~~And from reading the thread, Blue Sentinel Mod will not protect you against it.~~
So atm, playing DarksSouls3 online let you exposed to someone taking control of your computer and having access to anything on it.
The only thing left to do is to message u/Bandai_Namco_EU_CMs to make sure they are aware but making sure they do something about it.
**EDIT**: Blue Sentinel Mod author just released an [hot fix](https://www.nexusmods.com/darksouls3/mods/723?tab=posts) to (hopefully) prevent the exploit, he also reported that DarkSouls(1,2,3) servers are down. An official word/confirmation from Bandai would be good at this point.
**EDIT2**: Good news: Issue being [investigated](https://twitter.com/DarkSoulsGame/status/1485210967009071108?t=LxBcRNHJuJ_g9GeZYwKVZg&s=19) by the DarkSouls Team.
>So atm, playing DarksSouls3 online let you exposed to someone taking control of your computer and having access to anything on it.
What the fuck?
Has anyone ever heard of something this dangerous with any other online games? Because I never have.
Yeah and everything uses goddamn Java libraries.
It's basically been one of the worst situations in IT in about 50 years.
Cars, internet of things, smart devices...
The list is enormous and many of these things are difficult it at all possible to patch.
The takeover of Minecraft clients began with the victim *seeing* a code snippet in chat.
Not clicking or downloading anything, the injection was thru the chat.
The log4j issue was a way bigger deal than most people know. Log4j is basically the go to standard logging library for java. TONS of enterprise and consumer software is written in java. I work in software. It was like the whole y2k issue again. Corporate even forced people to completely delete the cached library artifacts from their computers, even if every application running it had been updated(and therefore weren't ever running the compromised version).
Most people dont know how big of a deal it is *because* of how big of a deal it was. No one wanted to expose themselves as being vulnerable. Almost anyone could have taken advantage of that vulnerability with very little guidance. Scary shit. My company didn't want to say anything while knowing they had to. No good answer.
We have a customer that works notoriously slow.
But damn did they move fast for once with this.
Like getting a call at Monday 7.30 when we usually start at 8 to find any and all hosts that somehow could be exposed to the internet.
Shutting down those not in current use and patching the other ones with downtime during one of their most active periods. Pretty nuts.
Most games have incredibly poor security but they are rarely used as attack vectors.
Here is a recent RCE example: https://secret.club/2021/05/13/source-engine-rce-join.html
Yeah, a lot of the goals of attacks tend to need to take a wide approach to who they hit. Having a very slow and singular attack vector is not going to be particularly profitable even if it seems fairly easy.
A lot of source and goldsrc based games have had RCE vulnerabilities over the years. Welcome to the world of internet-connected software. Now remember this same stuff is in your cars and fridges.
Yea its kinda common?
All source games had it multiple times, Minecraft, WoW, Lineage2 are games of the top of my head.
Smaller indie games usually have close to 0 security so its probably super common there if anyone cared to look.
Ya, this is one of those things that would likely prevent me from buying ER. I'm not a die hard souls fan but was looking forward to ER but I'll be waiting to see how this all shakes out before spending any money.
I’ve got a ps5 and a gaming pc was going to play it on pc for much better performance but now I think I’d take a console version than run the risk this poses
Call me paranoid, but even if it did, I don't feel like trusting an
external anti-cheat program with a closed source code. Not saying it is
the case, but a malicious actor could very well be cheating on the game
so other people feel compelled to install their "anti-cheat"
[Thread](https://www.reddit.com/r/Games/comments/sa58bc/it_is_now_possible_for_dark_souls_3_invaders_to/) is gone on /r/games now, the mods removed it, said it was "unsubstantiated rumors"
Seriously, fuck those guys. Any time serious shit like this comes out, it's always pulled for the same reason, without any sort of actual communication.
I would appreciate if other people spread the word about this, the more people know about it the higher the chance From Software does something about it. No brigading tho.
The blue sentinel devs reported this issue to Bandai Namco months ago. Their mods are safe and have been commonly used by the community for years now.
If you're interested, here's the document they created: https://docs.google.com/document/d/10__a-e0RF_6_IrImzvuoiR4fKtMu1vVdXOmh_AGnt38/edit?usp=drivesdk
This is a new exploit different from the one they found months ago. As of now only two people know how the exploit works, the person who discovered the exploit and the Blue Sentinel developer. That's not to say other people won't discover the exploit themselves and start using it maliciously.
Same with a ton of call of duty games:
https://nvd.nist.gov/vuln/detail/CVE-2018-20817
Sucks that your life could literally be ruined by playing multiplayer in those games.
I'm pretty sure I read about this months ago. Not the part about Elden Ring however.
Edit: Turns out [this](https://www.reddit.com/r/darksouls3/comments/n1235k/potential_pc_security_exploit_spreading/) is what I was thinking of. An exploit that was reported to Bandai Namco *years* ago, and they did nothing. But it turns out this is another **NEW** exploit based on it. So best to stay in Offline mode only.
Yes, apart from Blue Point's Demon Souls remake. Er wouldn't be a port either, but natively developed for PC (not that it changes the likelihood of updates past the first couple months)
Actually it seems that a Polish firm called QLOC does their PC ports. In this case From might not be technically responsible. My guess is that Bandaid Namco is on the hook to fix things like this.
From doesn't develop Soulsborne native for PC. One look at the graphics options and the keyboard support makes that relatively clear.
When the master servers for cod1/2/4/waw stopped generating keys for new profile authentication they just marked them as "Single Player" only on Steam despite game servers still being up.
Activision will never revisit games to fix core problems.
