Research firm posts own Half-Life patch

Winston Chai CNETAsia

Published: 31 Jul 2003 11:55 BST

A security research firm has released its own patch for critical flaws in a popular computer game after waiting months for the game's creator to do something.

Earlier this week, US-based PivX Solutions issued an advisory warning of three high-risk buffer-overflow vulnerabilities it discovered in Half-Life, a popular first-person shooter (FPS) game.

Although released several years ago, Half-Life has remained popular due to its modifications, commonly referred to as “mods”. Variants based on Half-Life’s original engine such as Counter Strike and Day of Defeat have found favour with gamers worldwide. According to online gaming sites, Half-Life has captured about 65 percent of the online FPS market with over 10 million players.

The firm said in a statement that these flaws make computers and the 30,000 servers running the game susceptible to a denial-of-service attack. In such attacks, servers can be taken over by hackers so that they constantly send requests to other servers, making the targets so busy they can't respond to legitimate requests. In addition, they also allow "limitless and complete code execution by an attacker", PivX added.

"These bugs affect both clients and servers, so everyone that plays or serves Half-Life is vulnerable," said Luigi Auriemma, a senior security researcher with the company.

PivX explained it had alerted Valve, the developer of Half-Life, to this issue in April this year. Valve at first responded by saying a patch was in the works but has failed to provide an update so far.

"Due to the severity of these vulnerabilities, PivX waited much longer than the industry standard of 30 days for a patch to be created and distributed by the vendor. However, after 100 days and no patch or fix from Valve, despite repeated inquiries, PivX has decided to release these vulnerabilities with our free fix," the firm said.

PivX's Preparation V patch is currently available for download on the firm's Web site.

This is not the first time the firm has identified security loopholes in computer games. In November last year, PivX also uncovered a vulnerability in multiplayer games that support GameSpy, a programme which allows game clients to find and connect to online game servers.

Affected games include Electronics Arts' Battlefield 1942, Quake, Quake 2, Half-Life, Tribes, Return to Castle Wolfenstein and Medal of Honour: Allied Assault, the firm said in a security advisory.
