Game musings and news

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Thu Dec 09, 2021 1:39 pm


Mongrel
Posts: 21333
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Game musings and news

Postby Mongrel » Thu Dec 09, 2021 10:24 pm

EDIT/UPDATE: The exploit below is actually not restricted to Minecraft and affects a very large number of games and even whole platforms (including Steam).


RCE 0-day exploit found in log4j, a popular Java logging package used not only in Minecraft, but other cloud apps as well:

Cloud services like Steam, Apple iCloud, and apps like Minecraft have been found to be vulnerable to this exploit. Many, many others likely are, also.


A bit more detail from someone over at reddit:
https://old.reddit.com/r/Minecraft/comments/rcum79/important_javawide_exploit_that_lets_people/hnxmizb/

If you play Minecraft, the java machine switch as described above should be sufficient; however, because theoretically any chatlog or eventlog that's stored to the cloud can be affected, look to Steam for any update or the app you're using for any app-specific update.

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Fri Dec 10, 2021 12:32 am

...Java and JavaScript are different things.

(this post made sense before Mongrel edited his post after I replied to it)

Mongrel
Posts: 21333
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Game musings and news

Postby Mongrel » Fri Dec 10, 2021 11:45 pm

Small but important update on this exploit is that the above solution, at least with regards to Minecraft specifically, is NOT sufficient. MS pushed a patch today which apparently contained the temporary fix but servers are still seeing takeovers using the same exploit (so yes, this is not just a theoretical issue - it's out there and actively happening) and a new patch for Minecraft is coming shortly in a new attempt to stop it.

As for other services using Java-based logging I have no idea. Haven't seen any Steam updates lately, for example.

EDIT: Steam should be fine (comments are from 4h ago, well after stories stated Steam was affected)
Comment by JonP_valve:
We immediately reviewed our services that use log4j and verified that our network security rules blocked downloading and executing untrusted code. We do not believe there are any risks to Steam associated with this vulnerability.

Comment by JonP_valve:
The early discussion on twitter mentioned Steam specifically but they were talking strictly about the server side - not the Steam client. It appears they were using "a DNS lookup occurred" as enough to indicate a potentially-vulnerable system. However we were able to confirm that Steam servers were not at risk of running untrusted external code via this log4j issue.

Recent updates via Bleeping Computer

Not a ton of info in there, but it does state that Cloudflare has also confirmed their services aren't exposed.

What's sort of funny is that not only is this a live issue, but apparently some folks in the security sector think this has been active for some time and only became a prominent issue after Minecraft servers started being compromised. The potential implication there being that some crooks may have had a nice quiet little moneymaker going until some idiots got ahold of it and started fucking with Minecraft players' shit.

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Sun Dec 12, 2021 2:00 pm

Mongrel wrote:Small but important update on this exploit is that the above solution, at least with regards to Minecraft specifically, is NOT sufficient. MS pushed a patch today which apparently contained the temporary fix but servers are still seeing takeovers using the same exploit (so yes, this is not just a theoretical issue - it's out there and actively happening) and a new patch for Minecraft is coming shortly in a new attempt to stop it.


I can't speak to what's happening with Minecraft specifically -- whether it's client-side, server-side, whether the people still seeing the bug just haven't run the update -- but the formatMsgNoLookups flag should prevent the issue from occurring. AFAICT that's all 2.15.0 changes from 2.14.1, is set that flag to default to true instead of false.

As for other services using Java-based logging I have no idea.


"Java-based logging" isn't quite an accurate description of what's being exploited here. There are many different libraries you can use for logging in a Java app; log4j is one of the most popular but it's not synonymous with "Java-based logging". (It's also not part of Java proper; it's a third-party library published by the Apache Software Foundation.)

Mongrel
Posts: 21333
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Game musings and news

Postby Mongrel » Sun Dec 12, 2021 2:46 pm

Yeah, I should have mentioned it's a bunch of Apache libraries in particular. It's in the linked article even (but then, that's why you link the sources for shit like this, because amateur transcription can easily contain errors).

As for the Minecraft issue and the Microsoft patch, it was some servers reporting issues after they had installed the earlier MS patch. I have no way of knowing if the patch simply added the fix you describe but there's additional channels of the exploit which weren't addressed (but even I get that "don't run code off this" should be pretty comprehensive as a fix, no?), or if MS bungled their first patch for some reason.

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Sun Dec 12, 2021 6:27 pm

Mongrel wrote:As for the Minecraft issue and the Microsoft patch, it was some servers reporting issues after they had installed the earlier MS patch.

I think in Minecraft's case it may be a client-side issue? You don't see a lot of client-side Java apps on the desktop these days* but the classic version of Minecraft is one of them.

* phones are another story, but I doubt there are a whole lot of Android apps relying on log4j

Mongrel
Posts: 21333
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Game musings and news

Postby Mongrel » Sun Dec 12, 2021 6:36 pm

Thad wrote:
Mongrel wrote:As for the Minecraft issue and the Microsoft patch, it was some servers reporting issues after they had installed the earlier MS patch.