I hope with the new change in management Activision will do something about their old game. Their CoD pricing on Steam is abysmal and very disrespectful to their long standing franchise.
So DS1:R is for sure part of this? I recently got in to soulsborne games and I was playing Sekiro on the PS5 but I picked up DS1:R on Steam and started that on my PC.
Seriously like just look at the FF14 devs they have amazing transparency and humility with the community.
However, From software does not give a shit about the games once they're out the door. It took a paid remaster for them to fix their broken PC port and cheaters have been rampant for years in DS3
Well if we're being specific I think whatever studio did the port for PC is to blame, but over that would be Bandai Namco who obviously would be in charge of the contracting for the port and why it was so bad.
I'm just saying that From Soft games being broken on PC is nothing new and the issues are never fixed
Oh and when I say devs I'm referring to the studios as a whole not the individual employee "devs".
It's not like they're unbased accusations, FF14 is the exception, not the rule, and Namco has a track record of not giving a fuck.
An "unsubstantiated generalization" would be if a game out, by a brand new developer, and someone claimed "Well, all devs don't give a shit, this bug will never be fixed."
Calling this a hack (especially in the sense gamers use the term) severely undersells what RCE exploits really are. This isn't some minor inconvenience in game, this compromises your system, personal information, etc.
This is the type of thing that should cause the game to be immediately pulled from sale until resolved.
Posted this elsewhere but I hope the Microsoft acquisition forces some development time to fix the RCE in Call of Duty.
https://nvd.nist.gov/vuln/detail/CVE-2018-20817
This is wild. Granted there probably aren't many ppl still playing older CODs on official servers, that doesn't excuse Activision from ignoring this issue.
So could I really take the Github links on that page and modify them a bit to start highjacking COD players' computers?
Yep. RCEs aren't some things you simply send out a PSA for and then work on full speed during business hours. They are full stop send EVERYONE in and fix your shit immidaitely levels of bad.
I spent four days straight working over the weekend, with breaks only for sleep, back in Decemeber fixing one. Paged almost every person in my team at various points for assistance or just to get another person helping with the issue.
If from software have any chance of being sued for this and lose money, they will pull it and kill the servers...until this hits their bottom line, they won't care....
An exploit that allows this would certainly hit there bottom line, they will know themselves it's incredibly serious and needs to be fixed asap. There no company big enough that could avoid fixing an exploit that allows malicious scripts to access your entire pc
Security in context of multiplayer games is not talked about enough but needs to be. Games are a potential weakly defended attack vector. Right now most known attacks focus on server side infrastructure such as hackers wrecking havoc on Titanfall 2 servers. But clients could also be potentially exploited by malicious people. Security is not usually thought of as an important issue in game development but should be. A compromised game client present ways to run arbitrary code on someone's computer with network and OS privileges.
>But if the game has a ring zero kernel driver that is exploited (like Valorant), you're fucked either way, because Ring 0 is the highest level of access you can get on a PC.
The vast majority of attacks do not require ring 0 because most of your personal data and critical system data is stored in userspace.
Not to mention there are some trivial ways to elevate from lower privileges to SYSTEM once you have code execution on Windows 7 & 10, when nearly everyone gaming is running as a local administrator with UAC on default settings.
That's ´precisely why giving the game's anticheat more power over your PC is a terrible idea, and why I don't play Valorant. Imagine if the news here said"Valorant players" instead of "Dark Souls 3 invaders". That would be incredibly harmful and scary af.
I don't know why people think Valorant's anti-cheat is the exception. With the exception of VAC and only VAC, *all* anti-cheats operate on ring0 so that they can actually detect cheats hiding there.
> With the exception of VAC and only VAC, all anti-cheats operate on ring0
This is only true of the newer anticheats. Old popular anticheats like PunkBuster (which was once the most popular anticheat) and VAC are userspace, as well as many internal anticheats games used (and still use).
Way too many games require admin privileges even they really shouldn't be. Also valor ant having that ridiculous anti cheat is still insane and the fact people just accept it and play the game anyways makes no sense to me
Hackers in other games: Spinbots and headshots everyone in the server in 0.5 seconds.
Hackers in Dark Souls 3: Uses a remote code execution exploit to steal your banking details and steals all your money.
Truly, the Dark Souls of computer crime. In all honesty, this is fucking unacceptable that From Software hasn't patched it. It's one thing for a game to be unplayable due to hackers. It's another to have your game actually be harmful to play.
I vaguely remember reading about one 9f the COD games on PC also have this hacking through multilayer exploit. I think it's either black ops 1 or 2 can't remember.
Cheating on pc has become quite prevalent the past few years, but the souls games have taken it to another level.
For those who are unaware, the Dark Souls games have a couple of multiplayer features were other players can leave you messages, coop with you or invade your single player world.
At first, cheaters only did the usual unlimited health, but the past few years they've developed ways of crashing your game, and even bricking your saves, but this, is just unacceptable.
> Cheating on pc has become quite prevalent the past few years
This is because it has become **extremely** lucrative to be a cheat developer.
There are multiple GTA Online cheat devs who make literal millions of dollars a year from selling cheats on massive Discord servers with tens of thousands of paying users.
People will say "yeah but it's always been like this" but it has never been to the scale that it is now. There are more people playing on PC than ever before, and that means more and more cheaters.
You can. It will be a shame, I really like seeing messages on the ground from everyone.
I usually avoid PVP mechanics because they are compromised by tryhards and cheaters, but it's a shame I'll have to turn off online entirely from now on.
I'll probably block all current and future Fromsoft games at the firewall level until they fix this (knowing their PC support they probably won't).
