On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed advisory detailing multiple vulnerabilities in the Unreal network gaming engine developed by Epic Games. These vulnerabilities affect both clients and servers playing the plethora of games that use the engine, and have been readily exploitable for 5 years.

The press release:
http://www.pivx.com/press_releases/ueng-adv_pr.html

The advisory itself:
http://www.pivx.com/luigi/adv/ueng-adv.txt

Following both industry and personal standards, PivX gave Epic Games a duration of 30 days to (at the very least) respond to our private notification to them. After nothing had happened during that month we prepared to release the advisory, yet once the press asked Epic Games for comments they were suddenly very responsive. Promises to work closely with us on the vulnerability and advisory were made, and we managed to hold down the press for several months after this.

60 days passed after this, without any collaboration, honest effort or actual contact from Epic Games. We released the advisory after 90 days had passed from the original vendor notification. 90 days in which we were played like fools, in which Epic Games had ample time and sufficient opportunity to react and work with us on a coordinated release. 90 days in which Epic Games, to the best of our comprehension, had archived our communications in the trash, during which we received no serious communication except for crisis handling at the originally planned release time.

On February 6th, BluesNews (among many others) could cite a quote from Mark Rein, Epic Games Vice President:

"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."

http://www.bluesnews.com/cgi-bin/board.pl?action=viewthread&threadid=39954

On February 11th the tides have changed, and TechTV is reporting public legal threats from that same person:

"This is slanderous," he says. "They've taken this too far. We're getting our lawyers involved with this."

http://www.techtv.com/news/security/story/0,24195,3417248,00.html

I fail to see how Mark Rein on one hand can publicly announce this to be a real threat that they should have fixed earlier, and on the other hand can announce the advisory to be false and malicious statements. There is no slander or libel in any aspect of this, and the only imaginable outcome that Mark Rein must have been aiming for by his declaration of lawyer involvement is to silence future security research on Epic Games products through the promise of unfounded barratry.

As we know from precedents in the past, this approach to security is counterproductive at best and encouraging for underground security research at worst, and I can only hope for an official retraction of this policy by Epic Games once other employees have had half a minute to think about the implications and example that Mark Rein is setting forth.

In the past, I have received better nonresponsive treatment from Microsoft when their security handling was at its worst. Contrary to the vast improvements that Microsoft has gone through over the last year and a half, Epic Games did not even start to acknowledge the problem properly before a full public disclosure had been made on February 5th.

I believe that Luigi, and all of PivX, has handled this issue in a courteous, professional and ethical manner, and that the uncoordinated release that was its outcome is the direct result of a nonresponsive vendor that at best is plainly ignorant and at worst acts directly against the best interest and security of its own customers.
Regards

Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html