Unity has discovered a “major security vulnerability” affecting games made using its development tool dating back to 2017.
According to a Common Vulnerabilities and Exposures (CVE) analysis, “if an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running.”
The vulnerability affects games developed for Android, Windows, Linux, and macOS operating systems.
Unity director of community and advocacy Larry Hryb clarified in a blog post that “there is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.”
“We have proactively provided fixes that address the vulnerability, and they are already available to all developers,” he continued.
“The vulnerability was responsibly reported by the security researcher RyotaK, and we thank him for working with us.”
To address the vulnerability, Unity has “released an update for each of the major and minor versions of the Unity Editor starting with Unity 2019.1.”
It has also “released a binary patcher to patch already-built applications dating back to 2017.1.”
As for what developers need to do, Hryb suggested that those who have “developed and released a game or application using Unity 2017.1 or later for Windows, Android, or macOS” need to “review [its] guidance to ensure the continued safety for [their] users.”
“We strongly recommend you download the patched update for your version of the Unity Editor, recompile, and republish your application,” he added.
“Advise your users to keep their devices and applications updated, enable automatic updates, and maintain current antivirus software.”
Beyond Unity, Microsoft Defender has been updated to detect and block the vulnerability.
Valve has issued an update for its platform to implement “additional protections for the Steam client.”
Developers have since responded to the security issue, including Obsidian, which removed some of its games from digital storefronts.