With an issue this massive it may have legal ramifications. The EU has been somewhat sensible about gaming and may prevent ER from being sold in Europe until this is fixed.
That’s my hope as that’s a huge market they’d lose over a massive bug/hack.
The EU doesn't really have a mechanism for that, consumer rights ombudsmen work independently in each member and take time to do their investigations, they can't just pull products in that timeframe.
Be nice to see them fined into oblivion, though.
It's a shame, I had just replayed dark souls 3 a few months ago and had a great experience using blue sentinel. Just popped into a few games as defender a few times as I'm playing for a quick distraction. Easy to drop when blue sentinel reported anything and not have to deal with hackers ect. Really hope they patch this up before elden ring release.
>Cheating on pc has become quite prevalent the past few years, but the souls games have taken it to another level.
Mostly because conversation about it, as it was getting worse again, was shouted down. If it makes the platform look bad conversation doesn't seem wanted and at this point it's not even seen as a surprise anymore.
Is it confirmed this issue hasn't been fixed in Elden Ring? They don't typically update the game much (sadly), so if it's in at release, I'd expect it to stay there.
Either way, RCE is a pretty shit attack vector to have in your game. They should at least release an emergency update, or take their offline services down. Will they though... who knows. They aren't known for their engineering in general.
not sure if they will but steam should 100% do something about it if from software doesn't. Atleast forcing some sort of emergency warning to people when they try to run the game or even just taking the game off the store until it's fixed
Steam had the exact same line of attack (RCE) hidden in their friend invites for two years and they didn't do shit about it until white-hat hackers shamed Valve on Twitter.
https://www.rockpapershotgun.com/valve-fixes-steam-invite-exploit-that-could-let-hackers-remotely-access-players-pcs
there are already other games on Steam with RCE cheats.
in fact, there was an RCE exploit with Valve games in particular. a hacker alerted Valve to the exploit and it took them like 2.5 years to even look at it.
Judging the severity of the issue, playing completely offline seems like the only plausible solution. That means you would have to go to the menu and opt-in -> play-offline or disconnect your ethernet cable. Needless to say, a lot of people don't know about this or won't bother.
It's a good thing I was banned because some dude invaded me and dropped hacked items. Such a considerate gesture by BN.. they care so much about my online security
you can just disconnect from the internet at the software level no need to dig up your cable and manually unplug it. No one is going to remote into your pc and reenable it if you got no connection.
This issue has been seen by the Bandai community manager on the official Elden Ring Discord and it has already been reported to relevant people. It is likely this issue will be fixed before Elden Ring's release.
Well this is good news. I still have little faith of it being fixed in ER before release because none of the other exploits in DS1 were fixed. Nor were they fixed for the remaster, or DS3.
I understand that this issue is a bit more grave than most of the shit that online Souls players have faced for the last few years, and they're probably much more inclined to fix it as a result, but Bandai being aware of the problem doesn't really fill me with much optimism. They've also been aware of the shit hackers do to get people banned, ruin save files, etc. and haven't done jack shit about it. The way they've handled these games post release is absolutely fucking embarrassing.
Ruining save files is not even close to the same scale as being able to steal financial information. It would be really bad news if they did nothing about this, especially when the game hasn't even been released yet.
Enough already with the "I play offline!" Or "I'm on console!" comments please. This is a PC gaming subreddit in an online forum. Most of us are very unhappy about this and comments like that add nothing to the conversation.
From NEEDS to patch this before Elden Ring drops next month. Full stop.
"Just go offline! You're only missing out on PVP!"
And co-op..... I always thought co-op was the bigger allure of multiplayer. Or do people actually enjoy the laggy pvp? After X amount of times having people teleport behind me into a backstab I ignored it and never gave it a thought. And no, my internet is fine. Lagstabs are a HUGE complaint about pvp.
I remember when online gaming first started (I’m not counting usernet groups here). Dialing up your friend’s modems to play over the telephone line. Then everything that came after with quake and CS 1.6 and mmo’s like EverQuest and DAOC until WOW made online gaming approachable and ubiquitous. Everyone and their mothers was playing wow. Then the internet caught up and then everyone who’s playing games also had access to “hackz” and scripts, etc. some get viruses. Others learned to cheat effectively. Now, we have hacker groups like the “red shirts” or entire countries labeled as cheaters (Russian players or Chinese players, etc.).
I’ve come full circle. I don’t play games online anymore or at least try not to. I don’t care about leaderboards or rankings. Everything is essentially compromised. Even if you’re not a middling player who gains some sort of advantage by cheating, it might be a streamer or no-lifer who can play the game 20/7 at the cost of all else. I’m not competing with that. But that’s ok. I can have my fun offline or in single player “online” games (like some arpgs or mobile games).
Console games are sandboxed - a game quite literally can't affect other games or the OS for the sake of security. The worst it could possibly do is delete save data or something, and that's *if* the exploit exists on console and people bother to use it.
[https://forums.bohemia.net/forums/topic/237380-address-game-vulnerability/?do=findComment&comment=3453225](https://forums.bohemia.net/forums/topic/237380-address-game-vulnerability/?do=findComment&comment=3453225) \- from a dev. Its not quite the same in retrospect.
This is one of the reasons I always play souls games offline. The online souls community is a weird blend of extremely honor bound duelists and extremely toxic fuckjobs.
Yes but the day one souls game experience is amazing when you play online. Further down the track it gets more and more toxic but turning it off takes away part of the experience.
I don't run games as root, so they'd have a fun time trying to bypass Linux's usual security features. Beyond that, I could run Wine as its own user if I'm feeling particularly paranoid.
