Unreal Vulnerable to DoS Attack


An interesting story up on Bluesnews today.  It appears that there is a potential risk in all Unreal games leaving users open to Denial of Service, DDoS, and Bounce attacks online.  Compounding the issue, the problem is not isolated to new releases, but to all Unreal games from the original Unreal to the recent Unreal 2.  Read on for some specifics.

Blues states:

The report outlines the problem, which affects dozens of games from Unreal through Unreal II, and describes how the author of the report held off on publicizing this for almost three months to give time for Epic to devise a fix. I contacted Epic's Mark Rein to ask about this and he was very frank about how this had indeed been brought to their attention, but had unfortunately fallen through the cracks. He sent along a list of changes for the next planned UT2003 patch which will now address these vulnerabilities, and says it's likely that a small patch will be issued to address these in the original version of Unreal Tournament as well. As for other games using the Unreal engine, he says that fixes like this are always made available to licensees, who will then be able to issue patches of their own should they so choose.

Three months is a disturbing amount of time for this revelation to have passed without a pre-emptive fix.  I'm not remotely suggesting that Epic ignored the problem, but it does raise questions as to how serious and inherent a problem this is with the engine.  Mark Rein goes on to say:

I won't sugar coat this. We f*cked up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now. We are working on fixing this now and we will have this fixed in an upcoming patch before too long.

You know, I just have a ton of respect for this guy.  When it hits the fan, this guy is there to step up and take the flack.  - Elysium


I can understand, with Epic being pretty busy with UT2003 and UT2, why they haven't got round to fixing it yet, and I have to say it's pretty refreshing to see someone step up to the plate and say "Sorry guys, our fault, we're working on it!" Not enough of that going on at all!

Here's the thing, though.  The vulnerability has been in the engine since 1998 and yet nobody has noticed this.  What gives?  They've had a lot longer than 3 months to identify and fix the problem.  Saying "We f*cked up on this" doesn't begin to describe the problem; not only is Epic affected, but all of the developers who have been licensing the engine for the last 5 years are now in trouble, too.

In their defense, it's a pretty strange place to go looking for DoS vulnerabilities.  How many people have checked around in Morrowind or Tiger Woods 2003 for that kind of vulnerability?  If it was a subtle, fairly obscure opening, you might very well have no idea to even suspect such a thing.  Look at it this way, it took eight years for anyone to notice the problem, not just Epic.

- Elysium

What the heck is the vulnerability anyways? I mean, is it that a hacker could possibly use all machines playing Unreal online to perform a DOS attack? Or is it that someone could DOS your machine? I have yet to find the actual vulnerability; the site that originally had the link took it down. I mean, I really don't see the big deal, although I am sure there is some Canadian conspiracy brewing to bring all UT2K3 sessions on my PC to their knees MUHAHAHAHAHAHA!!!