Application Control for games: more than just a productivity issue

Back in March 2007 Sophos published an article on Application Control blocking games such as Second Life. It was briefly mentioned that games were a security concern as well as a productivity one; I’d like to go into more detail on that point here, because it’s something that might not be immediately obvious to people running corporate networks.

From a security point of view, most games are terrible. Gamers don’t have a great understanding of software security and many game developers don’t have a lot of experience of writing secure code. The emphasis from the game developer’s point of view is to get the game shipped on time, and to get it playing as well as possible — that sometimes means cutting corners to get code running faster, or to get it written quickly.

Because execution speed is such a concern, most games are still written in non-typesafe languages, generally C and C++, in which all the traditional vulnerabilities such as stack and heap overflows, format string exploits and double-free errors are still alive and kicking. Many games have freely available SDKs for the development of plugins or game mods. The presence of an SDK for an online game shifts the discovery of these types of vulnerabilities from being doable only by dedicated security researchers and reverse engineers to anyone with a knowledge of C/C++.

As an example, I recently discovered (completely by accident) a vulnerability in one of the most popular online gaming services in which setting the name of one of your games to “%n” would cause a client crash for anyone that saw you joining that game. This was a common format string exploit, as simple as they come, and it would not have been a great stretch for an attacker to craft a string that would not just crash other clients but actually execute malicious code on them. The fact that this class of vulnerability is so well documented, and that it was discovered so easily (without any reading of source code or reverse engineering binaries) is bad enough; that the developer is actually one of the best game companies around when it comes to security is much more worrying. They fixed this vulnerability within a couple of days. Other vulnerabilities — some much more serious — in online games from other companies have remained unpatched for months or years despite being disclosed to the vendor.
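The coding pattern behind this class of bug, and its fix, shown as an added example (not code from the game or service described above). The function names, the `BUILD_VULNERABLE_VARIANT` macro and the notice text are hypothetical; the vulnerable variant is excluded from the default build.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (hypothetical, compiled only on request): the untrusted
 * game name is used as the format string itself, so a name of "%n" makes the
 * printf family write through an argument that was never supplied. */
#ifdef BUILD_VULNERABLE_VARIANT
int render_join_notice_vulnerable(char *out, size_t outlen, const char *game_name)
{
    return snprintf(out, outlen, game_name);   /* BUG: data used as format */
}
#endif

/* Hardened form: the format string is a constant and untrusted text is only
 * ever passed as a "%s" argument, so directives inside it are never parsed.
 * Returns 0 on success, -1 on bad arguments or if the notice does not fit. */
int render_join_notice(char *out, size_t outlen,
                       const char *player, const char *game_name)
{
    if (out == NULL || outlen == 0 || player == NULL || game_name == NULL)
        return -1;

    int n = snprintf(out, outlen, "%s joined \"%s\"", player, game_name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';      /* never hand a truncated notice to the UI */
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[64];

    /* Constructed sample input: the game name from the article. */
    if (render_join_notice(line, sizeof line, "player1", "%n") == 0)
        puts(line);         /* the name is shown as literal text */
    return 0;
}
```

Building C and C++ code with `-Wformat -Wformat-security` (GCC and Clang) flags calls like the one in the vulnerable variant at compile time.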

The security problems with having games on a network aren’t just limited to software vulnerabilities either; most modern online games contain some form of matchmaking service or even a full IM client. Those that don’t probably still have in-game chat. These channels are open to all the same forms of phishing and Trojan distribution that are commonplace in all communications software. Many game password stealers are distributed over in-game communications; players are messaged with a malicious download link or a direct request for their password from someone claiming to work for the game manufacturers.

For anyone interested in game vulnerabilities, Luigi Auriemma’s website contains a fair number of vulnerability descriptions and plenty of information on typical vendor responses.

Customers that choose to use the Application Control features of Sophos Endpoint Security and Control are protected against these vulnerabilities (and the malware that spreads by exploiting them) in the simplest way possible; the games simply won’t run. The list of games currently covered by Sophos Application Control is growing all the time and is available here.