{"id":4066,"date":"2015-06-16T20:29:04","date_gmt":"2015-06-16T20:29:04","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4066"},"modified":"2019-11-15T13:58:15","modified_gmt":"2019-11-15T11:58:15","slug":"0day-in-unity-web-player-partially-mitigated-still-unsafe","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/0day-in-unity-web-player-partially-mitigated-still-unsafe\/4066\/","title":{"rendered":"0Day in Unity Web Player: partially mitigated, still unsafe"},"content":{"rendered":"<p>A serious zero-day has been disclosed in Unity Web Player, a visualization browser plugin developed by Unity Technologies alongside its game engine. As Threatpost <a href=\"https:\/\/threatpost.com\/zero-day-disclosed-in-unity-web-player\/113124\" target=\"_blank\" rel=\"noopener nofollow\">reports<\/a>, the zero-day allows an attacker to use a victim\u2019s credentials to read messages or otherwise abuse their access to online services.<\/p>\n<p><strong>Unity: 125 million<\/strong><\/p>\n<p>Unity Technologies is the developer of a namesake cross-platform game engine that became\u00a0extremely popular in recent years, largely due to its intuitive UI and WYSIWYG-based development process, as well as the existence of a free version for hobbyist and indie developers. With a recent update to version 5.0 lots of feature limitations had been removed, so its popularity climbed.<\/p>\n<p>It is used mainly to develop video games for PC, consoles, mobile devices and websites; however, it is also actively used by non-gaming businesses to create real-time interactive visuals right in a browser window \u2013 domestic designers, furniture manufacturers, 3D planning, construction apps, and many others. <a href=\"http:\/\/unity3d.com\/showcase\/gallery\/non-games\" target=\"_blank\" rel=\"noopener nofollow\">This gallery<\/a>\u00a0provides a full\u00a0picture.<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"1160\" height=\"653\" src=\"https:\/\/www.youtube.com\/embed\/CLPBFlA1DAw?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p><a href=\"http:\/\/unity3d.com\/webplayer\" target=\"_blank\" rel=\"noopener nofollow\">Unity Web Player<\/a> is, true to its name, a browser plugin which allows the running of games and other apps created with Unity development tools. Facebook also uses the Unity Web Player in many of its games and has an SDK it offers to embed Facebook features in games. This creates an extra route for an attack as the actor can attempt to inject a malicious app into a Facebook game.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>0Day in Unity Web Player: partially mitigated, still unsafe #security<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FqA3s&amp;text=0Day+in+Unity+Web+Player%3A+partially+mitigated%2C+still+unsafe+%23security\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>According to Unity Technologies, the player has been downloaded more than 125 million times. Even if \u00a0every download doesn\u2019t lead to installation and regular use, that figure is quite formidable.<\/p>\n<p>In fact, there are no reports \u2013 so far \u2013 of any large-scale exploitations of Unity bugs on the web. The newly-disclosed bug is very dangerous on its own, for apparent reasons.<\/p>\n<p><strong>The bug<\/strong><\/p>\n<p>According to a researcher who discovered the flaw, an attacker exploiting the vulnerability would first have to lure the victim to the attacker\u2019s site hosting the malicious Unity app, or inject the app onto a legitimate site or onto a Facebook game. The vulnerability allows the malicious Unity app to bypass cross-domain policies in place that prevent apps from accessing URLs and other resources from outside websites or the local file system. Exploiting this vulnerability in Internet Explorer, for example, allows an attacker to read locally stored files, which is as bad as it gets.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Unity Web Player: too popular to disregard its flaws #security<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FqA3s&amp;text=Unity+Web+Player%3A+too+popular+to+disregard+its+flaws+%23security\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>Added to the trouble is the fact that it had been reported to Unity six months ahead of current disclosure, apparently without any reaction from Unity Technologies. Until now, though: The company has said it takes measures to counter the problem. But it currently has a different problem with Unity Web Player, which largely mitigates the issue with a bug.<\/p>\n<p><strong>NPAPI<\/strong><\/p>\n<p>Google has recently disabled by default its 1990s era NPAPI in Chrome 42. It is an old API that is notorious for crashes and poses some security concerns on its own, so no surprise Chrome developers decided to start getting rid of it.<\/p>\n<p>Currently the users should manually re-enable this API, otherwise Unity Web Player will not run. The plugin disabling also affects Java and Silverlight plugins, \u2013 now they are off by default too. Still, unless you suddenly happen to run Chrome below version 42 (the current one is 43.0 and the browser is updated automatically), a vulnerability is there.<\/p>\n<p>Also, it works as an ActiveX element in Internet Explorer. An experience with the latest Firefox and freshly updated Unity Web Player showed that either the vulnerability was no longer present or that the test tool wasn\u2019t working properly. Regardless, this situation shows that it is extremely important to keep your software updated, especially the web-related one.<\/p>\n<p>Technical details on the vulnerability and the possible ways of exploitation can be found <a href=\"https:\/\/threatpost.com\/zero-day-disclosed-in-unity-web-player\/113124\" target=\"_blank\" rel=\"noopener nofollow\">at Threatpost<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A serious zero-day has been disclosed in Unity Web Player. We provide a full breakdown of what it means and how you can protect yourself.<\/p>\n","protected":false},"author":209,"featured_media":15350,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[957,2314,2315],"class_list":{"0":"post-4066","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-0day","10":"tag-unity","11":"tag-unity-web-player"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/0day-in-unity-web-player-partially-mitigated-still-unsafe\/4066\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/0day-in-unity-web-player-partially-mitigated-still-unsafe\/4066\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/0day-in-unity-web-player-partially-mitigated-still-unsafe\/4066\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/0day\/","name":"0day"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=4066"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4066\/revisions"}],"predecessor-version":[{"id":24582,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4066\/revisions\/24582"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15350"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=4066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=4066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=4066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}