Unity has a giant security flaw that needs “immediate action” to patch

Games using version 2017.1 or later need to be patched.

Any game or application using Unity version 2017.1 or later has a highly severe security vulnerability that will need “immediate action” to be patched out.

The vulnerability was first discovered in June of this year, and means that users were “susceptible to an unsafe file loading and local file inclusion attack depending on the operating system.” Those who would exploit the vulnerability could execute local code or grab info at “the privilege level of the vulnerable application”.

Last week, Unity advised that developers will need to patch existing games and applications built using 2017.1 or later, and update their version of the Unity Editor when it comes to creating new games and applications.

While Unity’s new tools will work for most existing games and applications, those that use tamper-proofing or anti-cheat solutions will need to “rebuild your project with the patched update for your version of the Unity Editor and redeploy to maintain these protections,” Unity advised. “Patching your existing application isn’t possible because it will trip the tamper protection.”

Unity was careful to point out that despite the vulnerability being very severe — earning a CVSS score of 8.4 out of a possible 10 — “there is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.”

Developers needing to access Unity’s new tools can do so here.


About the author

Steve Wright

Steve's the owner and Editor-in-Chief of Stevivor.com, the country’s leading independent video games outlet. Steve arrived in Australia back in 2001 on what was meant to be a three-month working holiday before deciding to emigrate and, eventually, becoming a citizen.