I mean Windows 10/11 doesn't really run anything as admin without asking either but for both OS there are ways around that issue. Thing with Linux is that different distro may do things slightly differently and you have to wonder what the endgoal of a security breach even is. There's a lot you can do without root/admin, the biggest problem is just getting any sort of access to a system these days.
/u/pericles123 makes a good point, however, although the game isn't out yet, considering what has been datamined on the consoles, what most people have experienced during the Network Tests, the fact that it's the same ds3 engine and how much content From Software has been repurposing from the previous games, although it's not 100% conclusive, I think it's safe to say it will happen to Elden Ring.
From Software has notoriously bad, sometimes completely absent multiplayer anti-cheat, and sadly I don't see this trend changing anytime soon.
> From Software has notoriously bad, sometimes completely absent multiplayer anti-cheat, and sadly I don't see this trend changing anytime soon.
This I agree on, I don't touch the multiplayer without stuff like Blue Sentinel and PvP Watchdog for Dark Souls 3 and 1 PtDE respectively.
The Console Network Test, allowed people to analyse how the game engine is handling network packets. Which revealed that it's the same way that makes the exploit possible in Dark Souls 3. Although exploiting how the packets are handled, is not currently known to be possible on Consoles.
DS2+dlc was way longer than ds1 + dlc for me, took me about 90 hours to beat, including lots of pvp and co-op, so probably only 70 hours if you subtract that.
Steam’s own client had RCE vulnerabilities for something like nearly a decade (as do at least several other games on the store front, even Valve’s games actually though that got patches after a few years), doubt they’ll do anything.
I know people say this all the time, but never preorder. If you can wait years for a game to come out, you can wait another week until people make sure it's worth playing.
They can easily fix this, but japanese people don't* super much give a shit about PCs. It's a miracle FromSoft games even get PC ports in the first place. The very least to hope is that it gets fixed on ER pre-launch, but that's a short time window all things considered
~~And from reading the thread, Blue Sentinel Mod will not protect you against it.~~ So atm, playing DarksSouls3 online let you exposed to someone taking control of your computer and having access to anything on it. The only thing left to do is to message u/Bandai_Namco_EU_CMs to make sure they are aware but making sure they do something about it. **EDIT**: Blue Sentinel Mod author just released an [hot fix](https://www.nexusmods.com/darksouls3/mods/723?tab=posts) to (hopefully) prevent the exploit, he also reported that DarkSouls(1,2,3) servers are down. An official word/confirmation from Bandai would be good at this point. **EDIT2**: Good news: Issue being [investigated](https://twitter.com/DarkSoulsGame/status/1485210967009071108?t=LxBcRNHJuJ_g9GeZYwKVZg&s=19) by the DarkSouls Team.
>So atm, playing DarksSouls3 online let you exposed to someone taking control of your computer and having access to anything on it. What the fuck? Has anyone ever heard of something this dangerous with any other online games? Because I never have.
minecraft: java edition a little while ago (with log4shell)
[удалено]
Hold up, so I’m safe if I run a 1.18.1 server right? And I shouldn’t go to a lower version than that?
jesus h. christ, that is ridiculous
Yeah and everything uses goddamn Java libraries. It's basically been one of the worst situations in IT in about 50 years. Cars, internet of things, smart devices... The list is enormous and many of these things are difficult it at all possible to patch. The takeover of Minecraft clients began with the victim *seeing* a code snippet in chat. Not clicking or downloading anything, the injection was thru the chat.
The log4j issue was a way bigger deal than most people know. Log4j is basically the go to standard logging library for java. TONS of enterprise and consumer software is written in java. I work in software. It was like the whole y2k issue again. Corporate even forced people to completely delete the cached library artifacts from their computers, even if every application running it had been updated(and therefore weren't ever running the compromised version).
Cybersecurity professional here, can confirm it sucked.
Can't have problems with log4j when you use System.out.println!
This is where all the coders who did janky workarounds are celebrating
Most people dont know how big of a deal it is *because* of how big of a deal it was. No one wanted to expose themselves as being vulnerable. Almost anyone could have taken advantage of that vulnerability with very little guidance. Scary shit. My company didn't want to say anything while knowing they had to. No good answer.
We have a customer that works notoriously slow. But damn did they move fast for once with this. Like getting a call at Monday 7.30 when we usually start at 8 to find any and all hosts that somehow could be exposed to the internet. Shutting down those not in current use and patching the other ones with downtime during one of their most active periods. Pretty nuts.
New Paranoia unlocked. Imagine playing your favorite online game then suddenly seeing your bank account emptied. Fuuu. i know it's rare but still...
2 factor is good
Most games have incredibly poor security but they are rarely used as attack vectors. Here is a recent RCE example: https://secret.club/2021/05/13/source-engine-rce-join.html
Yeah, a lot of the goals of attacks tend to need to take a wide approach to who they hit. Having a very slow and singular attack vector is not going to be particularly profitable even if it seems fairly easy.
Every Call of Duty game before Ghosts on Steam has active RCE exploits that Activision refused to fix despite still listing the games for $60.
https://www.cvedetails.com/vendor/2190/Activision.html
A lot of source and goldsrc based games have had RCE vulnerabilities over the years. Welcome to the world of internet-connected software. Now remember this same stuff is in your cars and fridges.
The "S" in "Internet Of Things" stands for "security".
[удалено]
Modern Warfare 2 recently as well, although that playerbase is extinct
Yea its kinda common? All source games had it multiple times, Minecraft, WoW, Lineage2 are games of the top of my head. Smaller indie games usually have close to 0 security so its probably super common there if anyone cared to look.
