Wow, I thought this was going to be a dumb or joke post, but nope. It's quite scary to learn that the Hub is using code that Unity hadn't audited and apparently never had any auditing in place prior. This would seem to be a huge lack of judgement and Unity may have just got lucky this time it wasn't more serious. What troubles me more is the lacklustre response from Unity to both informing their customers and users about this issue and providing very clear steps in terms of how they can win back trust in using the Hub. I want to see a commitment from Unity that they will make the results of such an audit public, or even get a third party to come in and do the code audit. I need to know that the Hub and all past versions are safe for use.

From what I've read of the issues around some of the nodes, Unity may have been lucky it just dumped a text file onto people's PCs and didn't simply rewrite all the files with heart emojis! Honestly I can't remember a worse security breach that a company could have exposed their users' hardware to. I would expect at minimum to see this as a blog entry, supported with announcements in the forum and on social media.

The further I look into this, the more worrying it becomes. Whilst I can only speculate based on what I've read, it would seem that the node in question was the one that originally would overwrite all your files if your IP was deemed to be Russian (approx 8 days ago). It was later retroactively changed to just dumping a file on your desktop. So it seems Unity was super F***ing lucky that their automatic update of the dependency on this node managed to miss the first version, otherwise they could be looking at having been responsible for wiping goodness knows how many customers'/users' hard drives! Of course this is speculation, because in typical Unity fashion they have refused to be open about this issue. They have not named the 'third party' software that was at fault. They have also only acknowledged that there was an 'inconvenient' issue in a couple of posts discussing the issue and AFAIK made no effort to raise awareness of the problem to the user base - frankly that pisses me off. As I said above, this incident has shown how vulnerable we are to security threats via the Hub (what about the editor?) but I see little coming from Unity to provide any reassurance that there are not hidden/unknown dangers yet to be found.

By which I mean I would expect a sticky post that provides frequent, or at least day by day, updates on the auditing of the Hub and any other third party software that might provide an attack vector. It's not as if this is new: we had the log4j issue and, specifically with npm, the Colors Attack.

This is much improved over the initial statement, being far more open and informative. It's also good to see it get its own thread in announcements and not just a reply buried in a thread. Though to be honest I don't recall ever visiting the announcements forum directly, so maybe it could be boosted a bit. I still feel that Unity (and many other companies) will need to be more proactive regarding the flaw this has exposed in using third party code and would very much like to see ongoing efforts, such as a blog post on it in the future, to provide the reassurance that such an attack vector could never be exploited.

Not sure it is an exaggeration since it has happened and this isn't even the first time for open source software. We've already seen how serious an issue like this can be with regard to log4j and had a previous wake-up call with regard to nodejs (Color Attack). Now I feel Unity got super lucky with node-ipc, but this has to be the last warning sign.

Honestly if I were a company like Unity (and probably much smaller companies) I would be seriously looking to remove all dependencies on such open source code. Reading through some of the posts on GitHub, the level of support both versions of the code got from a small subset of users, due to it being 'for a good cause' or other reasons, is scary. Sure we didn't get the full on scorched earth result this time, but it must surely only be a matter of time now, especially as this time it's not simply a rogue/disgruntled developer, but based around a political/social statement that effectively weaponised open source software (which I think is new within this context). I hope that Unity will take the time to evaluate the safety of using such third party code as well as audit any such code that is also in the editor.