0Day in Unity Web Player: partially mitigated, still unsafe

A serious zero-day has been disclosed in Unity Web Player. We provide a full breakdown of what it means and how you can protect yourself.

A serious zero-day has been disclosed in Unity Web Player, a visualization browser plugin developed by Unity Technologies alongside its game engine. As Threatpost reports, the zero-day allows an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services.

Unity: 125 million

Unity Technologies is the developer of a namesake cross-platform game engine that has become extremely popular in recent years, largely due to its intuitive UI and WYSIWYG-based development process, as well as the existence of a free version for hobbyist and indie developers. With the recent update to version 5.0, many feature limitations were removed, so its popularity climbed.

It is used mainly to develop video games for PC, consoles, mobile devices and websites; however, it is also actively used by non-gaming businesses to create real-time interactive visuals right in a browser window – domestic designers, furniture manufacturers, 3D planning, construction apps, and many others. This gallery provides a full picture.

Unity Web Player is, true to its name, a browser plugin that runs games and other apps created with Unity development tools. Facebook also uses the Unity Web Player in many of its games and offers an SDK for embedding Facebook features in games. This creates an extra route for an attack, as the actor can attempt to inject a malicious app into a Facebook game.

According to Unity Technologies, the player has been downloaded more than 125 million times. Even if every download doesn’t lead to installation and regular use, that figure is quite formidable.

In fact, there are no reports – so far – of any large-scale exploitation of Unity bugs on the web. The newly disclosed bug is very dangerous on its own, for obvious reasons.

The bug

According to a researcher who discovered the flaw, an attacker exploiting the vulnerability would first have to lure the victim to the attacker’s site hosting the malicious Unity app, or inject the app onto a legitimate site or onto a Facebook game. The vulnerability allows the malicious Unity app to bypass cross-domain policies in place that prevent apps from accessing URLs and other resources from outside websites or the local file system. Exploiting this vulnerability in Internet Explorer, for example, allows an attacker to read locally stored files, which is as bad as it gets.

Adding to the trouble, the flaw had been reported to Unity six months ahead of the current disclosure, apparently without any reaction from Unity Technologies until now: the company has said it is taking measures to counter the problem. It currently has a different problem with Unity Web Player, however, one which largely mitigates the issue with the bug.

NPAPI

Google recently disabled the 1990s-era NPAPI by default in Chrome 42. It is an old API that is notorious for crashes and poses some security concerns of its own, so it is no surprise that Chrome developers decided to start getting rid of it.

Currently, users have to re-enable this API manually; otherwise Unity Web Player will not run. Disabling NPAPI also affects the Java and Silverlight plugins, which are now off by default too. Still, unless you suddenly happen to run Chrome below version 42 (the current one is 43.0 and the browser is updated automatically), the vulnerability is there.

Also, the plugin works as an ActiveX element in Internet Explorer. A test with the latest Firefox and a freshly updated Unity Web Player showed that either the vulnerability was no longer present or that the test tool wasn’t working properly. Regardless, this situation shows that it is extremely important to keep your software updated, especially web-related software.

Technical details on the vulnerability and the possible ways of exploitation can be found at Threatpost.
