Third Party Minecraft Skins containing viruses

Discussion in 'Community Discussion' started by Aikar, Apr 17, 2018.

  1. UPDATE:
    Mojang releases statement: https://minecraft.net/en-us/article/minecraft-java-edition-skins-issue-update

    It appears that Avast used deceptive and false statements in order to make this sound like more of a big deal than it really was. At this time it is believed the only way you could of been infected was if you were socially engineered to download a skin, rename it, and run it.

    As long as you don't do that, then no reason to be worried.

    ------

    Avast has issued an alert about malicious skins that can format your hard drive been seen.
    vector of the exploit being triggered is unknown but not much is known.

    I previously (See striked out below) thought that there was reports of a bug in java being used to exploit this, but I misread and discovered it is not currently known that bug is a source.

    https://blog.avast.com/minecraft-players-exposed-to-malicious-code-in-modified-skins

    At this time im downgrading my original PSA to state avoid downloading third party skins at this time, and if your anti virus does go off about a connection to skins having a virus, allow it to block it and let me know ASAP!
    Esrik, EntityAI, luckycordel and 20 others like this.
  2. Thanks for the heads up :)
    Tuqueque, 607, We3_MPO and 3 others like this.
  3. I am using a skin from like when I first started emc so I am chill
    Ethy202 likes this.
  4. Good to know, thanks Aikar!
    We3_MPO likes this.
  5. edit - no longer valid
    607 and We3_MPO like this.
  6. Thanks for the advisory Aikar.
    We3_MPO likes this.
  7. I know you can tell Minecraft to run from the version of java you have installed on your PC (or at least you used to). Would using an updated version prevent you from being at risk?
    Raaynn likes this.
  8. edit - no longer valid
    607, Echelon815 and WitherDoggie like this.
  9. If you made your own skin to use, are you at risk? What should I do if I don't have or know of an antivirus?
  10. Would using a mod (Optifine, or forge/liteloader) possibly stop this? My thinking is, if the above works, wouldn't using something other than complete vanilla be basically the same thing? (Probably didn't phrase that right... oh well.)

    Edit - Ninja'd.. "above" being telling Minecraft to run from the Java on your PC. Also, I just realized I didn't understand what was said, completely.. whoops :}
  11. Running a mod doesn't change the java version the game runs unless you manually change it. So no, it wouldnt fix the issue.

    Thanks. I already have the newest version of java so I'll get minecraft switched to it tomorrow.
    Harp4Christ and We3_MPO like this.
  12. WitherDoggie said:
    I know you can tell Minecraft to run from the version of java you have installed on your PC (or at least you used to). Would using an updated version prevent you from being at risk?
    Sweet! I always update my java independently from Mojang. Thanks for the heads up Aikar!
  13. Does anybody know of any mods that allow you to block other player's skins? Not just not see them, but not load them from the server at all?
  14. edit - no longer valid
    Harp4Christ and willies952002 like this.
  15. Hopefully they go with something at least as recent as 1.8.0 update 101, if not newer (preferably 1.8.0 update 171/172)
  16. Good thing to know all my skins I've used since 2017 are custom-made and designed by me :p

    Pays to be an artist in more ways than one... still doesn't mean this isn't horrible :/

    Everyone, if you're an artist and want a custom skin, I advise you to make your own skins -- best way to deal with this problem until then, sadly e_e;
  17. Sweet, another harm exploit for us Windows users...

    I wonder how soon it'll be before this issue has been patched.
  18. edit - see original post


    It appears I may have misread a report of the skins actively being executed by that java exploit.

    Avast only metions "some infected", but did not give much details, and my peers thought maybe the bug was the source.

    It does not appear we have confirmation that the old bug was a vector for triggering the attack.

    So I'm going to reduce the warning down to a "don't download skins, and pay attention to your anti virus if it does go off"

    It should be safe to play, otherwise we would probably of heard more by now.
    607, We3_MPO, Echelon815 and 5 others like this.
  19. I would imagine that Mojang would pull the plug on the session server as well as skin uploads (if not textures all together) if it wasn't safe to play. :p
    607 and IsaacNorman like this.