Earlier this week, Newport, Calif.-based PivX Solutions issued an advisory warning of three high-risk buffer-overflow vulnerabilities it discovered in "Half-Life," a popular first-person-shooter game.
Although released several years ago, "Half-Life" has remained popular, due to variants based upon the game such as "Counter-Strike" and "Day of Defeat." It has more than 10 million players, according to online gaming sites.
The company said in a statement that these flaws make players' computers and the 30,000 servers that run the game susceptible to a denial-of-service attack. In such attacks, servers can be taken over by hackers so that they constantly send requests to other servers, making the targets so busy that they can't respond to legitimate requests. The vulnerabilities also allow "limitless and complete code execution by an attacker," PivX added.
"These bugs affect both clients and servers, so everyone that plays or serves 'Half-Life' is vulnerable," said Luigi Auriemma, a senior security researcher with the company.
PivX said it had alerted Valve, the Kirkland, Wash.-based developer of "Half-Life," about this issue in April. Valve responded by saying a patch was in the works, but it has failed to provide an update so far, PivX said.
"Due to the severity of these vulnerabilities, PivX waited much longer than the industry standard of 30 days for a patch to be created and distributed by the vendor," the company said in a statement. "However, after 100 days and no patch or fix from Valve, despite repeated inquiries, PivX has decided to (address) these vulnerabilities with our free fix."
PivX's "Preparation V" patch is currently available for download on the company's Web site.
This is not the first time that PivX has identified security holes in computer games. In November of last year, PivX also uncovered a denial-of-service vulnerability in the multiplayer GameSpy network. The network allows game players to find and connect to online game servers.
CNETAsia's Winston Chai reported from Singapore.