EA Origin vuln puts players at risk

[Winter]

New article on EA Origin accounts

A flaw in EA's Origin game store puts its 40 million or so users at risk of remote execution vulnerabilities
The vulnerability was described by security researchers Luigi Auriemma and Donato Ferranta of ReVuln, in a paper released on Saturday.

...

At the time of writing, EA had not responded to our requests for further information. This news comes alongside the abrupt departure of EA chief executive John Riccitiello. ®

 

[Crysta]

Well, guess that's good news for most of us at least. Glad they never hooked UO into it.

 

[Lord Frodo]

Origin works by using uniform resource identifiers (URIs) to authenticate and initiate games on players' machines. The attack works by spoofing the URI via an URL on a third-party website, so that when a person clicks it, Origin silently opens and loads a file onto the users' machine.

And this affects UO how.

 

[Winter]

.. And this affects UO how.

It doesn't. But if you had read the rest of the article, you would see that it affects any log in or link to Origin.... like the Origin store, accounts linked to Origin, etc. Or isn't that relevant?

"But the way the software authorizes players can also be used to hijack computers and install malicious software, the researchers found.
"The Origin platform allows malicious users to exploit local vulnerabilities or features, by abusing the Origin URI handling mechanism," they write. "In other words, an attacker can craft a malicious internet link to execute malicious code remotely on victim’s system, which has Origin installed."

 

[Llewen]

EA should have swallowed it's pride and made an agreement with Valve to use Steam as it's digital content delivery vehicle. There was no reason to reinvent the wheel and force their clients to have multiple instances of similar systems installed. And that's not even considering the horrific farce the Origin content delivery system has been since day one.

 

[Lord X]

EA should have swallowed it's pride and made an agreement with Valve to use Steam as it's digital content delivery vehicle. There was no reason to reinvent the wheel and force their clients to have multiple instances of similar systems installed. And that's not even considering the horrific farce the Origin content delivery system has been since day one.

Not to mention that at least with Steam, there would be a little bit of advertising for UO.

 

[Aurelius]

It doesn't. But if you had read the rest of the article, you would see that it affects any log in or link to Origin.... like the Origin store, accounts linked to Origin, etc. Or isn't that relevant?

"But the way the software authorizes players can also be used to hijack computers and install malicious software, the researchers found.
"The Origin platform allows malicious users to exploit local vulnerabilities or features, by abusing the Origin URI handling mechanism," they write. "In other words, an attacker can craft a malicious internet link to execute malicious code remotely on victim’s system, which has Origin installed."

For clarity though, the issue as described is entirely with the Origin 'platform software', there has been absolutely NO demonstration that simply using the Origin store webpage is compromised in any way. There's a possible method, which might work but needs a fair amount of other things happening to function.

 

[Aurelius]

EA should have swallowed it's pride and made an agreement with Valve to use Steam as it's digital content delivery vehicle. There was no reason to reinvent the wheel and force their clients to have multiple instances of similar systems installed. And that's not even considering the horrific farce the Origin content delivery system has been since day one.

While I agree they should have been less keen ion 'inventing the wheel' and making their own store, just to quote from the full paper about the Origin insecurity that kicked this conversation off,

"As we have demonstrated for Steam in our previous paper, Steam Browser Protocol Insecurity, almost the same design problem applies for Origin "

 

[Winter]

For clarity though, the issue as described is entirely with the Origin 'platform software', there has been absolutely NO demonstration that simply using the Origin store webpage is compromised in any way. There's a possible method, which might work but needs a fair amount of other things happening to function.

I disagree with your first statement in that there is never a demonstrated vulnerability until someone actually makes a virus/trojan out of it. So, that statement really makes no sense in that the vulnerability is still there.

Now, I do agree that it would take a fair amount of work and just the right amount of clicking to get the vulnerability to work, but all it takes is one exploit to spread it even further if the exploit designers are clever - it's a shotgun approach, but happens all the time when there are hundreds of million users. Or in this case, 40 million Origin store users.

I'm just saying, the more these kinds of vulnerability get noticed, the faster a fix gets posted. Account Center down for maintenance? Probably not this, but who knows?

 

[Llewen]

While I agree they should have been less keen ion 'inventing the wheel' and making their own store, just to quote from the full paper about the Origin insecurity that kicked this conversation off,

"As we have demonstrated for Steam in our previous paper, Steam Browser Protocol Insecurity, almost the same design problem applies for Origin "

Good catch, but from years of experience with both Valve and EA, I trust Valve to quickly, and competently, fix a vulnerability far more than i do EA. But anyway, enough EA bashing. I'm sure that the upcoming account management maintenance includes a fix for this vulnerability. Even EA isn't going to let something like this go without doing everything possible to fix it as quickly as possible.

 

[Aurelius]

I disagree with your first statement in that there is never a demonstrated vulnerability until someone actually makes a virus/trojan out of it. So, that statement really makes no sense in that the vulnerability is still there

Now, I do agree that it would take a fair amount of work and just the right amount of clicking to get the vulnerability to work, but all it takes is one exploit to spread it even further if the exploit designers are clever - it's a shotgun approach, but happens all the time when there are hundreds of million users. Or in this case, 40 million Origin store users.

I'm just saying, the more these kinds of vulnerability get noticed, the faster a fix gets posted. Account Center down for maintenance? Probably not this, but who knows?

Fair enough, but as it's still only at 'proof of concept' and is a variant on a similar technique they identified for Steam, but which seems to have been either disabled or not been 'exploited' as a vulnerability (as far as anyone seems to know), I'm not overly concerned for folks who only use the online 'store' part of Origin - but if I had downloaded the full package I'd certainly be disabling the less secure elements until I was certain EA had addressed them.

 

[Aurelius]

Good catch, but from years of experience with both Valve and EA, I trust Valve to quickly, and competently, fix a vulnerability far more than i do EA. But anyway, enough EA bashing. I'm sure that the upcoming account management maintenance includes a fix for this vulnerability. Even EA isn't going to let something like this go without doing everything possible to fix it as quickly as possible.

I agree, the track record of EA on fixing things properly is not impressive, but as I just posted in reply to Winter, I don't feel too concerned just yet as a simple 'buyer' on the Origin stores... and as you say, even EA can't afford this sort of potential for another bad publicity day, especially right on the heels of Sim City