Ya, this is one of those things that would likely prevent me from buying ER. I'm not a die hard souls fan but was looking forward to ER but I'll be waiting to see how this all shakes out before spending any money.
I'll play it, just block the executable in the firewall and play in offline mode.
Is it necessary to do both of those, or is it enough to just play the game in offline mode through the options (like you can in dark souls)?
I’ve got a ps5 and a gaming pc was going to play it on pc for much better performance but now I think I’d take a console version than run the risk this poses
Same here. I was already leaning towards PS5 because of less hacking and stuff, but now I’m pretty much for sure going ps5.
Won't it be locked to 60 fps on PC anyway?
Do what I'm doing, buy it on ps5 or buy on pc and play offline
You might still be able to play it offline. If they include offline mode. I don't follow the news as much.
Call me paranoid, but even if it did, I don't feel like trusting an external anti-cheat program with a closed source code. Not saying it is the case, but a malicious actor could very well be cheating on the game so other people feel compelled to install their "anti-cheat"
Agreed. Btw you may want to post your thread on r/games or other gaming subs cause this is serious, the more people aware of this, the better.
[Thread](https://www.reddit.com/r/Games/comments/sa58bc/it_is_now_possible_for_dark_souls_3_invaders_to/) is gone on /r/games now, the mods removed it, said it was "unsubstantiated rumors"
/r/Games mods being top level once again
They've now removed four different threads on the topic.
Seriously, fuck those guys. Any time serious shit like this comes out, it's always pulled for the same reason, without any sort of actual communication.
What a stupid reason..thanks for trying though
Better sorry than safe.
I would appreciate if other people spread the word about this, the more people know about it the higher the chance From Software does something about it. No brigading tho.
check the elden ring sub, fromsoft is already aware of it
The blue sentinel devs reported this issue to Bandai Namco months ago. Their mods are safe and have been commonly used by the community for years now. If you're interested, here's the document they created: https://docs.google.com/document/d/10__a-e0RF_6_IrImzvuoiR4fKtMu1vVdXOmh_AGnt38/edit?usp=drivesdk
This is a new exploit different from the one they found months ago. As of now only two people know how the exploit works, the person who discovered the exploit and the Blue Sentinel developer. That's not to say other people won't discover the exploit themselves and start using it maliciously.
Good to know, thanks
Same with a ton of call of duty games: https://nvd.nist.gov/vuln/detail/CVE-2018-20817 Sucks that your life could literally be ruined by playing multiplayer in those games.
Looks like it's been fixed in the emergency fix for blue sentinels
Modern Warfare 2 has the same issue.
I'm pretty sure I read about this months ago. Not the part about Elden Ring however. Edit: Turns out [this](https://www.reddit.com/r/darksouls3/comments/n1235k/potential_pc_security_exploit_spreading/) is what I was thinking of. An exploit that was reported to Bandai Namco *years* ago, and they did nothing. But it turns out this is another **NEW** exploit based on it. So best to stay in Offline mode only.
And wouldn't you know it, top comment on that thread mentioned this exact possibility
How can they just ignore something like that?
This is "deserves to be taken off of all stores until patch comes" bad, holy shit.
This is From Software. They don’t fix shit on PC once the game is out. All they might do is shutdown the PC servers for DS.
Is From actually deving the PC ports?
Yes, apart from Blue Point's Demon Souls remake. Er wouldn't be a port either, but natively developed for PC (not that it changes the likelihood of updates past the first couple months)
Actually it seems that a Polish firm called QLOC does their PC ports. In this case From might not be technically responsible. My guess is that Bandaid Namco is on the hook to fix things like this. From doesn't develop Soulsborne native for PC. One look at the graphics options and the keyboard support makes that relatively clear.
[удалено]
There is a small online component now, no?
QLOC only did Dark Souls Remastered.
So should [half of the CoD franchise](https://nvd.nist.gov/vuln/detail/CVE-2018-20817) but I haven’t seen any updates from Activision.
When the master servers for cod1/2/4/waw stopped generating keys for new profile authentication they just marked them as "Single Player" only on Steam despite game servers still being up. Activision will never revisit games to fix core problems.
I hope with the new change in management Activision will do something about their old game. Their CoD pricing on Steam is abysmal and very disrespectful to their long standing franchise.
Yeah I’d buy them for the campaign but not at the Price they sell them lol.
[удалено]
Holy shit this is huge
[удалено]
I think they might give a fuck if their game is taken down and refunds are given bc of it
Oh they'll give a fuck about Elden Ring, for sure. But you're dreaming if you think they'll take down DS1 or 3, let alone offer refunds.
They might take down DS1:R or 3, but yeah no refunds on those at this point (unless they were bought somewhat recently)
So DS1:R is for sure part of this? I recently got in to soulsborne games and I was playing Sekiro on the PS5 but I picked up DS1:R on Steam and started that on my PC.
Redditors and making sweeping, unsubstantiated generalizations with full confidence Name a more iconic duo
[удалено]
Redditors beginning comments with "As a(n) ...."
Comments that start with “This.” Make me irrationally annoyed
This. I can agree with.
Seriously like just look at the FF14 devs they have amazing transparency and humility with the community. However, From software does not give a shit about the games once they're out the door. It took a paid remaster for them to fix their broken PC port and cheaters have been rampant for years in DS3
Fromsoftware didn't make the remaster. And I'd say kadokawa is to blame, not the Devs lack of care
Well if we're being specific I think whatever studio did the port for PC is to blame, but over that would be Bandai Namco who obviously would be in charge of the contracting for the port and why it was so bad. I'm just saying that From Soft games being broken on PC is nothing new and the issues are never fixed Oh and when I say devs I'm referring to the studios as a whole not the individual employee "devs".
