Unity Security


Unity Technologies is focused on making it easy for content creators to build and distribute their creative results. Because of this, we also know that security and trust are paramount here at Unity. This page discusses security information for our services and how to get hold of Unity’s security team.

Unity is PCI compliant, leveraging industry best practices and security tools to maintain a high level of security. This includes ongoing assessments, bug bounty programs, and continuing to grow our global security team (apply at https://careers.unity.com).

Protecting Our Customers’ Assets

When handling payment transactions, we do not store any card information. All transactions are sent through an external payment processor that handles the card information.

At Unity we understand that your game assets are critical to your business. That is why, when you put your trust in us to store or build your game, we take as many precautions as possible. From regular security testing of our services to making sure user assets are securely stored and separated, we take the protection of your assets very seriously.

Responsible Disclosure

Unity has adopted a Responsible Disclosure policy as part of our cooperation with internal and external security researchers and our bug bounty program. Unity may withhold information about an identified vulnerability for a reasonable period of time to ensure that all customers are given time to patch their systems. For the full scope and information on our bug bounty program, please contact security@unity3d.com.

Contacting Us

We are happy to hear from you. We try to make it easy: just send an email to support@unity3d.com and we will get back to you as soon as we can.

Reporting Security Issues and Bug Bounty

If you have found an issue, we would love to talk with you. Please email security@unity3d.com and we will send you information about our bug bounty program.

Security Updates and Patches

Editor

ID: UNITY-SEC-844
CVE ID: CVE-2017-12939
Type: Remote Code Execution
Discovered: 2017/08/13
Discovered By: Rio
Patch Availability: 2017/08/18
Affected Operating System: Windows
Affected Versions: All (Windows)
Severity: High

Patch Versions:

Please note: The Mac version is provided as a courtesy for team environments using both Windows and Mac. The Mac version is NOT affected by the identified vulnerability.

If a patch is not available for your version, please use the Mitigation Tool (All Versions).

Identified Vulnerability Details:

TBA (To Be Announced after Responsible Disclosure)

Remediation Steps:
  • Download and install the appropriate patch for your version of Unity.
  • If your version is not listed, use the Mitigation Tool.

References:

FAQ

What type of vulnerability was addressed in this update?

An input string validation issue was identified that could lead to remote code execution. As part of Unity’s responsible disclosure program, additional details will be released to the public after customers have had time to apply the updates.

What are the exact details of the threat?

We’re not in a position to share the full details yet, per our responsible disclosure program.

What platforms are affected?

Windows. Mac and Linux platforms are not affected by the identified vulnerability.

What versions of Unity are affected?

All versions of the Unity Editor running on Windows, regardless of the machine.

What versions are being patched?

We’ve released a patch for the following Unity versions: 5.3, 5.4, 5.5, 5.6, and 2017.1. The full details are listed on unity3d.com/security.

We will not be patching Unity 4.x, 5.0, 5.1, or 5.2.

Will my specific version be patched?

Unity will be releasing a single patch for each of the most current ‘dot-releases’ of Unity. For example, users running an older version of Unity 5.3 will need to update to the patched version, 5.3.8. There will be no patches for 5.3.7, 5.3.6, etc.

What about versions older than 5.3?

We are providing a workaround tool that disables the identified vulnerable Editor feature, which can be downloaded from unity3d.com/security. Please understand, though, that the workaround is not a patch and has limitations. The workaround will disable the Editor feature identified as vulnerable, but since we can’t control whether the affected functionality becomes re-enabled at some point after applying the workaround (system changes, reinstallations, etc.), we strongly recommend updating to the latest version of Unity to get the benefits of the full patch. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the workaround.

Does the workaround tool work for versions newer than 5.3? Can I use the workaround tool instead of patching?

The workaround tool can be used on all affected versions of Unity. Please understand, though, that the workaround is not a patch and has limitations: the workaround will disable the identified vulnerable Editor features, but since we can’t control whether the affected functionality becomes re-enabled at some point after applying the workaround (system changes, reinstallations, etc.), we strongly recommend updating to a patched version. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the workaround.

I run multiple versions of Unity, do I have to apply the workaround tool for all of them?

No. Running it once deactivates the identified vulnerable component across all of them. Keep in mind, though, that reinstalling or updating one of the versions may activate the component again. To be safe, re-run the workaround tool after any such change until all versions are up to date.

Can I just use the workaround and never move to a patched version?

The workaround will disable the Editor feature identified as vulnerable, but since we can’t control whether the affected functionality becomes re-enabled at some point after applying the workaround (system changes, reinstallations, etc.), we strongly recommend updating to a patched version. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the workaround.

I have a locked down older version of Unity 5.x.x. Will you produce a patch for the exact version of Unity that I’m using?

Our focus right now is on addressing the identified vulnerability in the most current version of each dot-release. We don’t have any details to share on patches for other versions at this time.

Will I need to rebuild asset bundles due to the update requirement?

It depends on the specific version of Unity that you are using. Most customers will be able to update to the patched versions without needing to rebuild their bundles, but some customers may find that asset importers have been updated between the version they’re currently using and the patch for that dot-release. For those customers, asset bundle rebuilding may be necessary.

You definitely won’t need to rebuild bundles if you’re currently using 5.3.8p1, 5.4.5p4, 5.5.4p2, 5.6.3f1, or 2017.1.0p3.

How do I know if I’ll need to rebuild my asset bundles?

You may need to rebuild your bundles if any assets are reimported when you first open your project in the patched version of Unity.