Announcement

Collapse
No announcement yet.

WARNING! Civ4 Ships With Critical Security Vulnerabilities!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • WARNING! Civ4 Ships With Critical Security Vulnerabilities!

    Firaxis in their infinite incompetence has shipped Civilization 4 with an entirely outdated and insecure version of the zlib compression library (ZLIB1.DLL)!

    Firaxis in their infinite incompetence has also shipped Civilization 4 with an entirely outdated and insecure version of the python programming language (PYTHON24.DLL)!

    Zlib Insecurity Details:
    ------------------------

    The zlib library file is located in the Civ4 main installation folder (generally c:\program files\firaxis games\sid meier's civilization 4).

    The version that ships with Civ 4 - 1.2.1 - contains two different security vulnerabilities (not to mention is itterly out of date):

    1) http://www.kb.cert.org/vuls/id/238678

    "Un-handled error conditions in the zlib compression library may allow an attacker to cause a denial-of-service condition.

    There is a vulnerability in the error handling mechanisms of the decompression functions in the zlib compression library. The decompression functions inflate() and inflateBack() fail to handle certain error conditions properly. If an un-handled error condition is raised, the application linked to zlib may abruptly and abnormally terminate. This vulnerability may be exploited locally or remotely depending on the application being attacked.

    This issue exists in zlib versions 1.2.0.x and 1.2.x, other versions are not vulnerable."


    2) http://www.kb.cert.org/vuls/id/680620

    "A buffer overflow in the zlib compression library may cause any application linked to zlib to improperly and immediately terminate.

    There is a buffer overflow in the zlib data-compression library caused by a lack of bounds checking in the inflate() routine. If an attacker supplies the inflate()routine with a specially crafted compressed data stream, that attacker may be able to trigger the buffer overflow causing any application linked to zlib, or incorporating zlib code to crash. According to reports, the buffer overflow is caused by a specific input stream and results in a constant value being written into an arbitrary memory location. This vulnerability may be exploited locally or remotely depending on the application being attacked.

    This vulnerability only affects zlib versions 1.2.1 and 1.2.2."


    As you can see, Civ4 is clearly vulnerable, as zlib1.dll is required by and called by the main executable, Civilization4.exe.

    This version of zlib shipped with Civ4 (1.2.1) is 2 versions (and 3 months) out of date - the current version, as of July 18, 2005 (3 months before the game was RTM'ed) is 1.2.3. 1.2.3 was released to specifically address these two security vulnerabilities.

    These two (latest) zlib library vulnerabilities were widely publicized back in July:

    .xyz is for every website, everywhere.® We offer the most flexible and affordable domain names to create choice for the next generation of internet users.


    Nor is this the first time the zlib library has been known to be insecure, and it is highly irresponsible and rather incompetent of the firaxis code managers and developers to have allowed this to slip past them especially considering the amount of media attention these flaws were given.

    Python Insecurity Details:
    --------------------------

    The Python library file is located in the Civ4 main installation folder (generally c:\program files\firaxis games\sid meier's civilization 4).

    The version that ships with Civ 4 - 2.4.1 - contains the aforementioned zlib vulnerabilities (it includes the zlib library source), not to mention several security vulnerabilities of its own:

    The official home of the Python Programming Language


    2.4.2 fixes numerous security related bugs, including cross site scripting vulnerabilities etc.

    As you can see, Civ4 is clearly vulnerable, as python24.dll is required by and called by the main executable, Civilization4.exe.

    The latest version of Python is 2.4.2 (September 28, 2005 - a month prior to the game being RTM'ed), and version 2.4.1 (that ships with the game) was released March 30 2005. 2.4.2 specifically addresses both its own security vulnerabilities from 2.4.1, and includes updated zlib 1.2.3 source code.

    Firaxis should be ashamed and highly concerned that all of their third party code libraries, but most especially the insecure zlib and Python ones, were out of date at the time the game was RTM'ed.

    Unless and until a patch for Civ 4 is released by Firaxis/Take2 containing updated third party code libraries (ZLIB1.DLL version 1.2.3, PYHTON24.DLL version 2.4.2, etc, the following solution is provided:

    Solution:
    ---------

    Update zlib:

    1) Locate zlib1.dll in the c:\program files\firaxis games\sid meier's civilization 4 folder, and rename it zlib1.dll.old.
    2) Download zlib version 1.2.3 from: http://www.zlib.net/zlib123-dll.zip
    3) Save the zip file as you see fit, and uncompress it or copy the uncompressed zlib1.dll file to the c:\program files\firaxis games\sid meier's civilization 4 folder.

