[SOLVED] IMPORTANT: PC version vulnerability

Ok, I feel like I need to say something, this kind of bad practice has to stop.

Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.

I wasn't planning on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.

What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.

What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.

Just so you know, everyone, this isn't just a PC issue, every platform is affected.

It has been exploited to gain access to GeForce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.

Addendum:

I am not saying CDPR explicitly said mods are an issue here, my problem is with the incorrect information and vague description leading, of course, many people, including media sites, to misunderstand and think the issue here is mods. Phrasing it like "We have been made aware of a vulnerability in the game's code making it possible to execute code in the game by loading a malicious save, therefore we recommend you stay away from custom saves and archive assets until we release a patch for this" would in my opinion have been a lot better.

It happens, we all fuck up sometimes in code, it's easy to make a mistake like this one (though proper unit testing would likely have prevented that), none of us blame CDPR or the programmers for the vulnerability, we are disappointed by the way it was handled, very slow reaction and misrepresenting the issue (intentionally or not).

Please, in the future, use more transparency, your players only want to play a great game, showing you care and explaining what's going on won't hurt you.
Hear! Hear!

I still don't understand CDPR. I think I'm truly done with this. I bought all Witcher games in the past and Cyberpunk 2077 these will be my last games from CDPR, until they have truly proven themselves. Mic drop and peace out!
 
There were cases of mods uploaded on Nexus with malicious intent (keylogger).
While download counts are most of the time a sign of a trustworthy mod, like torrent votes, that doesn't mean it's 100% safe.
I keep hearing that there were malicious mods (plural) on Nexus, but this seems to be urban legend.

At this point, given how things tend to get expanded upon in the retelling of the narrative, it is hard to tell whether people are just assuming the worst has happened, or whether there were confirmed files on Nexus, and if so, how many and which ones.

Anyone who downloaded confirmed malware should be notified. Who does that?
 

Ziffa

Forum regular
I keep hearing that there were malicious mods (plural) on Nexus, but this seems to be urban legend.

At this point, given how things tend to get expanded upon in the retelling of the narrative, it is hard to tell whether people are just assuming the worst has happened, or whether there were confirmed files on Nexus, and if so, how many and which ones.

Anyone who downloaded confirmed malware should be notified. Who does that?
A couple of weeks after Cyberpunk launch there was a trainer cheat uploaded on Nexus, turns out it was a keylogger and was removed after almost 400 downloads.
 
XD Um, the exploits can be done to consoles which never use mods, so, you're not safe unless you play with the Cyber Engine Tweaks fixes, because CDPR hasn't touched the fix, we modders, did..
Didn't know that; was just speaking to mods in general anyways. Never downloaded for Cyberpunk or any brand new game.
 
Why did you not send it out for the Xbox, or is it coming in a later patch when you add mod support for the Xbox so we can add the adult content back in?
 
What the fuck is up with the pitchfork and torches mentality. A problem was stated. It is solved. Basta.

No one was thrown under the bus.
 
Didn't know that; was just speaking to mods in general anyways. Never downloaded for Cyberpunk or any brand new game.

Well, that was why some modders were angry earlier in the thread, and understandably so.

The community found them, one person in that trusted community exploited with a mod, then our community at nexus fixed it in another mod.

The consoles however as far as I know did not receive patches unless there was an update while I was sleeping. They can still be exploited with a gamesave..
 
Is this game dead? No more patches for console? There are still a lot of bugs. It's been one month that I haven't touched the game, waiting.
 