Mojang Updates Minecraft to Patch Server Crash Vulnerability

Mojang Patches Bug After Exploit Is Made Public

After seeing that Minecraft developers failed to address a serious security bug he reported nearly two years ago, a Pakistani programmer has decided to release an exploit for the vulnerability. Minecraft developer Mojang released a new version of the game on Friday to address the issue.

In the summer of 2013, while analyzing the “network internals” of the popular game Minecraft, Ammar Askar discovered a vulnerability that could be exploited to cause a server to crash by sending it malformed packets.

The expert reported his findings to Mojang, which Microsoft acquired in September 2014 for $2.5 billion. Askar provided the company with details on the flaw, along with a proof-of-concept demonstrating his findings.

The researcher says he attempted to contact the company several times over the next three months to learn about the status of a patch, but Mojang ignored most of his emails. The developer has released two major versions of the game since being informed of the vulnerability, but neither of them addressed the issue.

On Thursday, Askar decided to make his proof-of-concept (PoC) exploit public to force the company to take action.

“I thought a lot before writing this post, on the one hand I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” the expert wrote in a blog post. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands of people play on servers running their software at any given time.”

The vulnerability, which allows malicious clients to force the server to run out of memory, affects Minecraft 1.8.3 and previous versions. Mojang addressed the vulnerability on Friday morning with the release of Minecraft 1.8.4, which also fixes other security flaws, minor bugs, and performance issues. Mojang advises gamers to update to the latest version as soon as possible.

“Mojang was made aware of the Minecraft server’s vulnerability and promptly worked to fix the issue with the release of Minecraft version 1.8.4 today. The version update fixes the reported security issues in addition to some other minor bug fixes and performance tweaks,” a Microsoft spokesperson told SecurityWeek.

In an update to his initial blog post, Askar said he probably should have given Mojang a final notice before releasing his exploit. It turns out that the developer had attempted to patch the vulnerability, but their fix wasn’t effective against the expert’s PoC.

*Updated with statement from Microsoft

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
