Anarchy Online and Age of Conan Vulnerabilities Fixed 24
dachshund writes "The Baltimore Sun reports that security firm Independent Security Evaluators has disclosed vulnerabilities in the popular MMORPGs Age of Conan and Anarchy Online. The flaws (which have since been patched) allowed a malicious user to read files from and take control of another player's computer. The full details of the attack are available, including a video (hi-res MOV) showing how the targeted player's client can be crashed, and how an attacker can save and run scripts on the victim's computer."
For AoC's sake (Score:1, Troll)
I Wonder if this happened... (Score:1)
Anarchy Online? (Score:1)
Re: (Score:3, Informative)
There's a graphics update due to be released (if ever), that would revamp the game entirely. Lots of players are waiting on it.
Ahem (Score:3, Informative)
Ahem. It was IIRC the first major MMO where they just went ad-supported and otherwise let most people pay for free. Because the player base which was willing to pay for their game, had started small and was imploding.
(And if anyone wonders why, read the two reviews on Something Awful. I can personally vouch that every single problem in there was true, and a lot more. And yes, that was after the devs had proclaimed it 110% fixed and working as intended.)
According to MMO Charts, it peaked at a mere 60,000 sub
Re: (Score:2)
Well, it's not really entirely free. You can play Anarchy for free without any expansions, i.e. the "original" game. With one expansion it is IIRC 5 bucks a month, and if you want the full game, you pay the usual full price.
Anarchy isn't the most popular MMORPG, and never was. It has its issues. Let's not even talk about the dated graphics (that was already dated when it went live), it had much bigger issues with balance and exploits, and given that it was originally concepted as a PvP oriented game, that i
Re: (Score:2)
I'd be hard pressed to name an MMO that didn't launch before it was ready. That includes the current MMO darling child, World of Warcraft, which not only had horrid server problems for months after launch, but was also missing features printed in the manual (World of Warcraft Game Manual, p. 133, para 2 "Battlegrounds") for a good seven months after launch [worldofwarcraft.com].
Re: (Score:2)
WoW was surprisingly ready for release for an MMORPG. It was not without its issues and a lot of people had troubles, but generally it did work. The skills were in place, they (mostly) worked, so did the quests, etc.
This is of course to be seen relative to other MMORPG releases, not on an absolute scale. It was certainly not "finished". But it did not contain a game breaker like so many other MMORPGs at release day, which includes random and frequent crashes, skills that don't work (or get redone entirely a
Re: (Score:2)
It may not have had client crashes, but s
Let's put this in perspective (Score:2)
Let's put this in perspective. WoW was missing some features, but the ones in the game worked pretty damned well. AO, by contrast, off the top of my head had:
- massive graphics glitches. E.g., more often than not doors would turn into a swirly graphical glitch, so you can't see what awaits you on the other side. (And virtually any mission in the game consisted of lots of rooms connected by lots of doors.)
- collision code problems where you'd suddenly fall through and start swimming in the ground. Or would r
Re: (Score:2)
Just a nitpick: That isn't a bug, but a game design problem.
WoW had its share of problems, too. Heck, I'm going to copy and paste some of yours, as they were present in WoW at launch.
- Collision code problems where you'd suddenly fall through landscape to your death, fall endlessly through a featureless area with no floor; walls; or ceiling, or get stuck in the landscape itself. The second latter
Re: (Score:2)
Erh... no. Just ... no.
Anarchy was already in decline long, long before AoC came along. Personally, if you ask me, they killed it when they ended the war between Clans and Omni, mashing them together and creating some alien threat.
Anarchy was a pretty good MMORPG with a cyberpunk-esque atmosphere with a quite unique blend of different character classes (I mean, where else can you play a bureaucrat?), but it was killed entirely when they shifted the focus away from PvP to create yet another "gotta-get-them-a
Re: (Score:2)
Re: (Score:2)
That game is still around?
Yeah, I guess the last dev forgot to turn off the lights when he left.
why isn't security a priority? (Score:2, Interesting)
It doesn't surprise me. With the exception maybe of blizzard, it seems most MMO games are wholly focused on preventing cheating and entirely disregard client security as a result. I would bet that many chat interfaces have gaping holes since they aren't "core" to the gameplay - plus it gives the attacker simultaneous access to the maximum number of players.
Imagine if someone nefarious had (or did) find this exploit first. Account stealing of even 10% of an MMO's playerbase would immediately compromise any f
Re: (Score:3, Insightful)
There is also the fact that a lot of MMO companies have to get updates for features or new content out posthaste, and in some cases, regression testing to check if new code broke older code falls by the wayside.
Even worse is that most MMO clients require administrative rights. I generally don't champion WoW, but this is something Blizzard got right -- the client (and the Warden) always runs in user mode unless it is downloading and updating a new patch (where it requires admin rights to write to the Progra
Re: (Score:3, Insightful)
People just aren't security oriented. It doesn't matter what environment you're in. Unless it's your main focus, you're not likely to care as much about security as whatever it is that's your focus. That's assuming you're even aware of security implications.
There's exceptions of course. Some people just are naturally inclined to think about security ("just because I'm paranoid, it doesn't mean they're not out to get me"). But that's a small percentage of the population. And probably a base talent to g
This happens in security-is-a-priority software (Score:2)
Look at the details of the exploit: exploitation of a web browser and then privilege escalation by clobbering a trusted processes' stack because it didn't check input. The list of well used programs which have NOT seen buffer overrun attacks is pretty darn small, and it will continue to be small for as long as programmers insist on managing memory.
I'm of the opinion that managing memory is like writing a cryptography library: you should leave the task to someone who is actually capable of doing it. If you
We'll see more like that soon (Score:4, Insightful)
Online games are the new entry point for exploits. With OSs being fixed and locked down, the current angle of attack are web browsers and their plugins (especially the latter gain a lot of attention lately, especially plugins that are most likely present in browsers like flash players and PDF-readers). This won't work forever either.
The next will be online games. They are fairly widely spread, they usually use standardized ports and they are also usually done with security as a minor concern, if any. I'd be especially wary of games that require a forwarded port to work properly, but any game communicating with a server is a possible attack vector.