Remote Code Execution Flaw Found in Unity Game Engine Editor

An editor used by millions of game developers and coding students around the world contains a remote code execution vulnerability in all of its Windows versions on all versions of Windows. The Mac version of the editor is not affected.

Late last week, Unity wrote to its user base, explaining, “Unity has identified a Remote Code Execution flaw in the Editor and we’re rolling out a critical security patch to remediate this issue.” Unity provides its gaming engine at three levels: Free for personal use, Plus, and Pro.

The editor supports the Unity 2D and 3D gaming graphics engine used by developers for games targeted at a wide range of platforms, including Android, iOS, Linux, Windows, Oculus Rift and more.

In its vulnerability alert Unity-Sec-844, the company explains that its Mac version is not affected. It provides a number of patches for different affected Windows versions, but adds, “If a patch is not available for your version, please use the Mitigation Tool.” Unity is not patching some older versions of the editor, and recommends instead that users upgrade to the newer patched versions.

The alert provides no information about the vulnerability, announcing simply, “TBA (To Be Announced after Responsible Disclosure).” In this instance, ‘responsible disclosure’ is not specifically disclosure by a researcher or bounty claimant to the company, but by the company to its customers: “Unity may withhold information about an identified vulnerability for a reasonable period of time to ensure that all customers are given time to patch their systems.”

There is no indication of how or by whom the vulnerability was discovered, nor any indication on whether Unity is aware of any active exploits for the vulnerability. However, a separate FAQ mentions that the vulnerability is an input string validation issue in the Editor. Games produced by the Editor are not affected.

The mitigation tool provided by Unity is for any developer who simply cannot immediately apply the relevant patch. Unity explains, “This tool will update Windows to mitigate the identified vulnerability. The change is only related to the Unity Editor, and will not affect any other software, including games that use Unity.”

The company goes out of its way to stress that the mitigation tool should only be considered a temporary solution for developers, since it cannot guarantee that the disabled functionality containing the flaw will not be re-enabled at some point.

In May 2017, hackers from OurMine breached the Unity user forum and claimed to have exfiltrated user information. Unity acknowledged the breach, but said the hackers only accessed “a limited set of data,” and assured users that no passwords, payment information or other Unity services had been compromised.

Related: Flaw in Unity Web Player Allows Theft of Personal Data