The reproducible security threat was first showcased by Pakistan-based developer Ammar Askar on his blog two days before, after waiting for exactly two years for Mojang to respond. Askar first discovered the vulnerability in July 2013 which allowed him to crash the Minecraft game servers. Askar promptly contacted Mojang so the studio could patch it out however Mojang only responded once he had sent a second email but to date till the release of the above patch, the bug remained unfixed. Askar gave up on contacting Mojang after sending two more messages. Now, nearly two years later, he decided the only way to draw attention to the issue was to reveal it openly and hope that Mojang would be forced to respond, which it did promptly today by releasing the patch just after two days of making the bug public. “The version of the game when the vulnerability was reported was 1.6.2, the game is now on version 1.8.3,” he wrote. “That’s right, two major versions and dozens of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory was allowed to exist.” The exploit works by flooding the game’s servers with information about a particular inventory slot. Askar discovered that it was easy to create code that the game struggled to understand – to the point where the server would crash. The bugs fixed in this patch are as follows :
Pets follow spectator Vines no longer spread correctly in corners Certain characters cannot be typed on certain keyboard layouts (“AltGr” behaving like “Cltrl”) Nether portals place players in front of the portal Duplicating Items Malicious clients can force a server to freeze Malicious clients can force a server to go out of memory User (formerly known as olduser) has joined shows multiple times
The patch can be downloaded here.