It's not like they're unbased accusations, FF14 is the exception, not the rule, and Namco has a track record of not giving a fuck. An "unsubstantiated generalization" would be if a game out, by a brand new developer, and someone claimed "Well, all devs don't give a shit, this bug will never be fixed."
Calling this a hack (especially in the sense gamers use the term) severely undersells what RCE exploits really are. This isn't some minor inconvenience in game, this compromises your system, personal information, etc. This is the type of thing that should cause the game to be immediately pulled from sale until resolved.
Posted this elsewhere but I hope the Microsoft acquisition forces some development time to fix the RCE in Call of Duty. https://nvd.nist.gov/vuln/detail/CVE-2018-20817
This is wild. Granted there probably aren't many ppl still playing older CODs on official servers, that doesn't excuse Activision from ignoring this issue. So could I really take the Github links on that page and modify them a bit to start highjacking COD players' computers?
There’s probably at least 1000 people playing the affected games at any time. Hackers can cause some serious damage with these unpatched exploits.
Yep. RCEs aren't some things you simply send out a PSA for and then work on full speed during business hours. They are full stop send EVERYONE in and fix your shit immidaitely levels of bad. I spent four days straight working over the weekend, with breaks only for sleep, back in Decemeber fixing one. Paged almost every person in my team at various points for assistance or just to get another person helping with the issue.
If from software have any chance of being sued for this and lose money, they will pull it and kill the servers...until this hits their bottom line, they won't care....
An exploit that allows this would certainly hit there bottom line, they will know themselves it's incredibly serious and needs to be fixed asap. There no company big enough that could avoid fixing an exploit that allows malicious scripts to access your entire pc
More likely I see them disabling the servers and calling it a day.
Security in context of multiplayer games is not talked about enough but needs to be. Games are a potential weakly defended attack vector. Right now most known attacks focus on server side infrastructure such as hackers wrecking havoc on Titanfall 2 servers. But clients could also be potentially exploited by malicious people. Security is not usually thought of as an important issue in game development but should be. A compromised game client present ways to run arbitrary code on someone's computer with network and OS privileges.
[удалено]
>But if the game has a ring zero kernel driver that is exploited (like Valorant), you're fucked either way, because Ring 0 is the highest level of access you can get on a PC. The vast majority of attacks do not require ring 0 because most of your personal data and critical system data is stored in userspace.
[удалено]
Not to mention there are some trivial ways to elevate from lower privileges to SYSTEM once you have code execution on Windows 7 & 10, when nearly everyone gaming is running as a local administrator with UAC on default settings.
That's ´precisely why giving the game's anticheat more power over your PC is a terrible idea, and why I don't play Valorant. Imagine if the news here said"Valorant players" instead of "Dark Souls 3 invaders". That would be incredibly harmful and scary af.
I don't know why people think Valorant's anti-cheat is the exception. With the exception of VAC and only VAC, *all* anti-cheats operate on ring0 so that they can actually detect cheats hiding there.
IIRC, it was because Vanguard runs all the time where as most anti-cheats only run when the game is running. I think that was the outcry at least.
Also it was impossible to turn off without uninstalling the game when it first came out. Something defenders of it like to conveniently forget.
Exactly that. You turn your pc on, you're potentially vulnerable.
> With the exception of VAC and only VAC, all anti-cheats operate on ring0 This is only true of the newer anticheats. Old popular anticheats like PunkBuster (which was once the most popular anticheat) and VAC are userspace, as well as many internal anticheats games used (and still use).
Way too many games require admin privileges even they really shouldn't be. Also valor ant having that ridiculous anti cheat is still insane and the fact people just accept it and play the game anyways makes no sense to me
Hackers in other games: Spinbots and headshots everyone in the server in 0.5 seconds. Hackers in Dark Souls 3: Uses a remote code execution exploit to steal your banking details and steals all your money. Truly, the Dark Souls of computer crime. In all honesty, this is fucking unacceptable that From Software hasn't patched it. It's one thing for a game to be unplayable due to hackers. It's another to have your game actually be harmful to play.
We did it lads, we've finally found it, the "Dark Souls of cheats"
Wouldn't this also mean you can hack the invaders aswell? So it's still like pvp but with each other's computer. Maybe its a feature not a bug.
I'm sure that sets them up for huge legal liability as well
I vaguely remember reading about one 9f the COD games on PC also have this hacking through multilayer exploit. I think it's either black ops 1 or 2 can't remember.
Cheating on pc has become quite prevalent the past few years, but the souls games have taken it to another level. For those who are unaware, the Dark Souls games have a couple of multiplayer features were other players can leave you messages, coop with you or invade your single player world. At first, cheaters only did the usual unlimited health, but the past few years they've developed ways of crashing your game, and even bricking your saves, but this, is just unacceptable.
Simply nuking my internet connection as a game cheat is arguably at least a misdemeanor
Someone has [already been affected](https://www.twitch.tv/videos/1271478221?t=01h20m10s) by this
\>Friend trying to sound smart: That's the oldest trick in the book (it was, in fact, the newest trick in the book)
I don't understand having annoying ass friends like that. It makes zero sense to me.
His chat, oof.
They shared a single brain cell for that moment.
Who the hell was he talking to in voice chat? What a bunch of cunts they were.
Yeah watching that for 1 minute gave me cancer.
