also zlib Library is --- free!

Both do not have to be used with the game Civ IV, merely Civ IV did use those third party programs to make the game -- allowed to be modded by -- free -- and again I say -- free programs that anyone can use to mod the game of Civilization IV.

So, I did take programming, and I do know that what I say is what everybody else says, but does not always communicate anymore --- it is the darn OS again with the Security Problem and since they changed that -- we have to change our program.

Now, since CivIndeed you do not know what you are really talking about -- I think that you perhaps are the one that should be not allowed to post anymore, since it is you, who think that you are smarter than everyone else here, but have not proved one iota of anything since you posted this thread!

Also since zlib library and also python are separate programs that anyone can use in programming a program and not necessarily in Civ IV --

Get off the soapbox, you really do not know what you are talking about, and I am being nice, since you will not agree, but I do know at least that :

I have used zlib before with another game and program, and I can use Python anytime I want to!

So bashing Civ IV is not going to be done by you or others who seeminly do not know anything of what you are talking about!

If you can not accept that -- then:
Like others


Take your computer in to a computer technician to repair it!

Go see a phychologist if needed!

I agree that all programs need updates, but they really should have shipped with current versions of python and zlib. The current version is such that an end-user mod could include a file which used the flaws in this version of zlib to run arbitrary code on your machine. That's not so good; data files shouldn't have risks like that.

ZLIB1.DLL and PYTHON24.DLL are mentioned in your OP. How can BINKW32.DLL be updated?

[q=CivIndeed]I doubt the outdated insecure third party code library issue will be addressed in this first patch, which will only make the situation worse for them.
[/q]

Quoted For Truth, so I can ram it back down your throat when the build notes for the first patch are released.

CivIndeed, thank you for informing us about this. While I think the chance of someone exploiting the security vulnerabilities is very low, you have done the right thing and I feel I need to give you thumbs up, especially with so many people here insulting you.



And another thing - wouldn't you expect Apolyton to report about this? I am subscribed to the RSS feed but I haven't seen the news item about this security problem. There are tons of news about various gaming sites giving Civ IV high scores though

It is possible that mods haven't noticed this thread. Please PM them about your finds, and also remember to make an analogue thread on CivFanatics when you find something as important as this (many people frequent only one site).

I don't know that I would expect them to fix this. I normally don't see things like this fixed quickly by developers. Why should they bother? In principle, since they control the data set, it's not their problem... Although I think this should be carefully considered, given that they allow mods.

Hey, I'll make a bet with you then.

If it is addressed in the patch, by the devs, You owe me a line in you sig for a week. I give you a line in my sig for a week if it is not addressed.

The same offer goes to you, CivIndeed. If this is addressed in the patch, though, I want you to change you nick to UncivilisedIndeed for a fortnight, in addition to a line in your nick for a week.. If it is not addressed, I offer you a line in my sig for a a fortnight.

Your first contribution to the thread is a wish to ram something back down someone's throat? Just because he pointed out a problem with a game?

I only returned to the thread to post an update about 1.08 patch.

It changed zlib1.dll to version 1.2.3 and binkw32.dll version to 1.8.6.

That's it.


EDIT:
By the way patch was for short available at automatic update, but then got "canceled" (maybe because of some error in autopatcher?)
I think that downloadable version of patch can still be found in Apolyton directory.

Re: WARNING! Civ4 Ships With Critical Security Vulnerabilities!

It cannot be stressed enough how incompetent and irresponsible you have been in exagerrating the problem in regards to insecure third party code libraries, and you should be held to task for doing so.

Somewhere in there, is an idea, formed in legible English, just waiting to be properly expressed....

Yeah, its looking more and more that way for you..indeed.

Oh, i know. That is very clear.

Yes, it says "may" there. I see you are working on your reading comprehension. You realize that "may be" and "maybe", do not have the same meaning, right?

If you read security bulletins/reports/advisories you will notice very consistent usage of the words "may" and "could.

"We" refers to CERT at the time they published the advisory. CERT didnt confirm themselves this specific behavior - they are just passing along the information.

Not quite. CERT was indicating that they hadnt confirmed (for themselves) whether or not it was possible to execute arbitrary code by exploiting the vulnerability. Thats it.

It didnt address the issue of whether or not they knew whether exploit code existed in one form or another, or whether an exploit had even taken place - it was simply a statement that they (CERT) hadnt confirmed one of the specific behaviors of exploiting the flaw.

Not "maybe" - "may". Please consult www.m-w.com for the difference.

Not random factors. Different factors, depending on how apps use the zlib code (as to whether its local, or remote, or both, etc), and in what form.

You still seem confused about the firewall issue. For example, if you already have established a multiplayer connection to the PC/device that sends the malformed data, the firewall isnt going to be able to do anything about that - it will of course, pass all the packets, since they would be "legit".

Indeed. It is. Computer and network security are a very "big deal". And increasingly becoming more so, and, for good reason.

Its why Microsoft for example paused all their developers/programmers programming a few years ago to "train" and "institutionalize security programming" into all their code folks.

Its why Microsoft bought and released free to the public a leading Anti-Spyware solution.

Its why Microsoft is beta testing a consumer AV/AS/Enhanced Firewall/Backup product for soon release.

Its why Microsoft enables Automatic Updates by default with SP2, and makes a "big deal" about their monthly release cycles, etc etc.

Yes, i would very much agree that its a "big deal".

Now you are getting it.

I'm sure you'll provide me with plenty of material...

Im sure its a well reasoned logical one....

Or maybe not....

Well, since you didnt notice the bugs/errors, they must not exist. And if you never notice Civ 4 being DoS'ed or your PC controlled, you must not be vulnerable.

Seems like sound logic to me.

Yes, i can say i encounted a few bugs in Conquests 1.22, and yes, they certainly affected my gameplay with differing degrees of severity.

Cant say it does. However, the Civ 3 (and expansion bugs) were frustrating and annoying at times, depending.

Of course, i probably play the game more thoroughly and completely than one such as yourself, so im sure im exposed to more of the bugs, not to mention that im obviously more observant than one such as yourself in general.

I know some folks that are "fairly happy" with colostomy bags hanging out of them. I bet they can imagine being "happier".

Lots of people are happy and content literally playing with feces. It doesnt change the fact that they are playing with feces.

I've been told that a few times.

"Infotainment" and "Edutainment" work....

I'll try to get some colostomy bag folks to post here...to keep the crap going...

Yes, its true - i posted the pertinent information elsewhere as appopriate.

However, its not the "same thread" but rather "posted an identical post" (there being a difference between post and thread...this being part of your "schooling"..like theirs)

Luckily, we have an observant intelligent person as yourself available to serve us as such.

Absolutely nothing to do with it.

Just coincidental.

And yes, its a Bad Idea (TM) to leave it knowingly security unpatched.