PC Gamer
James Bentley

Unity has found a security vulnerability that has sat dormant for almost a decade: 'Take immediate action to protect your games & apps'


Any games or applications using Unity will need to be patched, the game engine company says, following the discovery of a new vulnerability.

Unity is urging users to update their software as a new security vulnerability has been spotted in Unity versions 2017.1 and later. It's present across versions for Android, Windows, Linux, and macOS operating systems.

Discovered back on June 4 this year, and patched on October 2, this vulnerability meant that users were "susceptible to an unsafe file loading and local file inclusion attack depending on the operating system." This means someone could enable local code execution or grab information at "the privilege level of the vulnerable application".

It was given a high severity score by Unity and a CVSS score of 8.4. With 10 being the most severe, this vulnerability is quite significant. Unity does clarify that "there is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers."

Games or applications released using version 2017.1 or later may contain this vulnerability, and creators are encouraged to download the patched update of Unity via the Unity Hub or Unity Download Archive.


Unity version 2017.1, as the name implies, launched all the way back in 2017, so this vulnerability has been there for eight years now.

If you have developed a game or app using version 2017.1 onwards, Unity 'strongly' recommends you "recompile and republish your application." If your app is on Android, the platform's built-in malware scanning and security features will pick up on affected software, and Microsoft Defender on Windows has also been updated to "detect and block the vulnerability." Valve is also adding further protections against the vulnerability.

If you would prefer not to rebuild projects, Unity has published a tool that patches applications on Android, Windows, and macOS. However, this tool does not work on builds with tamper-proofing or anti-cheat measures, and it doesn't work with Linux either.

Linux still has a high severity on the affected platforms table on Unity's website, but Unity clarifies, "Due to the lower risk profile, Unity has not released a Linux version of the Unity Application Patcher. If desired, particularly in environments with strict access control policies, rebuild your Linux application with a patched Unity Editor to remove the vulnerable code paths."

Unity-based games like Sons of the Forest may need to be patched to be fully secure. (Image credit: Endnight Games)

Unity also clarifies "the fix is unlikely to break most games", which sounds less reassuring than might have been intended.

Developers using Unity are being encouraged to inform users to keep devices and applications up to date, as those working off old versions could be vulnerable. It's just good form to make sure software is up-to-date, but it will be particularly important for Unity software going forward.
