
Google has recently disabled by default its 1990s era NPAPI in Chrome 42. But it currently has a different problem with Unity Web Player, which largely mitigates the issue with a bug. Until now, though: The company has said it takes measures to counter the problem. Added to the trouble is the fact that it had been reported to Unity six months ahead of current disclosure, apparently without any reaction from Unity Technologies. Exploiting this vulnerability in Internet Explorer, for example, allows an attacker to read locally stored files, which is as bad as it gets. The vulnerability allows the malicious Unity app to bypass cross-domain policies in place that prevent apps from accessing URLs and other resources from outside websites or the local file system. The newly-disclosed bug is very dangerous on its own, for apparent reasons. According to a researcher who discovered the flaw, an attacker exploiting the vulnerability would first have to lure the victim to the attacker’s site hosting the malicious Unity app, or inject the app onto a legitimate site or onto a Facebook game. In fact, there are no reports – so far – of any large-scale exploitations of Unity bugs on the web.
Even if every download doesn’t lead to installation and regular use, that figure is quite formidable.

This creates an extra route for an attack as the actor can attempt to inject a malicious app into a Facebook game. According to Unity Technologies, the player has been downloaded more than 125 million times. Facebook also uses the Unity Web Player in many of its games and has an SDK it offers to embed Facebook features in games. Unity Web Player is, true to its name, a browser plugin which allows the running of games and other apps created with Unity development tools. It is used mainly to develop video games for PC, consoles, mobile devices and websites; however, it is also actively used by non-gaming businesses to create real-time interactive visuals right in a browser window – domestic designers, furniture manufacturers, 3D planning, construction apps, and many others.
With a recent update to version 5.0, lots of feature limitations were removed, so its popularity climbed.
Unity Technologies is the developer of a namesake cross-platform game engine that became extremely popular in recent years, largely due to its intuitive UI and WYSIWYG-based development process, as well as the existence of a free version for hobbyist and indie developers. As Threatpost reports, the zero-day allows an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services.

A serious zero-day has been disclosed in Unity Web Player, a visualization browser plugin developed by Unity Technologies alongside its game engine.