I think in Minecraft's case it may be a client-side issue? You don't see a lot of client-side Java apps on the desktop these days* but the classic version of Minecraft is one of them.

* phones are another story, but I doubt there are a whole lot of Android apps relying on log4j

It may also have something to do with the type of server. Players playing Minecraft on Java have the option of either independent Java-based servers or Microsoft's "Realms", their pre-packaged and obviously highly-limited servers, which, amusingly enough, are actually hosted by Amazon web services rather than MS.

I assume Realms are still technically running Java under the hood, but I'm not sure about that, and who knows what else is mixed up in there. Plus even the regular Java client and server software for Minecraft has acquired all sorts of MS backdoor nonsense over the years (for a long time it was clear the goal was to eliminate the Java edition entirely, but, surprise surprise, there's obviously way too much pushback for that to ever fly).

I have absolutely zero clue if any of that added MS garbage exposes clients or servers in extra ways to this particular exploit, but I wouldn't rule it out, if only for the basic engineering rule of "the more shit there is, the more shit can break".

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Sun Dec 12, 2021 6:38 pm

I would certainly hope the official MS servers are fixed at this point.

Mongrel
Posts: 21333
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Game musings and news

Postby Mongrel » Sun Dec 12, 2021 6:39 pm

Thad wrote:I would certainly hope the official MS servers are fixed at this point.

I would hope all of them are, since the newer patch should be out by now. I'd have to ask Starr (since she's the one who plays regularly) but IIRC it was supposed to go out today.

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Sun Dec 12, 2021 6:59 pm

Mongrel wrote:I would hope all of them are

Dude who's still running Windows 7 expresses surprise that there are people who might not install a software update within 3 days.

Mongrel
Posts: 21333
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Game musings and news

Postby Mongrel » Sun Dec 12, 2021 7:37 pm

Thad wrote:
Mongrel wrote:I would hope all of them are

Dude who's still running Windows 7 expresses surprise that there are people who might not install a software update within 3 days.

I wasn't talking about end-user installation. Come on man, geez.

Büge
Posts: 5471
Joined: Mon Jan 20, 2014 6:56 pm

Re: Game musings and news

Postby Büge » Sun Dec 12, 2021 9:27 pm

Java-based logging, or "jogging"

atog
Posts: 596
Joined: Tue Jun 06, 2017 1:49 pm

Re: Game musings and news

Postby atog » Sun Dec 12, 2021 10:01 pm

Büge wrote:Java-based logging, or "jogging"

She died in a horrible way while out jogging one day

She fell into an abandoned crypto mine
Placeholder for something witty that doesn't make me sound like an asshole

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Wed Jan 05, 2022 2:10 pm

Indie Hosting Platform Game Jolt Suddenly Bans ‘Porn Games’

Same old song: platform gets popular in part due to sexual content, decides it's going to ban sexual content (possibly under pressure from gatekeepers like Apple and the credit card processors), "accidentally" takes down queer content as part of the purge.

Mongrel
Posts: 21333
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Game musings and news

Postby Mongrel » Wed Jan 05, 2022 2:39 pm

“I wish Game Jolt the best of luck in their inevitable pivot toward pushing NFT gambling on children,” said Yang jokingly.

beatbandito
Posts: 4306
Joined: Tue Jan 21, 2014 8:04 am

Re: Game musings and news

Postby beatbandito » Wed Jan 12, 2022 9:17 am

I'm hype.


looks more botw-like than odyssey. Some of the areas seem set up similarly to bomberman 64, which is good in my book.

Thad
Posts: 13223
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Game musings and news

Postby Thad » Thu Jan 13, 2022 12:39 am

Sony's porting PS4 games to the PC and apparently God of War is pretty good?

I've got a PS4 but that's still good news all around. I've already got Spider-Man but I'd still love to see it released for PC because the more people who can play it the better.

And hey, I haven't played Ghost of Tsushima yet. That seems like it'd be a good one.

KingRoyal
Posts: 747
Joined: Wed Jan 13, 2016 11:32 am

Re: Game musings and news

Postby KingRoyal » Tue Jan 18, 2022 10:10 am

Microsoft buys Activision-Blizzard for close to $70 billion

Shares of Activision soared about 37% in pre-market trading before being halted after the Wall Street Journal first reported the deal.

Microsoft shares fell more than 2% following the announcement
signature

Newbie
Posts: 886
Joined: Mon Jan 20, 2014 7:30 pm
Location: January 20th, 2014, 5:30 pm

Re: Game musings and news

Postby Newbie » Tue Jan 18, 2022 11:00 am

Kotick remains in charge until the sale is complete, at least. Hopefully a quick departure will follow.

Candy Crush is their money maker, but acquiring Call of Duty seems like the bigger deal in terms of the Microsoft/Sony competition.
tiny text
