Patching a Zero Day Exploit
On April 7th, we received reports from multiple users regarding a mod that was allegedly generating malicious code when run. We immediately investigated the mod in question, which contained heavily obfuscated code, and confirmed that it was creating malicious files outside of the Project Zomboid directory.
Further investigation revealed that the same user had uploaded a total of 14 mods, all containing the same exploit. These mods had been installed on between 500 and 2200 devices. The user has since been banned, and all affected mods have been removed from the Steam Workshop.
At this time, the full scope and behavior of the malicious files have not been fully determined. However, because these mods were capable of creating files outside the game directory, we strongly recommend that anyone who downloaded them take appropriate security measures to ensure their system is safe. Simply uninstalling the mods is not sufficient.
[h3]Affected Mods[/h3]
- Risk of Rain 2 OST (True MoooZIC)
Workshop ID: 3681934105 - Mod ID: RiskOfRain2Music
- Risk of Rain 1 OST (True MoooZIC)
Workshop ID: 3681810963 - Mod ID: RiskOfRain1Music
- NieR: Automata OST (True MoooZIC)
Workshop ID: 3681765529 - Mod ID: NierAutomataMusic
- Katana ZERO OST (True MoooZIC)
Workshop ID: 3681764942 - Mod ID: KatanaZeroMusic
- Persona 5 OST (True MoooZIC)
Workshop ID: 3681756112 - Mod ID: Persona5Music
- Jujutsu Kaisen S1 OST (True MoooZIC)
Workshop ID: 3681755051 - Mod ID: JujutsuKaisenMusic
- Hotline Miami 2: Wrong Number OST (True MoooZIC)
Workshop ID: 3681719339 - Mod ID: HotlineMiami2Music
- Hotline Miami OST (True MoooZIC)
Workshop ID: 3681718339 - Mod ID: HotlineMiami1Music
- Silent Hill OST (True MoooZIC)
Workshop ID: 3681477980 - Mod ID: SilentHillMusic
- Cowboy Bebop OST (True MoooZIC)
Workshop ID: 3681476976 - Mod ID: CowboyBebopMusic
- Metal Gear Rising: Revengeance Vocal Tracks (True MoooZIC)
Workshop ID: 3681339955 - Mod ID: MGRRevengeanceMusic
- Classic Roblox Music (True MoooZIC)
Workshop ID: 3681335952 - Mod ID: RobloxClassicMusic
- DELTARUNE Ch3+4 Music (True MoooZIC)
Workshop ID: 3681334251 - Mod ID: DeltaruneCh34Music
- Minecraft Alpha+Beta OST (True MoooZIC)
Workshop ID: 3680972796 - Mod ID: MinecraftClassicMusic
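To check whether any of the mods listed above are or were present on a machine, the following added example (not code from the Project Zomboid developers) walks a folder such as a Steam library or the Zomboid user folder and reports matches. It assumes Steam keeps each Workshop item in a folder named after its Workshop ID and that each mod declares its Mod ID on an `id=` line in a `mod.info` file; the function name `scan` is hypothetical.

```python
import re
import sys
from pathlib import Path

# Workshop ID -> Mod ID, copied from the Affected Mods list above.
AFFECTED = {
    "3681934105": "RiskOfRain2Music",
    "3681810963": "RiskOfRain1Music",
    "3681765529": "NierAutomataMusic",
    "3681764942": "KatanaZeroMusic",
    "3681756112": "Persona5Music",
    "3681755051": "JujutsuKaisenMusic",
    "3681719339": "HotlineMiami2Music",
    "3681718339": "HotlineMiami1Music",
    "3681477980": "SilentHillMusic",
    "3681476976": "CowboyBebopMusic",
    "3681339955": "MGRRevengeanceMusic",
    "3681335952": "RobloxClassicMusic",
    "3681334251": "DeltaruneCh34Music",
    "3680972796": "MinecraftClassicMusic",
}
AFFECTED_MOD_IDS = set(AFFECTED.values())
# Assumption: each mod declares its Mod ID in a mod.info file as "id=<ModID>".
ID_LINE = re.compile(r"^\s*id\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

def scan(root):
    """Return sorted (path, reason) pairs for traces of the affected mods under root."""
    root = Path(root)
    if not root.is_dir():
        return []
    findings = []
    for path in root.rglob("*"):
        try:
            # Assumption: Steam keeps each Workshop item in a folder named after its ID.
            if path.is_dir() and path.name in AFFECTED:
                findings.append((str(path), "workshop folder: " + AFFECTED[path.name]))
            elif path.is_file() and path.name.lower() == "mod.info":
                text = path.read_text(encoding="utf-8", errors="replace")
                for mod_id in ID_LINE.findall(text):
                    if mod_id in AFFECTED_MOD_IDS:
                        findings.append((str(path), "mod.info declares: " + mod_id))
        except OSError:
            continue  # unreadable entry; skip it and keep scanning
    return sorted(findings)

if __name__ == "__main__":
    for found_path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{found_path}")
```

A match only shows that one of the listed mods is on disk. It does not find the files the mods created outside the game directory, and an empty result does not show that a mod was never installed.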
[h3]Additional Information[/h3]
This exploit only affected Build 42 branches. Build 41 was not vulnerable to this specific issue.
The security updates released for Build 41 today address a separate vulnerability identified during an internal audit. At this time, we have found no evidence that this separate vulnerability has been exploited.
As with previous security fixes, we have updated the outdatedunstable branch to match the unstable branch to avoid leaving a known vulnerability accessible. Going forward, outdatedunstable will continue to lag one content update behind unstable.
As always, discussions regarding this update can be found pinned to the Project Zomboid Discussions Forums here.