i wrote a long response which was lost when I was re-prompted to log in so in summary form:

Thanks for the warning. I have updated the DLLs.

But get a grip on risk assessment before shooting your mouth off like a social inadequate.

Raion, if you really think it's not possible for an application to introduce a security vulnerability on top of those kindly provided by the OS, remind me not to use anything you write

Whoops, double post effectively. And I don't seem to be able to edit or delete my 2nd one.

Getting close to 16 posts here myself

I believe the issue is that someone can make a mod that *does* use the insecure functions, and then that mod could basically do anything (install a virus, install another program that takes over your computer, etc). While I do not like the tone or language of CivIndeed's posts anymore than anyone else, I do think he's right.

Exactly! In a moddable game, these security holes matter. What happens when someone does a mod which is "just like Blue Marble, only I improved some graphics", and you download it, and it installs new software on your machine? That's possible with the current install. If the patch fixes it, that would be good.

or you could just do the DLL upgrade suggested by the OP

And "it is possible" is a long way from "anyone knows how to do it"

It's really very sad that this thread is still going on. CivIndeed has obviously found something of little relevence anyway, blown it wildly out of proportion and is now milking the issue as best he can.

Of course now he's going to go on about how a security exploitation can never be out of proportion and so on...
Jesus christ man take your damn pills. It's a very very minor security issue that they have now fixed in the patch. Please tell me every other program ever written that uses the old zlib.dll file so I can go to its folder and change it immediately.

The fact is many many programs are bound to have used the old zlib.dll file and if you installed those programs then you have that file on your computer. Oh no! it's going to burn! quick! go find them and change them all!! Or else the world will explode and we'll all die from DoSes!!!!!

!!!!

AND STOP SAYING NEXT YOU ARROGANT LITTLE *****!

The problem is not just having that file somewhere. The problem is that it's used in loading mod files. This is not a hard exploit to make.

I don't much care for his tone, but I don't think he's blown it out of proportion at all. This is a serious issue that ought to be taken seriously.

The attitude I've seen in this thread towards security fixes helps me understand why Windows machines spend so much of their time running as part of botnets, though.

If the game is the only program that is using the function calls into the game, the game is not going to run any functions it does not support. There is no way to make the game use functions within the python.dll that it does not support. One would have to know and have the source code of the game to make it happen.

Those two files mentioned are only used within the game, it does not relate to anything else, files downloaded, or anything else. You can not create a virus that would run anything, because the game is the only thing using those files.

Now, since they are separate programs that can be used with other programs, and mainly since Python.dll is used totally for the python program -- that is the program that would have to be running first before it could be used for mischeivous reasons.

It simply can not be done, and I am flat out telling you that it can not be done.

First, the virus or malicious program has to get through IE first, then it has to get through the other program, so if your computer is that messed up, like it may be with other security issues, then it is not the game of Civ IV which is not calling those commands anyway, it was your entire computer system.

And if you were that concerned about security, you would not be using Microsoft OS's in the first place.

It is impossible to have a virus work that can not be called in the first place. It is not magic, it is programming, and first a reason why it would be able to happen has to be the logic behind any statements that are made!

It can not be done within the game of CIV IV, first because Civ IV is not tranmitted that way across the Internet in Multi-player or files that are only read into the game.

THe game of Civ IV is programmed in C++ and only reads files programmed with the scripting language of Python to use in the game.

Same with Zlib Libraries that one would use to program a game with, if the file was used at all.

Even with Windows programming and their numerous *.dll files that make up a Windows program, there are thousands of functions calls within those *.dll's that are never ever used. If they are never used, the entire game or program would not work, in the first place, if a virus was loaded into the game. THe program would not work, you would notice it, and hence it would not be a bug, but a virus that made the program not work. Then you would have to determine that, and just uninstall the game and re-install the game -- thus getting rid of any virus that would overwrite the game code in the first place. Since that is all Checksum-med when the game runs --- hence it is impossible to do, unless one went through all that trouble.

In fact if anyone ever could do that, then your computer would be useless, for those type of people would be doing that, and not the way they do it now through e-mail programs.

And if you are worried about e-mail files then set the darn Outlook to only download -- text and not graphics like it can be:

And Download files from forums such as Apolyton, where files are checked first before being posted!

Now, to aggravate this total unlogical line of reasoning and say that people who work computers do not know what they are doing, is to say the entire Industry does not know anything.

Obviously it does know, because it has even told Microsoft about another -- bug -- or security issue within their OS.

And believe me when I tell you -- making a program that does not involve the OS is darn = near impossible. First you never ever get it done, since all calls to making text and anything the OS does which is not magic would have to be programmed.

You end up with another OS in your system, and it would not be Microsoft anymore.
In fact all programs you try and run, would not work anymore, since you had to create a new OS and all programs to work on your computer. You would not read harddisk -- unless it was programmed by the program not using the OS in the first place.

