'Unreal' Security Risk

http://www.techtv.com/news/security/story/0,24195,3417248,00.html

Entertaining computer games may no longer be so harmless – especially for your computer.

PivX Solutions, a computer security firm in Newport Beach, Calif., recently disclosed that it has found a slew of vulnerabilities in the core software code or “engine” that is used in the Unreal video game. PivX says the holes could let an attacker launch a denial-of-service attack, crash a gaming server, or even run code on a player’s machine.

[…]

“Epic and its employees are playing ‘cat and mouse’ with us,” Shively says. “Software vendors have a tacit obligation to protect their customers’ security. Unfortunately, many of them don’t take this responsibility seriously.”

In a phone interview Monday, Epic Vice President Mark Rein expressed anger at the PivX disclosure and said Epic would seek legal action.

In a subsequent call Tuesday, Rein retracted the statement, saying he overreacted, and asked TechTV to remove his comments. Rein confirmed the statement of Epic CEO Tim Sweeney, saying the game maker had learned a hard lesson.

This has been an ongoing story for a bit. Mark Rein apologized for the quoted comments below yesterday on VE3d and Bluesnews forums. Apparently he was annoyed at them listing cancelled Unreal engine games or something. Here’s the full text:

I have sent Pivx an apology for the completely out-of-line and unfortunate comments which I sincerely regret. We did provide an official statement and I was not, at the time, aware that my verbal reactions, in a moment of shock and surprise at seeing unfinished licensee games on the list, were also being captured for the article.

Pivx gave us more than fair enough warning of the bugs and we simply failed to fix them in the allotted time. We already released a statement to Blue’s News last week indicating that “we fucked up” in not addressing these concerns within the given time and that we were already testing a patch with the security issues corrected. In addition the official statement we gave pointed out that we were fixing the holes and that the Pivx report was fair and accurate. Licensees have already been provided with the source code for the security fixes.

Again this was a moment-of-stupidity reaction and I sincerely apologize to Pivx and the security community. We have already stated that we will address these issues far more promptly in the future.