Security Flaw in Quake 3 Arena

ID software programmer Robert Duffy posted information today in his .plan about a possible security hole in their flagship product, Quake III Arena. The hole that could permit malicious server operators to "overwrite any file on a client system" can be fixed with a patch, version 1.17, also released today.


"This patch fixes a fairly serious security flaw in Quake 3 Arena. Internet Security Systems identified the flaw and notified us with reproduction details as well as an overview of the exploit," Duffy wrote in is .plan for May 4th.


According to him, "the basic nature of the exploit is that malicious server operators could overwrite any file on a client system." Such a hole could enable the server operators to install
so called 'trojan' computer viruses, that allow malicious users to have a backdoor into a users computer.

He also added that "This type of thing is always possible with DLL based mods" and that ID recommends that customers use VM based mods, "but with this exploit, it was possible [even] within the VM system."


An important note to users that upgrade, version 1.17 will not be compatible with older (less secure) version of Quake III Arena.