EA's Origin hit by remote code execution flaw

March 19, 2013 // 9:45 a.m.

Tags: #digital-distribution #ea #electronic-arts #origin #revuln #security #steam #valve #vulnerability

A security vulnerability in EA's Origin digital distribution platform could allow attackers to use the software to load malware and other unwanted packages onto a target system, according to reserach carried out by ReVuln last last month.

EA's Origin, the company's equivalent to Valve's popular Steam service, sets itself up as a helper application for special "origin://" links when installed on a client PC. These links are used by EA's Origin website to trigger the application to do a variety of tasks - install a newly-purchased game, for example - and are also used by the Origin client itself to launch installed games and communicate with the in-built digital rights management (DRM) system.

So far, so standard: that's exactly how Steam operates, except for the links being "steam://" rather than "origin://" in Valve's case. Sadly, security researchers Luigi Auriemma and Donato Ferrante of ReVuln claim to have located a loophole in EA's system that can allow ne'er-do-wells to use Origin as a means of loading executable content onto a client system, taking full control of the computer in the process.

'In order to demonstrate the insecurity of the Origin platform, we picked the most recent and well known game available on this platform: Crysis 3, which was released on 19 February 2013,' the pair explain in a white paper (PDF) warning on the matter, written on the 28th of February but only made public this past weekend. 'We found several ways to trigger remote code execution against remote victim systems by abusing the Origin platform itself.'

The proof-of-concept attack carried out by the pair demonstrated on video, resulted in the attacker being able to load a dynamic link library (DLL) executable file from a remote system on the client system - with the result that the client machine started to run untrusted code from a remote source. Had the attack been real, this code could have been anything from a back-door package to allow full remote access to a malicious package to delete critical files.

It's a serious flaw, but one with plenty of precedence: Valve's Steam platform was discovered to have the exact same issue (PDF warning) back in October last year, by the same security researchers. That another company has fallen victim to the same design flaw, however, does not make the problem any less serious for EA - and, coming as it does on the back of a botched high-profile game launch and the resignation of its chief executive, it's news EA could do without.

Asked for comment, EA refused to confirm that the flaw exploited by the researchers was legitimate - despite video evidence of that fact - stating only that 'our [security] team is constantly investigating hypotheticals like this one as we continually update our security infrastructure.'

QUICK COMMENT

View this in the forums

SUBSCRIBE TO OUR NEWSLETTER

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU