Security Notification - Unity Editor

Hey everyone,

We've identified a Remote Code Execution flaw in the Unity Editor. The good news is that we've already rolled out a critical security patch to fix it!

You can find the appropriate patch and instructions for your Unity version on our Security page.

This flaw only affects Windows users, so Mac users do not need to download a patch.

As a part of our commitment to Responsible Disclosure, we will release more details about the identified vulnerability once all of our users have been given time to patch.

If you have any questions, please don’t hesitate to contact our Customer Service team.

Questions & Answers

Q: What type of vulnerability was addressed in this update?
A: An input string validation issue was identified that could lead to remote code execution. As a part of Unity’s responsible disclosure program, additional details will be released to the public after customers have had time to apply the updates.

Q: What are the exact details of the threat?
A: We’re not in a position to share the full details yet, per our responsible disclosure program.

Q: Does this vulnerability affect built games/applications in any way?
A: No. Only the Editor is affected.

Q: What platforms are affected?
A: Windows. Mac and Linux platforms are not affected by the identified vulnerability.

Q: What versions of Windows are affected?
A: All versions of Windows.

Q: What versions of Unity are affected?
A: All versions of the Unity Editor running on Windows, regardless of the machine.

Q: What versions are being patched?
A: We’ve released a patch for the following Unity versions: 5.3, 5.4, 5.5, 5.6, and 2017.1. The full details are listed on unity3d.com/security. We will not be patching Unity 4.x, 5.0, 5.1, or 5.2.

Q: Will my specific version be patched?
A: Unity will be releasing a single patch to each of the most-current ‘dot-releases’ of Unity. For example, users running an older version of Unity 5.3 will need to update to the patched version of 5.3.8. There will be no patches for 5.3.7, 5.3.6, etc.

Q: What about versions older than 5.3?
A: We are providing a workaround tool that disables the identified vulnerable Editor feature, which can be downloaded from unity3d.com/security. Please understand, though, that the workaround is not a patch and has limitations. The workaround will disable the Editor feature identified as vulnerable, but since we can’t control whether the affected functionality becomes re-enabled at some point after applying the workaround (system changes, reinstallations, etc.), we strongly recommend updating to the latest version of Unity to get the benefits of the full patch. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the workaround.

Q: When will the patch be available?
A: The updates are available at http://unity3d.com/security.

Q: Does the workaround tool work for versions newer than 5.3? Can I use the workaround tool instead of patching?
A: The workaround tool can be used on all affected versions of Unity. Please understand, though, that the workaround is not a patch and has limitations: the workaround will disable the identified vulnerable Editor features, but since we can’t control whether the affected functionality becomes re-enabled at some point after applying the workaround (system changes, reinstallations, etc.), we strongly recommend updating to a patched version. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the workaround.

Q: I run multiple versions of Unity, do I have to apply the workaround tool for all of them?
A: No. Running it once deactivates the identified vulnerable component across all of them. Keep in mind that re-installing or updating one of the versions may activate the component again. To check, re-run the workaround tool until all versions are up to date.

Q: Can I just use the workaround and never move to a patched version?
A: The workaround will disable the Editor feature identified as vulnerable, but since we can’t control whether the affected functionality becomes re-enabled at some point after applying the workaround (system changes, reinstallations, etc.), we strongly recommend updating to a patched version. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the workaround.

Q: How can I get the workaround (or the patches)?
A: Visit http://unity3d.com/security.

Q: I have a locked down older version of Unity 5.x.x. Will you produce a patch for the exact version of Unity that I’m using?
A: Our focus right now is on addressing the identified vulnerability in the most-current version of each dot-release. We don’t have any details to share on patches for other versions at this time.

Q: Will I need to rebuild asset bundles due to the update requirement?
A: It depends on the specific version of Unity that you are using. Most customers will be able to update to the patched versions without needing to rebuild their bundles, but some customers may find that asset importers have been updated between the version they’re currently using and the patch for that dot-release. For those customers, asset bundle rebuilding may be necessary.

You definitely won’t need to rebuild bundles if you’re currently using 5.3.8p1, 5.4.5p4, 5.5.4p2, 5.6.3f1, or 2017.1.0p3.

Q: How do I know if I’ll need to rebuild my asset bundles?
A: You may need to rebuild your bundles if any assets are reimported when you first open your project in the patched version of Unity.