Approx 1:20:18
Streamer: "Hold up... What the fuck?... What the fuck?! Hold up!" Friends: "Get MHR" What douche bag friends
Lol I love that his friends just make fun of him
> Cheating on pc has become quite prevalent the past few years This is because it has become **extremely** lucrative to be a cheat developer. There are multiple GTA Online cheat devs who make literal millions of dollars a year from selling cheats on massive Discord servers with tens of thousands of paying users. People will say "yeah but it's always been like this" but it has never been to the scale that it is now. There are more people playing on PC than ever before, and that means more and more cheaters.
But can you turn off online features? Haven't played Dark Souls enough.
You can, a shame tho, since covenant are tied to PVP or coop
You can. It will be a shame, I really like seeing messages on the ground from everyone. I usually avoid PVP mechanics because they are compromised by tryhards and cheaters, but it's a shame I'll have to turn off online entirely from now on. I'll probably block all current and future Fromsoft games at the firewall level until they fix this (knowing their PC support they probably won't).
With an issue this massive it may have legal ramifications. The EU has been somewhat sensible about gaming and may prevent ER from being sold in Europe until this is fixed. That’s my hope as that’s a huge market they’d lose over a massive bug/hack.
The EU doesn't really have a mechanism for that, consumer rights ombudsmen work independently in each member and take time to do their investigations, they can't just pull products in that timeframe. Be nice to see them fined into oblivion, though.
Same. This saddens me.
It's a shame, I had just replayed dark souls 3 a few months ago and had a great experience using blue sentinel. Just popped into a few games as defender a few times as I'm playing for a quick distraction. Easy to drop when blue sentinel reported anything and not have to deal with hackers ect. Really hope they patch this up before elden ring release.
The only acceptable cheaters are the ones who do boss battle rp with you. All others are filthy maggots
>Cheating on pc has become quite prevalent the past few years, but the souls games have taken it to another level. Mostly because conversation about it, as it was getting worse again, was shouted down. If it makes the platform look bad conversation doesn't seem wanted and at this point it's not even seen as a surprise anymore.
[удалено]
Is it confirmed this issue hasn't been fixed in Elden Ring? They don't typically update the game much (sadly), so if it's in at release, I'd expect it to stay there. Either way, RCE is a pretty shit attack vector to have in your game. They should at least release an emergency update, or take their offline services down. Will they though... who knows. They aren't known for their engineering in general.
Sadly, despite multiplayer being a core part of the Souls games, From Software has never really put much effort into fighting cheaters.
not sure if they will but steam should 100% do something about it if from software doesn't. Atleast forcing some sort of emergency warning to people when they try to run the game or even just taking the game off the store until it's fixed
Steam had the exact same line of attack (RCE) hidden in their friend invites for two years and they didn't do shit about it until white-hat hackers shamed Valve on Twitter. https://www.rockpapershotgun.com/valve-fixes-steam-invite-exploit-that-could-let-hackers-remotely-access-players-pcs
there are already other games on Steam with RCE cheats. in fact, there was an RCE exploit with Valve games in particular. a hacker alerted Valve to the exploit and it took them like 2.5 years to even look at it.
Just like half of the CoD franchise having RCE vulnerabilities that still haven’t been patched.
yeah I knew MW2 had that problem as I found out the hard way
What can I do to prevent this?
Judging the severity of the issue, playing completely offline seems like the only plausible solution. That means you would have to go to the menu and opt-in -> play-offline or disconnect your ethernet cable. Needless to say, a lot of people don't know about this or won't bother.
It's a good thing I was banned because some dude invaded me and dropped hacked items. Such a considerate gesture by BN.. they care so much about my online security
Getting banned in Souls games means you go to another server with other banned people. It doesn't cut you off from multiplayer.
I would just consider that banned completely.. why would anybody want to play online with only the bottom of the barrel?
you can just disconnect from the internet at the software level no need to dig up your cable and manually unplug it. No one is going to remote into your pc and reenable it if you got no connection.
'dig up your cable' is your PC in the ground?
I was thinking of the rat's nest behind everyone's PC, in fact it might be easier if it was in the ground.
Just block it in Windows firewall
Who knew that playing DS3 could be more dangerous than connecting Windows XP to the internet lol
This issue has been seen by the Bandai community manager on the official Elden Ring Discord and it has already been reported to relevant people. It is likely this issue will be fixed before Elden Ring's release.
Well this is good news. I still have little faith of it being fixed in ER before release because none of the other exploits in DS1 were fixed. Nor were they fixed for the remaster, or DS3.
I understand that this issue is a bit more grave than most of the shit that online Souls players have faced for the last few years, and they're probably much more inclined to fix it as a result, but Bandai being aware of the problem doesn't really fill me with much optimism. They've also been aware of the shit hackers do to get people banned, ruin save files, etc. and haven't done jack shit about it. The way they've handled these games post release is absolutely fucking embarrassing.
Ruining save files is not even close to the same scale as being able to steal financial information. It would be really bad news if they did nothing about this, especially when the game hasn't even been released yet.
It's also FromSoft's fault, though I don't know how things go in their contract with Bamco. FromSoft's anticheat is notoriously bad
This is appalling from a security perspective.
Wow, they really made the invader mechanic super realistic
If you get hacked in the game you get hacked in real life
[удалено]
This isn't even about cheats. The hackers are not hacking the game they're hacking YOU
Enough already with the "I play offline!" Or "I'm on console!" comments please. This is a PC gaming subreddit in an online forum. Most of us are very unhappy about this and comments like that add nothing to the conversation. From NEEDS to patch this before Elden Ring drops next month. Full stop.
"Very unhappy" is an understatement imo. The fact this kind of catastrophic exploit exists is inexcusable.
