In January 2013, our own Chief Research Officer, Carsten Eiram, encountered the latest version of the RealArcade installer provided by GameHouse on a system during an audit. With a number of recent reports about vulnerabilities in game clients/installers due to unsafe design, it seemed appropriate to determine the status of the previously disclosed vulnerabilities in the RealArcade installer and to perform a more thorough analysis of its design. What was found was unfortunate for users, as it showed that the implementation suffers from serious design flaws and very basic but critical vulnerabilities, many of which have been publicly known for more than two years.
The full paper, which was recently published, describes flaws in the GameHouse game installer implementation for Windows and how it exposes users’ systems to both local and remote attacks. The most severe of the covered vulnerabilities leave any system with the GameHouse installer wide open to attack, allowing websites to execute arbitrary commands on the system with the user’s permissions.