It is so darn impossible, that other people have started programming new OS's because of that reason -- it is called --- Linux -- and that is entire other Operating System, so is the MAC computer.

Now, seemingly pointy heads can not understand the concept of computer programming in the first place, I guess. I am not being hard, just factual.

First again the game of Civ IV only calls functions it uses in the game. You would get a error message in the game from the OS, saying it can not comprehend your function call and it would not know what it was doing anymore.

Thus the game would simply crash! (Because a program is a program is a program that follows a logical sequence of line execution!)
Next the game of Civ IV has a one-line python command in this game --- its self, so one can edit one line in the python scripting language to try it out. If you like to give yourself or computer a virus -- go right ahead, but frankly -- I think that anyone else being able to do so, with files that are Checked Out before downloading if on a forum is going to be impossible.

If you download the file on your own, and do that, then it was your own fault.
If you accept e-mails that have attachment files you are the one doing it.

It was never ever in the game to begin with:

Hence it is impossible!

Thank you for your programming attention!
But there are courses one can take in College on all of this!
And I have taken those courses!

Function calls called by the program is the only thing that will work -- useless calls to functions that will not be called -- can not do anything -- hence, they will not work.

Now, go learn python scripting language and the calls used in the game -- and apply some XML programming and try and use commands (functions calls) that are not used -- and you will not be able to get those functions to work at all -- in the game!

Otherwise the game does not use python or zlib to allow you to play over the Internet. It uses C++ programming language to do that!

I should say that the game will not understand your command into the game if using the one--line python editor in the game. The game may not crash, so I should have said that the game will give:

Error --- Error --- Error ---- Error -- until you get the command corrected so the game can understand your programming. It will sit there and the game will not do anything, because first it has to understand the command that you tried to program into it.

This is done thousands of times in a a day where programmers get:

Error- --- error --- error -- until the code is corrected!
It is not magic, it is programming!

The computer unfortuneately at this time -- is the most stupid thing on this Planet. It is a tool, and only understands --- program lines that will work with it. The computer is so -- stupid --- that people have thrown it against the wall -- or shot the darn thing.
That is because --- humans are able to think -- and the computer --- can not!
It reads lines of programming to make it work, and does not work like a human! It has no intelligence -- one can not give it any intelligence in that sense -- that all has to be programmed into the computer --- hence a game comes out -- that can beat you, because first -- it was programmed that way!

It will never ever be magic though!
It simply will not be that way!

Thank you for your attention, even if you have to add some words in the previous post I typed in a hurry, because believe me:

#define WIN32_LEAN_MEAN // also put in separate file
#include // Windows Header file needed
// C RunTime Header Files
//#include
//#include
//#include
//#include

//Global Variables
HWND hWnd;
HINSTANCE hInst;
char g_szClassName[] = "Timeancy"; // the main Windows ClassName
char g_szWindowName[] = "Time";

// Forward declarations of functions used in this code module
//BOOL InitInstance(HINSTANCE, int);
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);


// Step 4: the Window Procedure
LRESULT CALLBACK WndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
// PAINTSTRUCT ps;
// HDC hDc;

switch(msg)
{
// case WM_ACTIVATEAPP:
// break;
// case WM_CREATE:
// break;
// case WM_PAINT:
// hDc = BeginPaint(hWnd, &ps);
// // TODO: Add any drawing code here...
// RedrawWindow( NULL, NULL, NULL, RDW_UPDATENOW );
// EndPaint(hWnd, &ps);
// break;
case WM_KEYDOWN: // VK_ precedes all key presses-for alphabet or numbers use case 'A':
switch ( wParam )
{
case VK_ESCAPE: // the Esc key closes down the program
DestroyWindow ( hWnd );
break;
}
case WM_CLOSE:
DestroyWindow(hWnd);
break;
case WM_DESTROY:
ShowCursor ( TRUE );
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd, msg, wParam, lParam);
}
return 0;
}

That is programming, not typing out sentences in English!

I've said this before, I'll say it again, dude what are you smoking?!? If I understand you correctly you are saying that Civ4 does not call the functions in the libraries that have the security problems. That may be true, we don't know, because we don't have the C++ source code, as I think you said. *But*, can the modifiable Python code in the .py files call those functions?

Raion, that's 2 very, very long posts to prove you don't know what the issue is.

Go and read about buffer overruns.

Well, as for my line of reasoning, I do not think that anyone could call a routine function call that could do that, if the file is downloaded from a place such as Apolyton for a mod. (just a file that someone who was malicious tried to pawn off on someone in e-mail could but only if the person downloaded the file, but not a mod file from a forum site downloaded)!

