Windows Unity: Is it dangerous to play the old versions now?

For those who don't know: Apparently, there was a security vulnerability in Unity that's been present since 2017 which they found just now. That's why all games which rely on Unity had to be patched, like 7 Days To Die recently (currently still in latest_experimental). You can read more info here: https://unity.com/security/sept-2025-01

Now here's the thing: Many people are playing the old versions, like A16, A17 etc. for various reasons. I also like to hop back into the old alphas to load my old save files and dive into nostalgia. Several YouTubers like GNS and Just Rob also started doing playthroughs of A16/A17 which encouraged some players to play the old versions again or try them out for the first time.

I'm not a game dev, so I'm not sure how to classify the security vulnerability in 7 Days. Is it dangerous to play the old versions like A16, since they all seem to be based on the Unity versions that have been mentioned in the link above? Even if you play offline on your own and block any connection from your firewall? Can someone with some know-how provide us with more info?

Cheers
 
Look at it like preferring to use Windows 7 as an OS, or even XP. You can do it, but you have no support whatsoever for unpatched security holes. Going offline only helps if you don't use any mods that could take advantage of the vulnerability, as it's dependent on the loading of local files. So I would say no mods and completely vanilla offline should be safe.
 
Eh, from a personal view I wouldn't worry much about it. Unless you hear in the news some team has made some botnet actively scouring the internet prodding devices running a game using it and found some way to force command injection (which sounds more of a fictional movie thing), I wouldn't worry about it. You're just running a game. Now, I probably wouldn't go about connecting to random servers that you have no idea who is running it and probably stay away from unknown mods (as these two would be the likely case of someone trying to exploit it). But there have been no known exploits done using the vulnerability.
 
Well, on Windows all it takes is invoking a URI handler. Dunno if 7dtd registers any, but if so, attacking on Windows would be a walk in the park (clickable link, external image in game, etc.):

"On Microsoft Windows systems, the presence of a registered custom URI handler for a vulnerable application or handler name could increase the risk of exploitation. If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process. Entities that routinely create registered URI handlers for Unity applications are encouraged to contact Unity directly at [email protected]."
 
Which I covered by saying don't connect to unknown servers and don't use unknown mods :). The game would have to be running for any exploiting of it to be done.
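
On the open question in the thread of whether the game registers a URI handler: one way to check on your own Windows machine, as an added example (not from any poster, the game's developers or Unity). It lists every custom URI scheme under HKEY_CLASSES_ROOT and flags those whose open command references a given executable. `$Pattern` and its default value are placeholders; pass the actual executable name of the game you want to check.

```powershell
# Added example: find custom URI schemes whose handler launches a given executable.
# $Pattern is an assumption (placeholder); pass the real executable name, e.g.
#   .\Find-UriHandler.ps1 -Pattern 'YourGame.exe'
param(
    [string]$Pattern = 'GameExecutable.exe'   # hypothetical placeholder name
)

function Get-UriHandler {
    # HKEY_CLASSES_ROOT is the merged view of per-machine and per-user classes.
    $root = [Microsoft.Win32.Registry]::ClassesRoot
    foreach ($name in $root.GetSubKeyNames()) {
        $key = $null
        try { $key = $root.OpenSubKey($name) } catch { continue }  # unreadable key
        if ($null -eq $key) { continue }
        try {
            # A class key is a URI scheme only if it has a "URL Protocol" value.
            if ($key.GetValueNames() -notcontains 'URL Protocol') { continue }
            $cmdKey  = $key.OpenSubKey('shell\open\command')
            $command = ''
            if ($cmdKey) {
                # The default (unnamed) value holds the command line that is run.
                $command = [string]$cmdKey.GetValue('')
                $cmdKey.Dispose()
            }
            [pscustomobject]@{ Scheme = $name; Command = $command }
        }
        finally { $key.Dispose() }
    }
}

$handlers = @(Get-UriHandler)

# Literal, case-insensitive substring match (no wildcard interpretation).
$hits = @($handlers | Where-Object {
    $_.Command.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0
})

if ($hits.Count -gt 0) {
    "URI schemes that launch '$Pattern':"
    $hits | Format-List Scheme, Command
} else {
    "No registered URI scheme references '$Pattern' ($($handlers.Count) schemes checked)."
}
```

An empty result means no link or embedded resource can launch that executable through a custom URI scheme on this machine; it says nothing about the mod and server paths discussed above.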
 