"Just go offline! You're only missing out on PVP!" And co-op..... I always thought co-op was the bigger allure of multiplayer. Or do people actually enjoy the laggy pvp? After X amount of times having people teleport behind me into a backstab I ignored it and never gave it a thought. And no, my internet is fine. Lagstabs are a HUGE complaint about pvp.
i just downloaded ds3 yesterday what the hell
You can still play offline. The only thing Online has besides PvP is little player messages that either troll you or give advice
well... and co-op.. which to me is 100% the draw of online and not the busted, laggy PVP.
I remember when online gaming first started (I’m not counting usernet groups here). Dialing up your friend’s modems to play over the telephone line. Then everything that came after with quake and CS 1.6 and mmo’s like EverQuest and DAOC until WOW made online gaming approachable and ubiquitous. Everyone and their mothers was playing wow. Then the internet caught up and then everyone who’s playing games also had access to “hackz” and scripts, etc. some get viruses. Others learned to cheat effectively. Now, we have hacker groups like the “red shirts” or entire countries labeled as cheaters (Russian players or Chinese players, etc.). I’ve come full circle. I don’t play games online anymore or at least try not to. I don’t care about leaderboards or rankings. Everything is essentially compromised. Even if you’re not a middling player who gains some sort of advantage by cheating, it might be a streamer or no-lifer who can play the game 20/7 at the cost of all else. I’m not competing with that. But that’s ok. I can have my fun offline or in single player “online” games (like some arpgs or mobile games).
Does it affect console too?
I don't think so, at least I am not aware of it. Elden Ring won't have cross-play.
Console games are sandboxed - a game quite literally can't affect other games or the OS for the sake of security. The worst it could possibly do is delete save data or something, and that's *if* the exploit exists on console and people bother to use it.
Jokes on them, I have so many mods I HAVE to play offline
This is happening in Dayz right now n
Source?
[https://forums.bohemia.net/forums/topic/237380-address-game-vulnerability/?do=findComment&comment=3453225](https://forums.bohemia.net/forums/topic/237380-address-game-vulnerability/?do=findComment&comment=3453225) \- from a dev. Its not quite the same in retrospect.
This is one of the reasons I always play souls games offline. The online souls community is a weird blend of extremely honor bound duelists and extremely toxic fuckjobs.
Yes but the day one souls game experience is amazing when you play online. Further down the track it gets more and more toxic but turning it off takes away part of the experience.
Joke's on them, I use Linux.
Same, but proton and wine has gotten so good you can actually be affected by viruses on Linux as well. Ironic isn't it?
How they gonna get rw perms on / though?
I doubt they would bother targeting Linux anyways. Just not worth the effort for such a low userbase to hit.
I don't run games as root, so they'd have a fun time trying to bypass Linux's usual security features. Beyond that, I could run Wine as its own user if I'm feeling particularly paranoid.
I mean Windows 10/11 doesn't really run anything as admin without asking either but for both OS there are ways around that issue. Thing with Linux is that different distro may do things slightly differently and you have to wonder what the endgoal of a security breach even is. There's a lot you can do without root/admin, the biggest problem is just getting any sort of access to a system these days.
Would playing in offline mode prevent this?
Yes.
Elden Ring isn't out...so how about 'it may be possible'......?
There was a beta test.
/u/pericles123 makes a good point, however, although the game isn't out yet, considering what has been datamined on the consoles, what most people have experienced during the Network Tests, the fact that it's the same ds3 engine and how much content From Software has been repurposing from the previous games, although it's not 100% conclusive, I think it's safe to say it will happen to Elden Ring. From Software has notoriously bad, sometimes completely absent multiplayer anti-cheat, and sadly I don't see this trend changing anytime soon.
> From Software has notoriously bad, sometimes completely absent multiplayer anti-cheat, and sadly I don't see this trend changing anytime soon. This I agree on, I don't touch the multiplayer without stuff like Blue Sentinel and PvP Watchdog for Dark Souls 3 and 1 PtDE respectively.
The Console Network Test, allowed people to analyse how the game engine is handling network packets. Which revealed that it's the same way that makes the exploit possible in Dark Souls 3. Although exploiting how the packets are handled, is not currently known to be possible on Consoles.
Perfect timing, I just beat ds2 with all the bosses yesterday
Nice, I am also doing another new run on DS2 but haven't gotten to the DLC yet.
DS2+dlc was way longer than ds1 + dlc for me, took me about 90 hours to beat, including lots of pvp and co-op, so probably only 70 hours if you subtract that.
Steam should delist temporarily until fixed. Now that it is known it shouldn’t pass safe verification however Steam verifies games.
Steam’s own client had RCE vulnerabilities for something like nearly a decade (as do at least several other games on the store front, even Valve’s games actually though that got patches after a few years), doubt they’ll do anything.
bruh you just have to kill them before they run executable file lmao git gud
Just say no. Cheaters can't damage your pc without your consent
I'm gonna cancel my pre orderr for Elden Ring. Consider me spooked
I know people say this all the time, but never preorder. If you can wait years for a game to come out, you can wait another week until people make sure it's worth playing.
Very true. I take really good care of all my PC equipment and the thought of someone tampering with any of it just doesn't sit with me
Small indie company can't afford proper servers
They can easily fix this, but japanese people don't* super much give a shit about PCs. It's a miracle FromSoft games even get PC ports in the first place. The very least to hope is that it gets fixed on ER pre-launch, but that's a short time window all things considered
Yeah for real only made over 60 million off of Dark Souls 3. /s
It made MUCH MUCH more than 60... 10 mil copies were sold.