Information Security News mailing list archives

Quake III flaw could frag your computer


From: William Knowles <wk () C4I ORG>
Date: Mon, 8 May 2000 00:06:51 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2561554,00.html

By Rob Lemos, ZDNN
May 3, 2000 5:34 PM PT

Game developer Id Software Inc. announced on Wednesday that its
flagship first-person shooter has a security flaw that could leave
Quake III players' computers open to attack while they play.

"The basic nature of the exploit is that malicious server operators
could overwrite any file on a client system," wrote Robert Duffy, a
programmer at Id Software, in his .plan file on Wednesday.

The flaw was found last week by network security firm Internet
Security Systems Inc. and could allow an attacker running a Quake III
server to read from and write to the computer of any player connecting
to that server. Internet Security Systems waited until Id Software
could issue a patch before sending out an alert to users and the press.

"This vulnerability is important to network administrators who may be
unaware that users are accessing potentially malicious Quake3Arena
servers outside their network," wrote Internet Security Systems in the
alert.

Id Software fixed the flaw in its latest patch release, Version 1.17,
released on Wednesday.

To force users to move over to the secured Quake III client, Id
Software has made Version 1.17 of the game incompatible with earlier
-- and insecure -- versions.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
