Announcement

Collapse
No announcement yet.

WARNING! Civ4 Ships With Critical Security Vulnerabilities!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • :blink:

    right, ok.

    Not entirely sure how that's relevant to anything I said, but carry on...

    always it is the OS in your system doing all of that in the end in the first place
    It's not. Why is Outlook part of your OS?

    and do a search on here for Firefox or Apache or IIS etc.


    are they part of your OS too? No.
    Last edited by choddo; November 25, 2005, 18:31.

    Comment


    • Originally posted by Raion
      So -- to me -- always it is the OS in your system doing all of that in the end in the first place --
      Yes, the OS truly is the Alpha and the Omega. It all makes sense now!

      Comment


      • Thanks for the link. But if using a Microsoft OS, then in the beginning and in the end --- you have to make calls (call functions) that occur within the OS, unless you make a new OS, and run that instead. Then Microsoft's OS would not be required on your system.

        Yes, the program may try and separate itsself as much as it can, and that is what the python.dll is for. But even with that, within the python.dll, the darn thing still has to make calls to the OS, to make it work. No one has the time to re-code everything used to make the computer work -- it takes too long, is not done, unless one is working with a different OS, and not Microsoft.

        This is why even with Microsoft -- Include files -- which calls *.dll from Windows included, always have to eventually go through the OS time and time again. And there are thousands of those routines within Microsoft's Windows OS called whatever.dll file it is, and one can not even make a Windows without calling Microsoft's programming OS to create the window, make the handle to the window, and have anything show up on screen.
        So, even with python using python.dll to make most of its language up, that is why there is a version to download for ---- Windows, and also, different versions for different types of computer running Solaris, Linux, or Mac, or anything else. The version for Windows must be downloaded, or else Microsoft will not know what the program is doing, and Microsoft is your Big Daddy with a computer that has Windows' OS - es!

        Sid and Jeff are just your humorus Civilization IV Big Daddies!

        Comment


        • I think we're talking at cross purposes, but I'll make one last futile attempt to communicate

          Yes, I know that any vulnerability in the Operating System (of which linux has had its share) will then be a problem for any and all applications that call it.

          However

          The problem in zlib and many other programs has NOTHING to do with Windows. It is a coding error in the application itself where a data buffer is not properly handled and therefore either the pointer returned to the calling app is corrupt or potentially code can be inserted into the data and that gets executed instead.

          The only way for an OS to avoid the latter problem is to implement things like AMD's non-execution flag on certain memory addresses, which lets the computer know that a certain location is not intended to be program code, which Vista does and to a certain extent, XP SP2 does as well.

          The fact Windows has its share of holes is irrelevant although I think it's the point you're trying to make?

          You can code a leaky, insecure piece of software on UNIX or linux too. I'd argue the only OS today that stops you is Z/OS on IBM mainframes which has a similar system to the AMD one I mentioned.

          Comment


          • I am not saying that those files do not have problems in those files. I am saying that saying that the game has a problem is wrong to me. Yes, those files have a problem and new ones can be downloaded. But again, it is only called by the game for what is needed in those files, and that may not affect anything, since you are not using those files on the Internet. To me, first someone would have to do a search for those files to know if they were even on the computer, then affect those files with a security problem, then cause something else to happen, while those files are not really part of the game executable file at all. So to me, those files are not a problem, and saying that with the game, the game has a problem is not all correct. Only those files have a problem, but it would have to be proved to affect the game, then what?
            Your computer or just the game could have a problem then -- seems like an aweful waste of time to even come up with anything like that! At least to me!
            Heck, people will read an e-mail that says it was sent by the FBI and be affected? Same thing but only different.
            First someone would have to send someone something, then what, it was used in the game? It would be easier to have the human make the mistake like the e-mail from the FBI! The game is just some more code!
            I just do not see what is so difficult to understand about that!
            The game uses those files, not sending anything over the Internet or some virus that was not checked out first if you download something -- like a mod? Most of anything that has ever happened has been sent by e-mail usually, or being on the Internet in the first place.

            Not playing a game in single player. And even in multiplayer, those files are not being used - it would have to go through the game first!

            It still is proven that your OS has more security problems!

            Comment


            • I just do not see what is so difficult to understand about that!
              That it's wrong?

              For example;
              To me, first someone would have to do a search for those files to know if they were even on the computer
              Not if the payload was delivered as a Civ4 mod. Then you'd know they must have the files in order to even bother downloading the mod.

