WARNING! Civ4 Ships With Critical Security Vulnerabilities!


  • #76
    Originally posted by player1
    I only returned to the thread to post an update about 1.08 patch.

    It changed zlib1.dll to version 1.2.3 and binkw32.dll version to 1.8.6.

    That's it.


    EDIT:
    By the way patch was for short available at automatic update, but then got "canceled" (maybe because of some error in autopatcher?)
    I think that downloadable version of patch can still be found in Apolyton directory.
    So, no Python patch. Which is about what I would have expected.


    • #77
      Originally posted by Raion
      And let me add also:

      Blaming Civ IV for shipping with a third-party programs to allow modding the game such as python or with zlib that only decompresses files is only bashing Civ IV!
      It's hard to blame an abstract object per se, however, Firaxis is responsible for their code as shipped (which includes third party code), and 2K has some responsibility as well.

      So yes, Firaxis (and 2K) are to blame for shipping their game with outdated insecure third party code libraries.

      It's not arguable (though some attempt to as some strange form of apologism).

      All programs need updates because it is the OS from Microsoft first that needed the update for the security problem.
      You are going to need to completely rephrase and re-express this idea.

      The vulnerabilities in the third party code libraries that ship with Civ 4 have absolutely nothing to do with Microsoft (though Microsoft has used zlib itself in several software products).

      In fact, the security vulnerabilities affect many different software vendors across many operating systems (there are 2, this is just one of them):



      Would it help to communicate the real structure needed for you to understand the issue?
      No, it would help if you could communicate in a structure called "Standard English".

      zlib library had to be updated to a new version since it makes calls into the OS of your computer, and those calls had to be updated since the OS has the security issue in the first place.
      You utterly don't understand the nature of these vulnerabilities - they exist in third party code integrated into many different applications and operating systems, either as a library, or into the application/OS source itself.

      In this case, it's a zlib library (DLL) shipped with Civ 4 and installs in the Civ 4 folder that essentially only Civ 4 would ever make usage of.

      Now a new zlib library can be downloaded since our code had to be fixed because the OS had to be fixed in the first place for the security issue that was involved.
      "Our" code?

      The rest is completely nonsensical. You clearly don't understand that these flaws are OS independent (many different apps/OSs use zlib) and exist in third party source code/libraries that either were incorporated within app/OS code, or in an external library.

      Gee, python had to update their program for scripting the python language used in the game to allow modding of the game, because again, there were bugs found in the OS from Microsoft.
      I don't follow this. Python updated their program because of OS bugs?

      The python folks disagree with you:

      "Upgrade Windows build to zlib 1.2.3 which eliminates a potential security vulnerability in zlib 1.2.1 and 1.2.2."

      The security vulnerabilities are in zlib - code from zlib.net - not OS bugs in Windows coded by MS.

      You are highly confused. I suggest you try reading comprehension as well.

      These issues affected the API calls that we had made to make our program work in the first place, and has nothing to do with our program.
      "We"? Who is it that you think you represent and are speaking on behalf of?

      This should be amusing.

      Yes, changes to code libraries often/sometimes result in API call changes - though certainly not always.

      Regardless, python was updated to alleviate the security vulnerabilities brought into it by using the insecure flawed prior zlib source.

      Since our program, Python, has to be updated to fix programming problem calls into the OS which had the Security Issues, we release another version which is fixed and can be downloaded for -- free!
      "Our"?

      Yes, it's true, programs are often updated - including Python. Python had to include updated zlib source code (because the zlib source they were using before..was insecure).

      Yes, it's true, a newer version of Python is available than the one that ships with Civ 4. And it contains the fixed zlib 1.2.3 source code. It was even released weeks before Civ 4 was RTM'ed.

      Yup, it's "free".

      And also zlib Library is --- free!
      Yup, zlib is "free" too. Is irrelevant to the fact that the zlib library that shipped with Civ 4, and the python library that shipped as well, were both outdated and contained the same flawed insecure zlib code.

      Both do not have to be used with the game Civ IV, merely Civ IV did use those third party programs to make the game -- allowed to be modded by -- free -- and again I say -- free programs that anyone can use to mod the game of Civilization IV.
      You sure seem focused on "free."

      It's true "both do not have to be used with the game Civ IV" - However both were and are.

      .....

      Are you going to mention "free" again?

      So, I did take programming, and I do know that what I say is what everybody else says, but does not always communicate anymore --- it is the darn OS again with the Security Problem and since they changed that -- we have to change our program.
      "We"?

      HINT: the flaws in the zlib source/code shipped with Civ 4, are flaws in the zlib source/code in the zlib and python libraries, not in MS Windows.

      I need a chorus line for this.......

      Logic, you gotta get this thing!

      Now, since CivIndeed you do not know what you are really talking about
      Irony - this coming from the person claiming that the security vulnerabilities are in Windows - but not in the zlib source/code. And from the person saying Civ4 (and Firaxis apparently) can't be blamed for shipping outdated insecure third party code.

      I know, Microsoft forced Firaxis to ship those outdated insecure third party code modules.

      This is a classic example of rationalized apologism.

      Painful.

      I think that you perhaps are the one that should be not allowed to post anymore, since it is you, who think that you are smarter than everyone else here, but have not proved one iota of anything since you posted this thread!

      I certainly have proved that Firaxis shipped Civ 4 with outdated insecure third party code libraries.

      And that rational reality really upsets liberal subjective emotionalists.

      Ah yes, silence the soothsayer. I'll add "socialist" to the list....

      Next.


      • #78
        Originally posted by Raion
        Also since zlib library and also python are separate programs that anyone can use in programming a program and not necessarily in Civ IV --
        Irrelevant. The zlib DLL and python DLL that ship with Civ 4 contain insecure zlib code.

        Get off the soapbox, you really do not know what you are talking about, and I am being nice, since you will not agree, but I do know at least that :
        Truth does tend to bother many. But hey, don't hold back! Show me that "meanness".

        I have used zlib before with another game and program, and I can use Python anytime I want to!
        Uh..ok. I like spaghetti. I have eaten it before! I can eat it anytime I want to! One time...at sarcasm camp...

        Hey get this - many many software applications (and operating systems) use zlib in some form or another.

        So bashing Civ IV is not going to be done by you or others who seemingly do not know anything of what you are talking about!
        If informing the developer, publisher, and public about security flaws and bugs in software products is "bashing", then I recommend a "bash party".

        Bash away, dudes.

        If you can not accept that -- then:
        Like others
        Oh yeah, that made sense - about as much as the rest...


        Take your computer in to a computer technician to repair it!
        But that isn't "free". eh? And since you are the advocate of all things free, you should be recommending that everyone get those "free update downloads", and install them, for "free".

        Did you forget about "free"?

        Go see a psychologist if needed!
        Go read a dictionary. Go take a basic logic course. Etc etc.

        Next.


        • #79
          Originally posted by Aileron


          ZLIB1.DLL and PYTHON24.DLL are mentioned in your OP. How can BINKW32.DLL be updated?
          You'll have to obtain it from another program (copy it from an install), or obtain the SDK from RAD Games Tools (paid for license).

          If the Firaxis developers have any degree of competence, they'll provide it with a patch (hopefully the first one).


          • #80
            Originally posted by Krill
            [q=CivIndeed]I doubt the outdated insecure third party code library issue will be addressed in this first patch, which will only make the situation worse for them.
            [/q]

            Quoted For Truth, so I can ram it back down your throat when the build notes for the first patch are released.
            It certainly won't "upset" or "anger" me if they release updated third party code libraries in their first patch.

            That's a Good Thing (TM).

            If in fact the third party code libraries are updated to the latest versions in the first patch, it would only make me a "bad prognosticator" - nothing more.

            Next.


            • #81
              Originally posted by VetLegion
              CivIndeed, thank you for informing us about this. While I think the chance of someone exploiting the security vulnerabilities is very low, you have done the right thing and I feel I need to give you thumbs up, especially with so many people here insulting you.
              No problem.

              As far as probability of exploitation goes, I'll just throw out the fact that it's the #1 selling game (at some period), it's been marketed heavily, it's gotten very good reviews, it's been highly anticipated, and it contains extremely popular third party code libraries, two of which contained zlib vulnerabilities that got widespread industry media attention earlier this year, because of the widespread usage of zlib.

              It's also become faster and easier for exploits/exploit utils to be created and circulated.

              When it comes to network multiplayer games, one doesn't need to look far to see the utility advantage (cheating, knock the competition offline) in exploiting one of these for DoS purposes.



              And another thing - wouldn't you expect Apolyton to report about this?
              They may have. However, I can tell you that I reported this vulnerability to Firaxis and 2K as best I could (lack of appropriate emails, and they never responded back in specific acknowledgement), and to several tech media sites and other venues I thought would have significant interest in this story.

              I didn't receive a single response from anywhere (other than generic email responses from 2K and Firaxis).

              At the very least, it's a good story with lots of tantalizing goodies and aspects (especially for some of the news sites oriented towards "gotcha" news). But yet, nothing.

              I am subscribed to the RSS feed but I haven't seen the news item about this security problem. There are tons of news about various gaming sites giving Civ IV high scores though
              Yes, I noticed that as well. Lots of promotion/mention about the very glowing reviews.

              It doesn't surprise me - even has the look and feel of an RTS, so regardless of its glaring deficiencies and problems (it was utterly shipped early and unfinished), it was bound to get very positive reviews.

              It's an RTS world, and they became RTS interface girls.

              It is possible that mods haven't noticed this thread.
              Possible, but highly improbable. It's remained on the first page of this forum, and I've checked back at least once a day.

              Please PM them about your finds, and also remember to make an analogue thread on CivFanatics when you find something as important as this (many people frequent only one site).
              Not bothering with the PMs - I have no desire to establish a relationship per se (venues such as these tend to have ..how shall I say....personality defect folks running/managing them) with "management". I don't have much usage for such ...hierarchy.

              For example, the fact that one must "create an account" to post at most sites, is laughable. Childlike.

              I made an identical posting at CivFanatics to begin with, for maximum exposure, so that's already taken care of.


              • #82
                Originally posted by Krill
                Hey, I'll make a bet with you then.

                If it is addressed in the patch, by the devs, You owe me a line in your sig for a week. I give you a line in my sig for a week if it is not addressed.

                The same offer goes to you, CivIndeed. If this is addressed in the patch, though, I want you to change your nick to UncivilisedIndeed for a fortnight, in addition to a line in your nick for a week. If it is not addressed, I offer you a line in my sig for a fortnight.
                I'm not going to be unhappy if they update the two insecure libraries (zlib, python) at the very least, in the first patch.

                Of course, I've now seen that they released a patch, and unreleased it. Some sort of Really Obvious Bug "slipped through".

                I'm trying not to laugh. Really. Sort of.

                Looks like they not only rushed the game to market ahead of schedule, but the patch as well.

                I really truly wonder about their code management system, not to mention their QA process in coordination with 2K.

                I've now seen at least one report that they updated zlib1.dll to 1.2.3 - but not the python24.dll, in the released/pulled original patch.

                Not looking good so far.

                Again, it will be a Good Thing (TM), if they update those two libraries at a minimum.


                • #83
                  Originally posted by player1
                  I only returned to the thread to post an update about 1.08 patch.

                  It changed zlib1.dll to version 1.2.3 and binkw32.dll version to 1.8.6.

                  That's it.
                  Unfortunate, but predictable as per their previous incompetence. A half ass attempt at best. Looks like they missed the other problem child zlib-flawed library.

                  In fact, I'm not even sure 1.8.6 is the latest - I think it is, but I'm not 100% sure right now. I'll have to look into that. You can check yourself by right-clicking it, choosing properties, then the version tab, and then highlight file and/or product version. If it says "1.8g", then that's the latest.

                  EDIT:
                  By the way patch was for short available at automatic update, but then got "canceled" (maybe because of some error in autopatcher?)
                  I think that downloadable version of patch can still be found in Apolyton directory.
                  Yeah, it was pulled. Good to know it appeared via the updater though.

                  I'll try and snag a copy if I can find it and dissect it for my own "amusement".

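The version check discussed in the posts above can be automated. This is an added example, not code from any poster or from Firaxis: it searches binaries for the copyright banners that zlib compiles into every build, which also reveals a zlib that is statically linked inside another DLL. The file contents are constructed stand-ins and the function names are illustrative.

```python
"""Find zlib builds embedded in shipped binaries via zlib's copyright banners."""
import re
import tempfile
from pathlib import Path

# zlib compiles " deflate <ver> Copyright ..." and " inflate <ver> Copyright ..."
# into its object code, so the strings survive static linking into another DLL.
BANNER = re.compile(rb" (?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright ")
FIXED = (1, 2, 3)  # version the thread and the quoted Python note name as fixed
BINARY_SUFFIXES = {".dll", ".exe", ".pyd"}


def embedded_zlib_versions(data):
    """Return the set of zlib version strings whose banners appear in data."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(data)}


def is_outdated(version):
    """True if version sorts below FIXED (numeric, component-wise compare)."""
    return tuple(int(p) for p in version.split(".")) < FIXED


def audit_tree(root):
    """Map relative path -> sorted embedded zlib versions for binaries under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in BINARY_SUFFIXES:
            found = embedded_zlib_versions(path.read_bytes())
            if found:
                report[path.relative_to(root).as_posix()] = sorted(found)
    return report


def outdated(report):
    """Keep only the files that carry at least one zlib older than FIXED."""
    return {f: v for f, v in report.items() if any(is_outdated(x) for x in v)}


def build_sample_install(root):
    """Constructed stand-ins for an install folder; not real DLL contents."""
    pad = b"\x00" * 64
    old = b" inflate 1.2.2 Copyright 1995-2004 Mark Adler "
    new = b" inflate 1.2.3 Copyright 1995-2005 Mark Adler "
    (Path(root) / "zlib1.dll").write_bytes(b"MZ" + pad + new + pad)
    (Path(root) / "python24.dll").write_bytes(b"MZ" + pad + old + pad)
    (Path(root) / "binkw32.dll").write_bytes(b"MZ" + pad)  # no zlib inside


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        full = audit_tree(tmp)
        for name, versions in full.items():
            flag = "OUTDATED" if name in outdated(full) else "ok"
            print(f"{name}: zlib {', '.join(versions)} [{flag}]")
```

A missing banner does not prove zlib is absent, since packed or stripped binaries can hide it; treat a hit as evidence and a miss as inconclusive.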


                  • #84
                    Re: Re: WARNING! Civ4 Ships With Critical Security Vulnerabilities!

                    Originally posted by Mike4879


                    It cannot be stressed enough how incompetent and irresponsible you have been in exaggerating the problem in regards to insecure third party code libraries, and you should be held to task for doing so.
                    And a fine job you are doing, with the "look mom, i can post!" post.

                    Keep the pressure on, bother-man!


                    • #85
                      Krill, I was reading the manual and found out that you were a beta tester. Your "ramming down the throat" argument is easier to understand now. I really think they should have given beta testers custom titles, this is very confusing.


                      • #86
                        Originally posted by CivIndeed
                        In fact, I'm not even sure 1.8.6 is the latest - I think it is, but I'm not 100% sure right now. I'll have to look into that. You can check yourself by right-clicking it, choosing properties, then the version tab, and then highlight file and/or product version. If it says "1.8g", then that's the latest.
                        Yes that's one.


                        • #87
                          Delete this thread!


                          • #88
                            Oh, I will tell anyone why to delete this thread!

                            First, python.dll is used in the game. If the game does not call certain functions within the python.dll which it probably does not, then there is no security issue.

                            Second, zlib file decompresses files. Since it is highly unlikely that zlib will be used to Zip files across the Internet, this will not happen, and thus no security issue.

                            Since those files are only used in the game on the computer, and not while anyone is on the Internet using other programs that may use those files, the point is irrelevant, hence meaningless.

                            Read the word:

                            Meaningless!

                            and that is what this thread is!


                            • #89
                              Originally posted by Raion
                              Delete this thread!
                              Seconded!



                              Cambo


                              • #90
                                Anyone else think this guy only gets out on day release?

                                For what it's worth, I did bother to update the DLLs you picked out as there is a small risk that there could be a network delivery or mod-based exploit based on those vulnerabilities so thanks for bringing it to our attention but before being so aggressive, you need to appreciate the idea of risk assessment.

                                Can you find any report anywhere, of anyone finding a way to run code based on that zlib buffer overrun? That's assuming of course that it is used in some way to decompress network delivered code (maybe dynamic mod updates or a phished-style application auto-patch?)

                                And Raion, I don't know what you're smoking mate, but it is entirely possible for an application programmer to introduce security flaws in an application that are independent of and in addition to anything in the OS.

                                I look forward to CivIndeed's next 16-post-in-a-row tirade.
