Ok, I feel like I need to say something, this kind of bad practice has to stop.
Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.
I wasn't planing on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.
What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.
What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.
Just so you know everyone this isn't just a PC issue, every platform is affected.
It has been exploited to gain access to Geforce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.
Addendum:
I am not saying CDPR explicitly said mods are an issue here, my problem is with the incorrect information and vague description leading to of course many people, including media sites, to misunderstand and think the issue here is mods. Phrasing it like "We have been made aware of a vulnerability in the game's code making it possible to execute code in the game by loading a malicious save, therefore we recommend you stay away from custom saves and archive assets until we release a patch for this" would in my opinion have been a lot better.
It happens, we all fuck up sometimes in code, it's easy to make a mistake like this one (though proper unit testing would likely have prevented that), none of us blame CDPR or the programmers for the vulnerability, we are disappointed by the way it was handled, very slow reaction and misrepresenting the issue (intentionally or not).
Please, in the future, use more transparency, your players only want to play a great game, showing you care and explaining what's going on won't hurt you.
github.com
