
Following the discovery of a security issue in the Unity Web Player plugin that can allow an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services (thanks to researcher Jouko Pynnonen for pointing this out), we’ve been working hard to get the issue fixed.

With Jouko’s help, we’ve identified all codepaths leading to these vulnerabilities and have developed fixes. Tests for the fixes are going well and we’re working hard to make sure everything is right. We’re looking to be ready to go for Monday afternoon (Central European Time).

We’ll keep you posted on developments if there are any during the weekend.

UPDATE (6/8/2015): 4.6.6f2 update is now live and addresses the security issues. 5.0.3f2 is currently in the final phases of testing and will be released Tuesday. Additionally at that time, the Web Player client will be automatically updated when a user tries to load any Unity Web Player content.

UPDATE (6/9/2015): Both 4.6.6f2 and 5.0.3f2 are now live to address the Web Player security issues. These patches are meant for developers building games for the Web Player with Unity. For end users, the Web Player client will now automatically be updated to the fixed version when a user tries to load Web Player content of any kind. This update is seamless and behind the scenes without any further input needed from users. For those that are interested in downloading the newest version of the Web Player on their own, they can do so by visiting

16 replies on “Security Update Coming for Web Player”

To: Karel Lejska (you don’t have a reply link available, so…)

1) And you, of course, can tell me how you can get your hands on the Unity 5 building process to do that.
I don’t see, why unpacked-obfuscated-repacked unity web packages won’t work on other
systems. Tested so far: PC win & Linux.

2) “in matter of months”: And cows are flying. Yeah. Dream on.
“don’t waste your time”: No, I don’t! I’m just testing all new obfuscator builds.
I haven’t enough time to fight with undocumented structures.

However. I’m satisfied, since obf-coder have done a great job so far.
Totally mixed assemblies for copy/pasters.

Jari Kaija

I didn’t mean it’s useless for me or you, but for clients. Which browser will support webplayer?
I used it for tens of my projects but who wants to install plugin too?

I hope that the problems get resolved and in the mean time can we see that Google Chrome may one day use the web player again?

On the down side, the Web Player uses technology that’s over a decade old and was developed for Netscape. Of course, Netscape is gone and this NPAPI hasn’t been updated and will always be a security risk. On the up side, Web Player builds are much smaller than WebGL builds and take much less time to build. Plus, Google watches you sleep and sells your info to Big Brother, so I wouldn’t use Chrome anyways. Firefox is secure and private, and does support NPAPI safely, so switch to Firefox and everyone wins.

Web Player? Who needs it when we can’t use it? It really doesn’t make sense. Work on WebGL instead.

Well it’s only currently an issue in Chrome, anyone with sense would dual publish for the other browsers to get the extra performance, and as they are different teams, it would make no sense for the Web Player team to suddenly switch to WebGL, where their expertise would likely be low, and Unity has taken WebGL almost as far as they can without Chrome updating things on their end…

So… can I just say pointless comment.

Can’t use? Why?

Because the code isn’t obfuscated?

It wasn’t _really_ so hard to get one obfuscator maker to do a new version for Web versions for Unity 5. Just one email started it. He thought he would be ready within one week. (Next week). Most of the time goes to solving re-packing of the .unity3d file, but he had good news, that he will get it to work quite soon.

No one has been able to crack his obfuscator+cryptings to this day.

I will inform you, when the web obfuscator is ready to buy.

Mmmm. First version works fine :-)

Now the coder is implementing more crypting methods one by one as he is learning
structures by re-engineering asset & package formats.

Funny, that this kind of information (structures about assets etc.) is NOT as
public data from Unity, since it is already re-engineered ALMOST totally by coders anyway.
With a good explanation about structures, it would be much easier to create fully working
obfuscator & crypter & licensor FAST! Now most of the time goes to re-engineering.

It seems, that unity don’t take a s*it, that web versions are fully transparent
for everyone who wants to steal _FULLY READABLE AND UNDERSTANDABLE_ code
+ assets from games.

1) It would be much easier to obfuscate the assemblies BEFORE they get packaged into the .unity3d file in the first place. This way, the obfuscated assemblies can be ported to more platforms, too.

2) Web player is gonna be replaced by WebGL in matter of months, don’t waste your time on implementing an obfuscator just for this platform.

There are still a load of games out there that won’t work for various reasons in webGL and it’s overall a worse user experience than the webplayer (slower to download, much slower to start up). Long-term, sure, webGL is the way forward but *today* webplayer is better than the webGL export option.