So, I just do not see the problem -- the game is still only going to call the functions that is used within the game, and those are listed over at CivFanatics where python programming (which is a scripting language) can be learned about.

The only way that I know of (and no, I do not know everything) is that malicious software comes through Internet Explorer loopholes or e-mail, mainly because they are trying to take over your computer (which also is done by being on the Internet) then the game of Civ IV is your least worry about any of that, even playing mutliplayer -- and that is just the game sending data about the game play and nothing else.

And Internet Explorer is quite a bit of different programming (like Outlook) than a computer game programmed in C++ language! (Its more of a Document type file programming outlet than a hard-coded game program and Documents are used only by IE!)

The only software downloaded by some with on-line gaming is from the Developer of the Software as found in one-online game lately because people were cheating, and from Sony Software about iTunes or something, that people are sueing about to remove that software -- all reported over at the BBC website recently.


Look in Technology on the left side link.

A mod file is probably going to be loaded up to a forum site for any of it, so again -- if someone says to download this file into your computer and it is not from a forum site -- then it is that person taking the chance, and I would not do it. I would say, like the people here say --- upload to the mod page -- that is where the file belongs!
Then players can downloaded from the mod page after that.

I am not advanced in Python programming to talk about Buffer -- Overruns or Underruns -- simply put - again the game is using C++ programming for that -- not python programming.
The game was not programmed in python, it was programmed in C++, and python is merely read-in to use in the game after the function call is checked to see if it understands what Call was made. It is all explained somewhat above!

And the two programming languages are not going to mix -- unless the C++ programming -- Calls -- the python programming, which is only read!
And only Calls required for the game to work. Otherwise -- Error!

So to me, malicious code has to have a way into your computer first -- and that can not be done through a game, unless the Developer of the game did that in the first place -- and I am reasonably sure that Firaxis just does not do that kind of programming -- as the online game Developers did -- and that was because the online players (which is only an online game) were cheating. Sony did it because -- again people were being criminals downloading free songs and such -- but still Sony may have to remove that software off of those computers!

Look at the News about it all!

And if you get an e-mail from the FBI with an attachment -- do not open it, or think it is from the FBI -- it is a virius program -- and the FBI does not send out e-mails to people -- they probably usually just break down the door, and take the computer and equipment out of the person's place of living -- never to be seen again!

When I typed "Documents" type files, that does not only refer to text files -- it is a term used in programming that the even perhaps like this forum text -- is a kind of Document file, it is a programming term and means more than just text files. A hard-coded program like Civ IV is more of a programming program that may read a Document file -- like python -- but again -- if the game does not understand the code in the first place -- it will either give an error message- -- through Windows OS - which is the OS reporting the error message -- or simply crash the game.

The game can not do what it does not understand -- and all the hoops one would have to jump through would mean that by the time anyone could program something like that -- the next version of Civilization game would be coming out!

To do that -- simply that would not be possible to do!

LOL @ FBI comment

ok your point is valid, that there has to be a call into the expoitable function by the game.

We know that the vuln in zlib isin the deflate() function being called with a malformed data stream.

We can make guesses about when deflate gets called - probably the only reason it's used.... maybe it's used when opening a saved game? I've seen one of those posted on here in threads, not an official download.

So we have to deliver a compressed file that the game tries to use. Doesn't strike me as impossible given the moddable nature of the game, and for all I know, joining a multiplayer game where a mod is in use might auto-download it ala UT. Anyone know?

Agreed that many people will only download files from forums. But are the forum mods here checking out the files with that in mind? If someone had come up with a payload that could insert a rootkit, would they even know? And what about anyone who gets one from another source?

And I think Python is used as the scripting language isn't it? So mods all use that too surely afaik? I haven't read about the vuln to be able to think up a scenario though.

I think the risk is low, as I said before, but don't dismiss it just because it's a game.

Thanks for the clarification, but you're not the only programmer on the forum

Well, I hope that I am not the only programmer on this forum. The online game is -- Warcraft -- or which again the Developer of the game did the software, not any player of the game -- online.



I still highly doubt if that could be done with Civ IV as only 12 online is allowed in a game -- not thousands like a regular only made to be played online game -- like Warcraft.

I just do not download such files, so I have not had a problem, or open an attachment in an e-mail, since Outlook even thought that my Attachment with my e-mail about my Internet Bill contained a Virus. It did not -- it contained -- the bill and how much I owed - by being on the Internet in the first place.

So -- to me -- always it is the OS in your system doing all of that in the end in the first place -- and people thinking that the FBI sends out e-mails to individuals!

Well, back to trying to learn python programming - as I do not play -- Internet online games, don't intend to die playing a game, and do not get music off the Internet unless it is free -- and there is quite a bit of free music on the Internet:



which is also CNET -- where Gamespot has a review by a couple of hundreds on Civilization IV.
(and other games also being all -- CNET).