              And you'd know with a few minutes testing with a decent debugger exactly when deflate() gets called while opening mods (if at all). 30 minutes work for a decent hacker. The tough bit would be designing a datastream that executes your code.

              Your computer or just the game could have a problem then -- seems like an aweful waste of time to even come up with anything like that!
              "My computer having a problem" might be exactly what the attacker is trying to achieve
              But again, it is only called by the game for what is needed in those files, and that may not affect anything, since you are not using those files on the Internet.
              What does that even mean? What is "using a file on the internet"?

              Using Windows doesn't make you a security ignoramus who shouldn't be allowed to care about anything else running on it.

              I use Windows because it delivers applications that aren't available elsewhere, so I'd still like to know if I've got a security exposure through something like a game.

              Comment


              • Originally posted by Krill
                [q=CivIndeed]I doubt the outdated insecure third party code library issue will be addressed in this first patch, which will only make the situation worse for them.
                [/q]

                Quoted For Truth, so I can ram it back down your throat when the build notes for the first patch are released.
                So "strange" that Krill has been noticeably absent from further response since Patch 1.09 was released.

                Could it be, because they in fact, did not mention in the "build notes" (or readme file), that they had updated ZLIB1.DLL to the latest version, but neglected to update PYTHON24.DLL?

                Ah yes, nothing quite like a silent undocumented partial fix to make ones incompetence meter go "zing".

                I keep looking through the README.HTM for a mention of this "silent ZLIB1.DLL fix" (hence the world "silent"), but i cannot find it.

                Perhaps you, in your "Beta Testing Badness", can direct me to the portion thereof to support your "ramming claim", eh?

                I almost feel somewhat bad for you - but then i realize, that if in fact you were a beta tester, that i have you, among so many other incompetent (but perhaps well intended) people, to thank for such a poor RTM build.

                I'm sure you'll claim that you told them about all the obvious unmissable bugs, but they just wouldnt listen to you, but you decided to allow them to use your name anyway, because, you know, integrity means nothing to you.

                I await your further integrity-filled silence.

                Next.

                Comment


                • Originally posted by Raion
                  It still is proven that your OS has more security problems!
                  Its also been proven that the earth orbits the sun.

                  Its also utterly irrelevant to the fact that Civ 4 shipped with insecure third party code libraries, and that the 1.09 patch partially fixes the issue by installing the latest fixed version of ZLIB1.DLL, but not the latest zlib-secured version of PYTHON24.DLL, thus leaving one of the two exposed exploitation vectors.

                  If it wasnt a security issue, why bother updating ZLIB1.DLL to the latest security fixed version?

                  Did they update the library out of incompetence, or perhaps maybe malicrous intent, perhaps to make you and others claiming it wasnt insecure or a "real issue", etc etc, look foolish?

                  Next.

                  Comment


                  • civindeed

                    A lot of other people in this thread are complete bastards..push hard enough and your crap will come back at you. deal with it.

                    Comment


                    • It is not a security problem within using the game!
                      They simply do it because they know that you do not make any sense in what you are saying but other people also may think that way!

                      Afterall you can imagine anything on a computer but being able to do what you imply - and make it into a virus -- that calls into concern -- a security issue -- then why be on the Internet at all!

                      Simply being on the Internet -- can be more of a security problem with people trying to use your computer.

                      Yes, I been through it - I have not virus protection software -- simply because if on the Internet at night -- if I see data coming over the Internet that should not be coming into my computer -- by watching the data stream -- I simply disconnect!

                      No, I have not had any virus on my computer come in -- because simply I disconnect and break their connection -- and the only reason that they were finding computers is that -- I was on the Internet first -- and if other people who can do the same thing are so blind - as to allow data into their computer by leaving it on all the time -- or opening up questionable e-mail -- -then get all the protection you really need -- to run your computer -- but don't forget that in the first place -- it was through the OS that first it was allowed to happen or through human error.

                      Yes, Dave, it always has been human error!

                      Hal 9000

                      Movie -- 2001: A Space Odyssey!

                      Simply put, if Microsoft really cared about connection issues, everyone in the world would have their own IP address -- something only recently that they have even thought about!

                      First it has to get through the main server allowing your Internet connection -- and then your computer!

                      But if downloading a mod, and you are concerned if it would contain a virus -- simply put -- don't do it!

                      Or what to see if anyone else reports a problem first before using any mod!

                      The computer game of Civilization IV simply does not have that problem -- it only calls into that program -- what it needs to run the program -- it can
                      t make up anything -- it is a program - -a set of commands written in C++ computer language.

