It allows you to develop and host VR and AR experiences on the web. Regardless, this situation shows that it is extremely important to keep your software updated, especially the web-related one. The WebXR Device API provides access to input (pose information from headset and controllers) and output (hardware display) capabilities commonly associated with Virtual Reality (VR) and Augmented Reality (AR) devices. An experience with the latest Firefox and freshly updated Unity Web Player showed that either the vulnerability was no longer present or that the test tool wasn’t working properly. Still, unless you suddenly happen to run Chrome below version 42 (the current one is 43.0 and the browser is updated automatically), a vulnerability is there.
Also, it works as an ActiveX element in Internet Explorer. The plugin disabling also affects Java and Silverlight plugins: now they are off by default too. It is an old API that is notorious for crashes and poses some security concerns on its own, so no surprise Chrome developers decided to start getting rid of it.
Currently the users should manually re-enable this API, otherwise Unity Web Player will not run. Google has recently disabled by default its 1990s era NPAPI in Chrome 42. But it currently has a different problem with Unity Web Player, which largely mitigates the issue with a bug. Until now, though: The company has said it takes measures to counter the problem.
Added to the trouble is the fact that it had been reported to Unity six months ahead of current disclosure, apparently without any reaction from Unity Technologies. Exploiting this vulnerability in Internet Explorer, for example, allows an attacker to read locally stored files, which is as bad as it gets.
The vulnerability allows the malicious Unity app to bypass cross-domain policies in place that prevent apps from accessing URLs and other resources from outside websites or the local file system. The newly-disclosed bug is very dangerous on its own, for apparent reasons.
According to a researcher who discovered the flaw, an attacker exploiting the vulnerability would first have to lure the victim to the attacker’s site hosting the malicious Unity app, or inject the app onto a legitimate site or onto a Facebook game. In fact, there are no reports – so far – of any large-scale exploitations of Unity bugs on the web. Even if every download doesn’t lead to installation and regular use, that figure is quite formidable. This creates an extra route for an attack as the actor can attempt to inject a malicious app into a Facebook game.
According to Unity Technologies, the player has been downloaded more than 125 million times. Facebook also uses the Unity Web Player in many of its games and has an SDK it offers to embed Facebook features in games. Unity Web Player is, true to its name, a browser plugin which allows the running of games and other apps created with Unity development tools. It is used mainly to develop video games for PC, consoles, mobile devices and websites; however, it is also actively used by non-gaming businesses to create real-time interactive visuals right in a browser window – domestic designers, furniture manufacturers, 3D planning, construction apps, and many others. With a recent update to version 5.0 lots of feature limitations had been removed, so its popularity climbed. Unity Technologies is the developer of a namesake cross-platform game engine that became extremely popular in recent years, largely due to its intuitive UI and WYSIWYG-based development process, as well as the existence of a free version for hobbyist and indie developers.
As Threatpost reports, the zero-day allows an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services. A serious zero-day has been disclosed in Unity Web Player, a visualization browser plugin developed by Unity Technologies alongside its game engine.