| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Sep 2013 09:09:02 +0200 From: RBS Research <research@...kbasedsecurity.com> To: bugtraq@...urityfocus.com Subject: An Analysis of the (In)Security State of the GameHouse Game Installation Mechanism January 2013, we encountered the latest version of RealArcade installer provided by GameHouse (a division of RealNetworks) on a system during an audit. Considering its historical vulnerabilities and recent reports about vulnerabilities in game clients/installers, we decided to take a closer look at its current security state. It was uncovered that not only was it still affected by almost two year old, publicly known vulnerabilities allowing command execution, but also new issues incl. unsafe permissions and a use-after-free. The full paper describes the flaws in the GameHouse game installer implementation for Windows, and how it exposes users’ systems. While not responsive (except a classic response from support - see timeline in report), GameHouse did silently address some of these issues in a site update around May 2013, but other concerns still remain. Blog: http://www.riskbasedsecurity.com/2013/09/an-analysis-of-the-insecurity-state-of-the-gamehouse-game-installation-mechanism/ Paper: http://www.riskbasedsecurity.com/reports/RBS-GameHouseAnalysis-Sept2013.pdf -- Carsten Eiram Risk Based Security Twitter: @RiskBased / @CarstenEiram
Powered by blists - more mailing lists