                      I really do not know of any other way to make you think about how the program works!

                      Right now, no data is coming into my computer while typing this -- if there was -- there have to be a reason why data was continuing to come in -- if it was - I simply break the connection -- no more way to get into my computer -- and since it was never completed -- no way to have a virus enter into my computer!

                      Computer are not magic or automatic, they are a program, and anything concerning computers is first -- a program turns it on - and allows it to install the OS to run the computer -- it is not magic -- it is electronic circuits that contain a BIOS that allow first of all when powering up -- to start a program that allows the computer to run - in the first place. Without the BIOS nothing can happen in a computer to start Windows in the first place!

                      Now, when I post this, a verifying of data will come back to respond that all that I typed is being uploaded to the forum posting -- and again if the data stream is keeping running allowing a reasonable exchange of data - then someone else is trying to hack into my computer -- and the connection will broken -- by me!
                      Not allowing them to succeed in the first place!

                      It is bad enough to have Microsoft think that way sometimes with concerning their Rights to not allow anyone else to copy their software so they must know what is in my computer in the first place to see if it is a copy or original software that I have on my computer --- anything else -- is a violation of applicable FBI laws -- and is against the law!

                      I don't need an e--mail saying that it is from the FBI -- sort of silly to think that in the first place!

                      So, learn something about computers and leave the rest to the industry!

                      They work at it all the time!

                      Thus allowing people to play computer games and download mods or scenarios that do not have viruses in the first place!

                      And although things could be better always -- it ain't happening anytime soon!

                      Civilization players would jump on such a person in a Heartbeat!

                      Comment


                      • This guy made a big deal out of these outdated files like last week on civ fanatics, I believe.

                        Look, as other people have already said, it's really a non-issue.

                        If these files had been implemented in some other environment, i.e., not a video game, e.g., some sort of web service, then this would be noteworthy and would in fact have already been all over bugtraq as such things always are.

                        Given the fact that this IS, in fact, a video game, the implementation makes it impossible to induce arbitrary code execution, and if anyone cares to dispute that, they may feel free to link to a proof of concept code and prove me wrong.

                        This doesn't apply to downloading malicious code. That would be possible regardless of how current any given zlib or python build would be in this game. Don't download files you don't trust, and chillax about the game being released with non-current libraries. This is standard operating procedure in the programming community. Join it and see, if you care so much.

                        Comment


                        • Raion, you have no idea what you're talking about.

                          The buffer overrun can be used to hand arbitrary executable code off to the processor. If you put the right files in a mod, and a user tries to play that mod, you can run whatever code you want on their computer. You don't need access to the python program, you just need to know when it uses zlib and what for.

                          Yes, this is "just a video game". But it's a video game that lets people distribute files it will read using zlib, and that's enough to open the door.

                          Comment


                          • You can believe what you want to!

                            However, it has to get on your machine some how first!

                            And it can be always -- human error!

                            A computer is a dumb machine, and humans are suppose to think!

                            Now, really think it over!

                            How many viruses have been downloaded by a mod for a game?

                            Say none!

                            Comment


                            • Grrr...

                              Fools all.

                              Dont you realise that this vulnerability IS being exploited?!? Oh - and you think its a microsoft thing? No it isnt - Microsoft systems are not vulnerable since they dont use it and the vulnerability was reported across the linux and unix community

                              Thanks CivIndeed. Now you know how Jesus feels. At least they didnt nail you to a tree to stop you escaping the taunts (sheesh - they even called him illegitimate so you can also understand the wrath to come too)

                              You guys should read some of the stuff I read when i got suspicious about some of the unusual behaviour I saw.

                              As a programmer of some 10yrs I found the program behaviour was too inconsistent (highly variable). A little research brought me to here amongst other places that gave me a bit of education first (see http://www.gamasutra.com/features/20...tchard_pfv.htm for example) since I'm relatively new to online gaming.

                              The python vulnerability also enables cross site scripting. IT IS BEING USED so listen to the guy. patch 161 didnt seem to fix it either. I reckon that you need to at least get python24.dll out of the windows\system32 directory when you do an install of python 2.4.3 and then you can uninstall python.

                              Suckers... patch up and shut up. Be thankful that i dont swear at or curse you.

                              PS I dont know if civ will be able to handle python 2.5 but it would be good for the guys to consider it urgently. I may then consider buying warlords but not until then.

                              Comment

                              Working...
                              X