SecurityWeek

Mojang Updates Minecraft to Patch Server Crash Vulnerability

Mojang Patches Bug After Exploit Is Made Public

After seeing that Minecraft developers failed to address a serious security bug he reported nearly two years ago, a Pakistani programmer has decided to release an exploit for the vulnerability. Minecraft developer Mojang released a new version of the game on Friday to address the issue.

In the summer of 2013, while analyzing the “network internals” of the popular game Minecraft, Ammar Askar discovered a vulnerability that could be exploited to cause a server to crash by sending it malformed packets.

The expert reported his findings to Mojang, which Microsoft acquired in September 2014 for $2.5 billion. Askar provided the company with details on the flaw, along with a proof-of-concept demonstrating his findings.

The researcher says he attempted to contact the company several times over the next three months to learn about the status of a patch, but Mojang ignored most of his emails. The developer has released two major versions of the game since being informed of the vulnerability, but neither of them addressed the issue.

On Thursday, Askar decided to make his proof-of-concept (PoC) exploit public to force the company to take action.

“I thought a lot before writing this post, on the one hand I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” the expert wrote in a blog post. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands of people play on servers running their software at any given time.”

The vulnerability, which allows malicious clients to force the server to run out of memory, affects Minecraft 1.8.3 and previous versions. Mojang addressed the vulnerability on Friday morning with the release of Minecraft 1.8.4, which also fixes other security flaws, minor bugs, and performance issues. Mojang advises gamers to update to the latest version as soon as possible.

“Mojang was made aware of the Minecraft server’s vulnerability and promptly worked to fix the issue with the release of Minecraft version 1.8.4 today. The version update fixes the reported security issues in addition to some other minor bug fixes and performance tweaks,” a Microsoft spokesperson told SecurityWeek.

In an update to his initial blog post, Askar said he probably should have given Mojang a final notice before releasing his exploit. It turns out that the developer had attempted to patch the vulnerability, but their fix wasn’t effective against the expert’s PoC.

*Updated with statement from Microsoft

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
