this post was submitted on 03 Oct 2025
64 points (100.0% liked)

Game Development

5030 readers
88 users here now

Welcome to the game development community! This is a place to talk about and post anything related to the field of game development.

Community Wiki

founded 2 years ago
MODERATORS
 

Unity has been sounding the alarm about a code execution vulnerability that has been identified in all applications built with a vulnerable editor.

While there's definitely no harm in patching, in my personal opinion, the situation is needlessly overblown. I have worked in offensive cybersecurity, and the fact that a Unity game allows you to locally run code that

would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.

is not really exploitable. Since the attack vector is local, the attacker already has to have read/write/execute access to the application and your system, which usually means you have way bigger problems.

Not to mention that since Unity suffers from a .dll injection vulnerability (which is what most mods are using), the attacker can do the same by simply replacing a .dll file of the game.

So, patch up if you can, but if you're not able or can't be bothered, in my opinion, it doesn't really matter. But please prove me wrong if I am.

[–] GammaGames@beehaw.org 11 points 9 hours ago* (last edited 9 hours ago) (5 children)

Apparently the biggest risk is that another malicious application could modify the intent URLs of the runtime to pass extra arguments to the command line and run arbitrary code whenever you start a Unity game. Apparently permissions could be escalated on Windows, but only if you registered the app as a custom URL scheme handler.

It’s an easy attack vector to drain crypto wallets!
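As an added example (not code from the thread, from Unity, or from any project it mentions), here is a defender-side audit of what a custom URL scheme handler registration looks like on Windows and which registrations let the contents of a URL become extra command-line arguments. The `HKEY_CLASSES_ROOT\<scheme>\shell\open\command` location and the `%1` substitution are standard Windows behaviour; the scheme names, paths and `.reg` export in the sample are constructed placeholders, and the unquoted-`%1` check is a generic hardening heuristic, not a description of the specific Unity issue.

```python
"""Audit exported URL-protocol handler registrations for command lines in which
the URL is substituted unquoted, so a URL containing spaces is split into
several arguments by the program that gets launched.

Windows stores custom URL scheme handlers under
HKEY_CLASSES_ROOT\\<scheme>\\shell\\open\\command; the key's (default) value is
the command line and %1 is replaced with the full URL when the scheme is opened.
This script parses the text of a `reg export` and flags handlers whose %1 is
not inside double quotes. Sample data below is constructed for the example.
"""
import re

# Constructed sample of an HKCR export fragment; the scheme names and paths are
# placeholders, not real registrations.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\examplegame]
@="URL:examplegame Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\examplegame\shell\open\command]
@="C:\\Games\\ExampleGame\\ExampleGame.exe %1"

[HKEY_CLASSES_ROOT\othergame]
@="URL:othergame Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\othergame\shell\open\command]
@="\"C:\\Games\\OtherGame\\OtherGame.exe\" \"%1\""

[HKEY_CLASSES_ROOT\launcherapp\shell\open\command]
@="\"C:\\Games\\LauncherApp\\Launcher.exe\" --url=%1"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path] section header
DEFAULT_RE = re.compile(r'^@="(.*)"$')      # @="..." is the key's (default) REG_SZ
COMMAND_SUFFIX = "\\shell\\open\\command"


def unescape_reg_string(raw):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (one pass, left to right)."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_protocol_commands(reg_text):
    """Return {scheme: command_line} for every HKCR\\<scheme>\\shell\\open\\command key."""
    commands = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = DEFAULT_RE.match(line)
        if value_match and current_key and current_key.lower().endswith(COMMAND_SUFFIX):
            parts = current_key.split("\\")
            # Exactly HKEY_CLASSES_ROOT \ <scheme> \ shell \ open \ command
            if len(parts) == 5 and parts[0].upper() == "HKEY_CLASSES_ROOT":
                commands[parts[1]] = unescape_reg_string(value_match.group(1))
    return commands


def placeholder_is_quoted(command):
    """True when every %1 in the command line sits inside a double-quoted span."""
    in_quotes = False
    for i, ch in enumerate(command):
        if ch == '"':
            in_quotes = not in_quotes
        elif command.startswith("%1", i) and not in_quotes:
            return False
    return True


def audit_handlers(reg_text):
    """Return a sorted list of (scheme, command, finding).

    finding is 'ok' when every %1 is quoted, 'unquoted-url-argument' when the URL
    would be substituted bare, and 'no-url-placeholder' when %1 is absent.
    """
    findings = []
    for scheme, command in sorted(parse_protocol_commands(reg_text).items()):
        if "%1" not in command:
            finding = "no-url-placeholder"
        elif placeholder_is_quoted(command):
            finding = "ok"
        else:
            finding = "unquoted-url-argument"
        findings.append((scheme, command, finding))
    return findings


if __name__ == "__main__":
    for scheme, command, finding in audit_handlers(SAMPLE_REG):
        print(f"{scheme:12} {finding:22} {command}")
```

On a real machine the input would come from `reg export HKCR handlers.reg` (decoded from UTF-16) instead of the constructed sample; a handler flagged `unquoted-url-argument` is one to quote, or to point at a launcher that validates the URL before acting on it.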

[–] SleeplessCityLights@programming.dev 4 points 2 hours ago (1 children)

I didn't want to take any risks, so I did the fix first thing in the morning and had QA doing tests all morning. Pushed the fixed build after lunch. The fix was really simple with a Unity-made tool. It was actually clear and understandable, unlike the messes Unity usually ships.

[–] GammaGames@beehaw.org 1 point 2 hours ago

LOL yeah, they took this seriously and handled it well
