Mojang Patches Bug After Exploit Is Made Public
After seeing that Minecraft developers failed to address a serious security bug he reported nearly two years ago, a Pakistani programmer has decided to release an exploit for the vulnerability. Minecraft developer Mojang released a new version of the game on Friday to address the issue.
In the summer of 2013, while analyzing the “network internals” of the popular game Minecraft, Ammar Askar discovered a vulnerability that could be exploited to cause a server to crash by sending it malformed packets.
The expert reported his findings to Mojang, which Microsoft acquired in September 2014 for $2.5 billion. Askar provided the company with details on the flaw, along with a proof-of-concept demonstrating his findings.
The researcher says he attempted to contact the company several times over the next three months to learn about the status of a patch, but Mojang ignored most of his emails. The developer has released two major versions of the game since being informed of the vulnerability, but neither of them addressed the issue.
On Thursday, Askar decided to make his proof-of-concept (PoC) exploit public to force the company to take action.
“I thought a lot before writing this post; on the one hand I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” the expert wrote in a blog post. “Mojang is no longer a small indie company making a little indie game; their software is used by thousands of servers, and hundreds of thousands of people play on servers running their software at any given time.”
The vulnerability, which allows malicious clients to force the server to run out of memory, affects Minecraft 1.8.3 and previous versions. Mojang addressed the vulnerability on Friday morning with the release of Minecraft 1.8.4, which also fixes other security flaws, minor bugs, and performance issues. Mojang advises gamers to update to the latest version as soon as possible.
“Mojang was made aware of the Minecraft server’s vulnerability and promptly worked to fix the issue with the release of Minecraft version 1.8.4 today. The version update fixes the reported security issues in addition to some other minor bug fixes and performance tweaks,” a Microsoft spokesperson told SecurityWeek.
In an update to his initial blog post, Askar said he probably should have given Mojang a final notice before releasing his exploit. It turns out that the developer had attempted to patch the vulnerability, but their fix wasn’t effective against the expert’s PoC.
*Updated with statement from Microsoft.