    Update Python:

    1) Locate python24.dll in the c:\program files\firaxis games\sid meier's civilization 4 folder, and rename it python24.dll.old.
    2) Download python version 2.4.2 from: http://www.python.org/ftp/python/2.4.2/python-2.4.2.msi
    3) Install Python 2.4.2, locate the python24.dll file in the c:\python24 folder, and copy it to the c:\program files\firaxis games\sid meier's civilization 4 folder.
    4) Uninstall Python 2.4.2 (this step is optional, unless you want to keep the entire Python programming package installed)

    Again, it cannot be stressed enough how incompetent and irresponsible Firaxis and Take 2 have been in regards to shipping Civilization 4 with insecure outdated third party code libraries, and they should be held to task for doing so.

  • #2
    Those are usefull news indeed thank you! I'll upgrade everything ASAP!

    But... well acting as it is all fault of Firaxis is like accusing them of some of the late Windows vulnerabilities...



    Ehi men!! Windows is vulnerable! Those Firaxis developers should have been chosen Debian!!! ehm... not Debian, Mac O.S.X! Ehm... no no no... Unix, yes yes UNIX is perfect...

    HTTP Error 404 - File or Directory not found
    Internet Information Services (IIS)

    Comment


    • #3
      I think you a being a little over-dramatic over this. Yes, the libraries ought to be updated - hopefully, these issues are addressed in the so-to-arrive patch.

      In mitigation to Firaxis, is should be noted that these libraries are installed in the Civ4 folder, and so are not used by any other software on your system, making the chances of them actually affecting your system securities _extremely_ remote! If the install routine put these libraries into the Windows folder tree, then, yes, there would be security concerns.



      Cambo

      PS. Thanks for spotting zlib. I had already updated MSS, Bink and Python ;-)

      Comment


      • #4
        Error404, _not_ Unix! Linux, yes, but not Unix. Especially not SCO OpenSewer 6.0

        (Just do a bit of reading around Yahoo! Finance SCOX message board, GrokLaw, etc to find out why)



        Cambo

        Comment


        • #5
          Originally posted by Cambo67
          Error404, _not_ Unix! Linux, yes, but not Unix. Especially not SCO OpenSewer 6.0

          (Just do a bit of reading around Yahoo! Finance SCOX message board, GrokLaw, etc to find out why)



          Cambo
          eheh just joking Cambo

          (Since I'm not aware of any really perfect O.S. )
          HTTP Error 404 - File or Directory not found
          Internet Information Services (IIS)

          Comment


          • #6
            Ummmmmmmm So whats going to happen???

            Is my wenner going to fall off????????


            Comment


            • #7
              Updating those files _may_possibly_ reduce some of the problems people have been having.

              You might also want to download the MSS and Bink files from www.radgametools.com - instructions for updating the required files are in a post somewhere. I'm trying to find it again ;-)



              Cambo

              Comment


              • #8


                seems to be the one ;-)



                Cambo

                Comment


                • #9
                  Civ4 is not a system program.
                  Civ4 is not a security gateway or point of responsibility.
                  Civ4 does not marshall resources.

                  These vulnerabilities are irrelevant.

                  You shouldn't be running Windows anyway...

                  Comment


                  • #10
                    The lead post in this thread is really ridiculously breathy and irresponsible. There is no realistic security threat. It's crap reporting.

                    Comment


                    • #11
                      Bah! Who leaves civ4 running when they're not there? This is meaningless.
                      Try http://wordforge.net/index.php for discussion and debate.

                      Comment


                      • #12
                        Hackers making warriors beat down my modern armor....now I know how they did it!

                        Comment


                        • #13
                          Dude they ship with what they get in before the game goes gold. They probably pick the programs they're going to use long before that. It's not like it's that difficult to update yourself. Stop the damn whining.
                          I used to be Darkknight.. many many moons ago. "CTP2 is almost out!!" time.

                          Comment


                          • #14
                            Will updating the dll libs allow Civ4 to be played?

                            I remember the bad old days of dll hell with the earlier versions of Windows. Update the dll and all sorts of strange things could happen.

                            Comment


                            • #15
                              Fire Microsoft!

                              Comment

                              Working...
                              X