Firaxis in their infinite incompetence has shipped Civilization 4 with an entirely outdated and insecure version of the zlib compression library (ZLIB1.DLL)!
Firaxis in their infinite incompetence has also shipped Civilization 4 with an entirely outdated and insecure version of the python programming language (PYTHON24.DLL)!
Zlib Insecurity Details:
------------------------
The zlib library file is located in the Civ4 main installation folder (generally c:\program files\firaxis games\sid meier's civilization 4).
The version that ships with Civ 4 - 1.2.1 - contains two different security vulnerabilities (not to mention being utterly out of date):
1) http://www.kb.cert.org/vuls/id/238678
"Un-handled error conditions in the zlib compression library may allow an attacker to cause a denial-of-service condition.
There is a vulnerability in the error handling mechanisms of the decompression functions in the zlib compression library. The decompression functions inflate() and inflateBack() fail to handle certain error conditions properly. If an un-handled error condition is raised, the application linked to zlib may abruptly and abnormally terminate. This vulnerability may be exploited locally or remotely depending on the application being attacked.
This issue exists in zlib versions 1.2.0.x and 1.2.x, other versions are not vulnerable."
2) http://www.kb.cert.org/vuls/id/680620
"A buffer overflow in the zlib compression library may cause any application linked to zlib to improperly and immediately terminate.
There is a buffer overflow in the zlib data-compression library caused by a lack of bounds checking in the inflate() routine. If an attacker supplies the inflate() routine with a specially crafted compressed data stream, that attacker may be able to trigger the buffer overflow causing any application linked to zlib, or incorporating zlib code to crash. According to reports, the buffer overflow is caused by a specific input stream and results in a constant value being written into an arbitrary memory location. This vulnerability may be exploited locally or remotely depending on the application being attacked.
This vulnerability only affects zlib versions 1.2.1 and 1.2.2."
As you can see, Civ4 is clearly vulnerable, as zlib1.dll is required by and called by the main executable, Civilization4.exe.
The version of zlib shipped with Civ4 (1.2.1) is 2 versions (and 3 months) out of date - the current version, as of July 18, 2005 (3 months before the game was RTM'ed), is 1.2.3. 1.2.3 was released specifically to address these two security vulnerabilities.
These two (latest) zlib library vulnerabilities were widely publicized back in July:
Nor is this the first time the zlib library has been known to be insecure, and it is highly irresponsible and rather incompetent of the Firaxis code managers and developers to have allowed this to slip past them, especially considering the amount of media attention these flaws were given.
Python Insecurity Details:
--------------------------
The Python library file is located in the Civ4 main installation folder (generally c:\program files\firaxis games\sid meier's civilization 4).
The version that ships with Civ 4 - 2.4.1 - contains the aforementioned zlib vulnerabilities (it includes the zlib library source), not to mention several security vulnerabilities of its own:
2.4.2 fixes numerous security-related bugs, including cross-site scripting vulnerabilities, etc.
As you can see, Civ4 is clearly vulnerable, as python24.dll is required by and called by the main executable, Civilization4.exe.
The latest version of Python is 2.4.2 (September 28, 2005 - a month prior to the game being RTM'ed), and version 2.4.1 (the one that ships with the game) was released March 30, 2005. 2.4.2 specifically addresses both its own security vulnerabilities from 2.4.1 and includes the updated zlib 1.2.3 source code.
Firaxis should be ashamed and highly concerned that all of their third party code libraries, but most especially the insecure zlib and Python ones, were out of date at the time the game was RTM'ed.
Unless and until a patch for Civ 4 is released by Firaxis/Take2 containing updated third party code libraries (ZLIB1.DLL version 1.2.3, PYTHON24.DLL version 2.4.2, etc.), the following solution is provided:
Solution:
---------
Update zlib:
1) Locate zlib1.dll in the c:\program files\firaxis games\sid meier's civilization 4 folder, and rename it zlib1.dll.old.
2) Download zlib version 1.2.3 from: http://www.zlib.net/zlib123-dll.zip
3) Save the zip file wherever you see fit, uncompress it, and copy the extracted zlib1.dll file to the c:\program files\firaxis games\sid meier's civilization 4 folder.
Update Python:
1) Locate python24.dll in the c:\program files\firaxis games\sid meier's civilization 4 folder, and rename it python24.dll.old.
2) Download python version 2.4.2 from: http://www.python.org/ftp/python/2.4.2/python-2.4.2.msi
3) Install Python 2.4.2, locate the python24.dll file in the c:\python24 folder, and copy it to the c:\program files\firaxis games\sid meier's civilization 4 folder.
4) Uninstall Python 2.4.2 (this step is optional; skip it if you want to keep the entire Python programming package installed).
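To confirm that the swap actually took, it helps to read the version out of the DLL bytes rather than trusting the file name. The script below is an added example, not part of the original post or of any Firaxis/zlib/Python code; it assumes (heuristically) that zlib1.dll embeds zlib's " inflate <version> Copyright ... " string and that python24.dll carries its "2.4.x" version literal as a NUL-terminated string, and it compares whatever it finds against the 1.2.3 / 2.4.2 releases the post names as fixed.

```python
import re
from pathlib import Path

# Versions the post names as containing the fixes (assumption: this is the bar to check against).
MIN_SAFE = {"zlib1.dll": (1, 2, 3), "python24.dll": (2, 4, 2)}

# Heuristic markers (assumption, not taken from the post): zlib's inflate.c embeds
# " inflate <ver> Copyright ... Mark Adler ", and python24.dll stores its PY_VERSION
# literal "2.4.x" as a NUL-terminated string.
PATTERNS = {
    "zlib1.dll": re.compile(rb" inflate (\d+)\.(\d+)\.(\d+) Copyright"),
    "python24.dll": re.compile(rb"\x00(2)\.(4)\.(\d+)\x00"),
}

def embedded_version(name, blob):
    """Return the (major, minor, patch) tuple found in the DLL bytes, or None if absent."""
    m = PATTERNS[name].search(blob)
    return tuple(int(g) for g in m.groups()) if m else None

def check_library(name, blob):
    """Return (version, safe); safe is True only when the version is at or above MIN_SAFE."""
    ver = embedded_version(name, blob)
    return ver, (ver is not None and ver >= MIN_SAFE[name])

def check_install_dir(folder):
    """Check each library in the game folder; a missing or unrecognised file counts as unsafe."""
    results = {}
    for name in MIN_SAFE:
        path = Path(folder) / name
        blob = path.read_bytes() if path.exists() else b""
        results[name] = check_library(name, blob)
    return results

# Constructed sample byte strings standing in for real DLL contents (not real files).
SAMPLE_ZLIB_OLD = b"MZ\x90\x00..\x00 inflate 1.2.1 Copyright 1995-2003 Mark Adler \x00"
SAMPLE_ZLIB_NEW = b"MZ\x90\x00..\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
SAMPLE_PY_OLD = b"MZ\x90\x00\x002.4.1\x00#build, date\x00"
SAMPLE_PY_NEW = b"MZ\x90\x00\x002.4.2\x00#build, date\x00"

if __name__ == "__main__":
    # Default to the install folder the post names; pass another path if yours differs.
    folder = r"c:\program files\firaxis games\sid meier's civilization 4"
    for name, (ver, safe) in check_install_dir(folder).items():
        shown = ".".join(map(str, ver)) if ver else "unknown"
        print(f"{name}: {shown} -> {'ok' if safe else 'UPDATE NEEDED'}")
```

A matching version string is not proof of integrity: compare the replacement DLL's hash against the archive you downloaded from zlib.net or python.org before trusting it.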
Again, it cannot be stressed enough how incompetent and irresponsible Firaxis and Take 2 have been in regards to shipping Civilization 4 with insecure outdated third party code libraries, and they should be held to task for doing so.