Third Party Minecraft Skins containing viruses

Discussion in 'Community Discussion' started by Aikar, Apr 17, 2018.

  1. Oh geez...
    Welp, with that in mind, I should probably take a day or two of break from EMC-- sounds about right ._.
    IsaacNorman likes this.
  2. see my updated reply.
    We3_MPO and MagicalGirlRiRi like this.
  3. Thanks for the update. But I'm still going to wait until it's fixed just to be safe.
    ItsDicey and IsaacNorman like this.
  4. Thanx for the PSA, Aikar.
  5. Thanks for the important information!
  6. I have created a video showing me updating Java and how to have Minecraft use it.
    Esrik likes this.
  7. To be honest I don't quite believe the whole thing to be true.

    That is, I could understand skins containing code but I fail to understand how they plan on actually getting this working. See: the report talks about a PowerShell script which should be embedded in the skin. That part I believe, because that's doable.

    But how to get the program to actually execute this PowerShell script? Obviously a buffer overflow of some sort, but if you're going to use that then you'll be needing much more than just a PowerShell script. And if you already have that much access then there are much better ways to exploit it.

    Another reason why I don't believe this is because of the default PowerShell settings themselves. PowerShell is Microsoft's answer to Unix shells and it's a darn good one too. One of the key elements is a very strict ExecutionPolicy.

    Try this yourself:
    • Win-R (run program), then try starting "powershell" (without the quotes, of course).
    • You'll get a PS> (PowerShell) prompt. Try: Get-ExecutionPolicy -List.
      • Tab completion is a thing, so press: get-exec<tab> and so on.

    Your list will probably look different than mine because I changed stuff, but the thing which matters here is CurrentUser and LocalMachine. Most likely no policy is set ("Undefined") which means the default is used, which is Restricted. See also: help about_Execution_Policies:
    • Restricted: Permits individual commands but will not run scripts, Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1) and Windows PowerShell profiles (.ps1).
    • AllSigned: Scripts can be run, requires all scripts and configuration files to be signed by a trusted publisher, including scripts that you write on the local computer.
    • RemoteSigned: Scripts can run, Requires a digital signature on scripts that you have downloaded on the local computer, does not require digital signatures on scripts that you have written on the local computer, runs scripts that are downloaded from the Internet and not signed, risks running unsigned scripts from sources other than the Internet and signed, but malicious, scripts.
    • Unrestricted: Unsigned scripts can run, Warns the user before running scripts and configuration files that are downloaded from the Internet.
    • Bypass: Nothing is blocked and there are no warnings or prompts.
    • Undefined: There is no execution policy set in the current scope, If the execution policy in all scopes is undefined then the effective policy is Restricted, which is the default policy.
    So I have a somewhat hard time believing that a PowerShell script will "just" run and perform all sorts of nastiness. As said, you can even check this for yourselves.

    Note that I'm not saying that you shouldn't be careful at all, but I have some serious doubts about this report and its nature. Avast isn't exactly the best source when it comes to antivirus, and sometimes antivirus companies will even go as far as to launch FUD merely to get themselves better in the picture again.

    Which is easy too: when it comes to news like this then few people will stop to think about what could have happened and most will feel the urge to spread it. Well, Avast's name sure is out in the open now.

    I suppose time will tell :)
    607 likes this.
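As an added example (not the poster's own code), here is a PowerShell audit that does the Get-ExecutionPolicy -List check described in the post and goes one step further: it resolves the effective policy across scopes and reports whether a given downloaded .ps1 file (the path is an assumed sample) would be allowed to run under it.

```powershell
# Added example, not the poster's own code: resolves the effective execution
# policy across scopes, then says whether a sample downloaded .ps1 would run.
function Get-ScriptPolicyReport {
    # Assumed sample path; point it at any .ps1 you downloaded.
    param([string]$Path = "$env:USERPROFILE\Downloads\example.ps1")

    # PowerShell precedence: the first scope that is not Undefined wins.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $byScope = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $byScope[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }
    $effective = 'Restricted'    # default when every scope is Undefined
    $source    = 'default'
    foreach ($scope in $precedence) {
        if ($byScope[$scope] -and $byScope[$scope] -ne 'Undefined') {
            $effective = $byScope[$scope]; $source = $scope; break
        }
    }

    # A browser-saved file carries a Zone.Identifier stream (ZoneId=3 = Internet).
    # RemoteSigned calls such a file "downloaded" and refuses it unless signed.
    $downloaded = $false
    $sigStatus  = 'NotSigned'
    if (Test-Path -LiteralPath $Path) {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $downloaded = [bool]($zone | Where-Object { $_ -match '^ZoneId=3' })
        $sigStatus  = [string](Get-AuthenticodeSignature -FilePath $Path).Status
    }

    $wouldRun = switch ($effective) {
        'Restricted'   { $false }
        'AllSigned'    { $sigStatus -eq 'Valid' }
        'RemoteSigned' { (-not $downloaded) -or ($sigStatus -eq 'Valid') }
        'Unrestricted' { $true }   # prompts first for downloaded files
        'Bypass'       { $true }
        default        { $false }
    }

    [pscustomobject]@{
        EffectivePolicy = $effective
        SetInScope      = $source
        AsReportedByPS  = [string](Get-ExecutionPolicy)
        FileDownloaded  = $downloaded
        SignatureStatus = $sigStatus
        WouldRunAsIs    = $wouldRun
    }
}

Get-ScriptPolicyReport | Format-List
```

Microsoft documents execution policy as a safety feature rather than a security boundary, so a False in WouldRunAsIs is protection against accidentally running a script, not a guarantee against a determined attacker.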
  8. I see the OP has a crossed out section of "Minecraft may lead to infection"....
    In a way, it could, if you don't use the vanilla launcher, nor Technic (correct me if that's the wrong name), but again, that's third party launcher downloads, so avoid third party anything, in general...
    I lost a computer once to Minecraft, because I used a third party launcher... But in all my years of playing, never have I heard of *skins* causing the infection.... Good thing I'm keeping to a borrowed skin instead of trying to change it to fit me...
    Thank you, Aikar.
  9. Is it only a threat if we have it or another player in other words if we made our own skin are we safe?
  10. As I mentioned in my post, there was some confusion about vectors. There is a bug in older versions of Java that can execute code simply by rendering images....

    The wording used by one of my peers sounded as if we had confirmation that these images triggered said vulnerability.

    If this is/was the case, then the original alarm of my PSA would be true, but talking with said peers, I found he did not intend to mean it was actively being used, but theoretically that was their goal.

    Regardless, it's an iffy situation that there is a known bug in Java that Windows users are currently susceptible to, that it appears someone is trying to exploit, and it deserves an alarm.

    But the way Avast worded it as "on the mojang skin servers" gives me alarm that there may be more to it than simply "did you download an infected skin".

    Now, Avast I doubt did anything with malicious intent here. But yes they are getting some free publicity from this.

    The only fault I can really give them is not being more clear about how or what they consider an infection and the risks to non-users.
    607 likes this.
  11. More discussion has been had and Mojang has responded.

    Essentially Avast made some false statements about the nature of this incident, and it was actually not much to be concerned with.

    It appears the only attack vector would be if you downloaded a skin from a site, renamed the file and ran it.

    So as long as you don't do that, no reason to be alarmed.

    Sorry for the panic, but wanted to be on the safe side.
    TheOtherShell, 607, SeflYT and 2 others like this.
  12. We3_MPO likes this.