More than 40 million users are at risk due to a flaw in EA Games' Origin digital distribution platform that could allow attackers to execute code remotely. The attack, discovered by researchers at security firm ReVuln, gives hackers an entry point for exploiting any local issue or feature of any game available on Origin. Researchers attributed the software security flaw to an underlying design problem.
Origin includes a store and a client where users can download and launch games, including several popular titles such as "Battlefield 3," "Crysis 3" and "FIFA 13." The client is seen as a competitor to Valve's Steam, in which ReVuln researchers uncovered a similar flaw last year. The flaw disclosure comes on the heels of other recent public relations challenges for EA Games, whose CEO stepped down following a rocky launch of the latest "SimCity" installment.
How the flaw works
When a game is run in Origin, the platform's digital rights management technology imposes three main launch stages: first, the game invokes Origin, passing any command line arguments to the Origin process; second, the game process dies; third, the Origin process launches the actual game, passing it the same command line arguments from the first stage. Origin communicates with games using the uniform resource identifier (URI) "origin://link." Games can also be launched with custom command line arguments. By creating an Origin link, an attacker can trigger local features and vulnerabilities.
"The Origin platform allows malicious users to exploit local vulnerabilities or features, by abusing the Origin URI handling mechanism," researchers Luigi Auriemma and Donato Ferrante wrote. "In other words, an attacker can craft a malicious internet link to execute malicious code remotely on victim's system, which has Origin installed."
In a proof of concept, ReVuln's team targeted "Crysis 3," a recent, high-profile Origin release, by exploiting a benchmark feature in its game engine to load a remote DLL. However, a hacker does not even need to have a specific target in mind to use the attack vector. If the attacker finds a set of games with a common vulnerability, he or she can brute-force the "Game ID" field in the URI to find any vulnerable game installed on the system. As a result, it is possible to perform a no-look attack on remote systems without any knowledge of the games installed.
"Using games as an attack vector is pretty difficult to spot," Ferrante told VentureBeat. "One of the reasons is that most people underestimate games as a possible way for attackers to compromise their systems."
Protecting against the flaw
Users can mitigate the issue by disabling the origin:// URI with third-party tools, according to researchers. This workaround prevents desktop shortcuts or websites with custom command line parameters from launching games, requiring users to launch games directly from Origin. Since the root cause is a design issue, this workaround is the only protection for users at the moment.
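Where the handler cannot be disabled, a mail or web gateway can flag origin:// links in untrusted content before a user clicks them. The following is an added example, not code from ReVuln or EA: it uses only the "origin://link" form quoted above, and the indicator patterns, the parameter name "arg" and the host in the sample are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Any origin:// link embedded in untrusted content (web page, e-mail, chat log).
ORIGIN_LINK = re.compile(r"origin://[^\s\"'<>]*", re.IGNORECASE)
# Assumed indicators that decoded parameters reference remote or loadable code.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\")  # \\host\share\...
REMOTE_URL = re.compile(r"(?:https?|ftp|file)://", re.IGNORECASE)
LOADABLE = re.compile(r"\.(?:dll|exe|bat|cmd|ps1)\b", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded parameters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(link):
    """Return (severity, reasons) for one origin:// link."""
    parts = urlsplit(link)
    params = fully_decode(parts.query)
    if not params:
        return "info", ["origin:// link without parameters"]
    reasons = ["carries parameters handed to the launched process"]
    if UNC_PATH.search(params):
        reasons.append("UNC path in parameters")
    if REMOTE_URL.search(params):
        reasons.append("remote URL in parameters")
    if LOADABLE.search(params):
        reasons.append("loadable file type in parameters")
    return ("high" if len(reasons) > 1 else "medium"), reasons

def scan(text):
    """Find and classify every origin:// link in a blob of untrusted text."""
    return [(m.group(0), *classify(m.group(0))) for m in ORIGIN_LINK.finditer(text)]

# Constructed sample content; "arg" is a placeholder parameter name.
SAMPLE = (
    '<a href="origin://link">open store</a>\n'
    '<a href="ORIGIN://link?arg=%5C%5Cfiles.example%5Cshare%5Cmod.dll">patch</a>\n'
    "see origin://link?arg=1 for details\n"
)

if __name__ == "__main__":
    for link, severity, reasons in scan(SAMPLE):
        print(f"{severity:6} {link}  ({'; '.join(reasons)})")
```

Any origin:// link arriving from outside the Origin client is worth logging; the severity only orders the review queue.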
With issues that make remote code execution possible on two of the most prominent game distribution platforms, game developers may want to take extra precautions to secure their code against vulnerabilities. Additionally, distributors of comparable platforms may want to reevaluate their design to ensure they are not leaving vendors exposed to hackers. Although gamers may not think of these programs as software security threats, this exploit suggests attackers will continue to find new avenues of entry onto remote systems. To secure programs and prevent such attacks, developers can use source code analysis tools such as static analysis software.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.