Inquiries regarding Urgent Vulnerability / Security Issue on a Run Time Component of Unity

Hello,

We received a message from Microsoft stating the below, but we have a few questions that the Remedial FAQ didn’t quite cover regarding this vulnerability. Hoping for some support here as our direct Unity support POC directed us to this forum. Thank you!

OUR INQUIRIES

• Steam - Per the remediation FAQ, it appears Valve will address this issue from their end, but it’s not clear if the developer should also update the vulnerability on their end. (Any thoughts here?)

• Epic - There is no mention of Epic listed in the remediation FAQ like there is for Steam. Would the title on EGS require a vulnerability fix?

• GOG - Probably the version that needs to definitively be patched out of them all and by the developer (due to being DRM free). Is this accurate/our assumption correct?

• WinGDK – While this is built similarly to Xbox, does anyone know if this will need to be updated by the developer for this vulnerability?

• Sony PS5, Xbox Series, Nintendo Switch, Steam Deck – No update required for this vulnerability for these platforms. Is this accurate/our assumption correct?

THE ORIGINAL VULNERABILITY EMAIL FROM MICROSOFT

Microsoft reached out to let us know that they have heard there is an Urgent Vulnerability on a Run Time Component of Unity which may affect the Security of Windows. There will need to be some work done to secure the issue.

Did they provide a CVE number? Is it this one: Unity Platform Protection: Take Immediate Action to Protect Your Games and Apps?

We recommend updating all builds on Windows, including for all of your mentioned distribution mechanisms (Steam, Epic, GOG, WinGDK). While Windows Defender and Steam deployed protections that block the vulnerability from being exploited, that is a secondary defense line:

  1. Not every computer has Windows Defender enabled;
  2. Even if you install the game through Steam, it’s possible to launch it outside of Steam, and thus it’s possible to have URI handlers registered to launch the game bypassing Steam, and in that case Valve’s defense will not help.

It is primarily aimed at providing protection while you’re in the process of patching the game and for games that are abandonware/will never get updated (maybe the studio behind them went out of business).

PlayStation, Xbox and Switch are not affected by the vulnerability.

Steam Deck runs Linux, so it is affected; however, on Linux, the vulnerable Unity command‑line arguments function similarly to the LD_PRELOAD mechanism. Under the standard Linux security model, these arguments do not cross privilege boundaries and therefore do not introduce additional risk relative to what is possible with LD_PRELOAD. It is possible to configure Linux systems to disallow LD_PRELOAD, and in that case this vulnerability would allow you to bypass that configuration. We also have this to say in the remediation guide:

Due to the lower risk profile, Unity has not released a Linux version of the Unity Application Patcher. If desired, particularly in environments with strict access control policies, rebuild your Linux application with a patched Unity Editor to remove the vulnerable code paths.

It’s here: https://www.cve.org/CVERecord?id=CVE-2025-59489

So the answer is yes, it's the same one. Unity have provided a patch and instructions. What are you unsure of?

We were not certain it was the same. Now that this has been confirmed along with the detailed follow-up above, we have our path forward. Thank you.

That's why a CVE number is important.