Please release a stand-alone version of the original WC3/TFT

Please don’t make it sound like it is either this OR an old version full of exploits.

Let’s clarify.
The old version had 1 reported and verified exploit.
The likely undiscovered ways don’t count towards real problems.
Is it known? Which part of the software does it affect? Is there a known mitigation? Ok let’s work on it…

Stop.
The outrageous product they tried to sell us, even with forced upgrades, is some kind of mobile style scam.
Omg my mobile is unsecure! Oh thanks there is an update. Oh… it occupies 99% of my memory and everything is so slow… Oh I’d better buy a new mobile.

Stop scamming people. A security issue can be solved without forcing a broken interface :wink:

8 Likes

And even the link you’ve given talks about version 1.24. People playing original are using versions 1.26 - 1.27 or 1.29 - 1.31. No exploits reported for these versions. None.

At this point, people like @Reforged2Gli and @DrSuperGood are being dishonest and using fear tactics to dissuade people from playing original, and to attempt one last ditch effort to excuse Blizzard’s immoral and illegal actions.

3 Likes

They cannot legally offer a version full of exploits. It would be like Microsoft still offering, and hence supporting, Windows 98. The really old versions do not even run properly on Windows 10.

Except unless you bought it, nothing was sold. I still play WC3 using my RoC key.

That you know of. There certainly was a lot of unsafe I/O going on as I discovered with my experiments into BLP.

The actions were illegal in what way?

That’s what they did for years no?

The forced upgrade is a matter of fact. In their intention, to be able to play WC3 you have to download Reforged. There is no other official choice.

I saw your post in that forum (that was a memory overflow due to reading from an image, right?), but that is not the way security issues are handled.
Any software could be potentially full of bugs or exploits. If years ago you thought you had discovered something, then in order to turn it into a proven vulnerability you had to submit a formal proof of a reproducible issue.
You didn’t publish what you found but you also don’t have the responsibility to do that. Instead, Blizzard has the responsibility to find it. As you also said, you can install Windows 98, or an older version of WC3, but then have fun with it…

Is there anywhere in the EULA something like “this software is distributed as it is, Blizzard is not responsible for any harm caused to your computer”?
If not, and your computer turns into a datamining bot, it is Blizzard’s fault.
The upgrade to Reforged forces you to completely change some of the assets in a way that could not be compatible with the primary use of the software itself.
This includes the 30 GB of useless data or the way the game checks what you are changing in the registry.

Let’s not confuse security with the animation in the campaign or the ladder.
Did you test the whole game?
Don’t think so. So potentially Reforged could be even worse than the original game. Difference is, we had 20 years to test WC3 having a community of thousands of players.
We have had this uninteresting stuff for 6 months.

It could also be the case that they spent 90% of the budget to create the most secure game ever. Problem is, if no one plays it, it can also be considered secure without spending anything^^

3 Likes

> The actions were illegal in what way?

Forcefully removing the game that we paid for, without warning or way to reverse the change, is legal? Surely not. Remasters should not be forced onto people, but given AS AN OPTION.

Blizzard did NOT provide an option to refund Warcraft 3 RoC and TfT either. They just provided this option to those who purchased Reforged.

In other words, they kept our money, but took the product from us. EULA never specified they are allowed to do this, nor would it make it legal even if it did.

4 Likes

They offered it with support, since if serious exploits were discovered or exposed they would throw people at the problem until it was solved. Like the type cast exploit allowing arbitrary code execution that they patched and gave us hashtable.

Offering, and hence selling, a version without support is another big legal minefield.

So? It is just an update. Most game companies do this. You might not own the DLC of Anno 1800 but it still forces you to download it all as if you did. Very few companies have taken the moral high ground with DLC, where the DLC itself is still a download and not just a licence check.

No, but they had a term stating that they reserve the right to revoke your licence, and hence ability to play the software, at any time. The same terms used to justify banning people.

Hence what they are doing is totally legal. Fair, maybe not so to people on older hardware, but still legal.

Pretty sure it was covered by the original ToU. Most paid software, especially multiplayer games, have terms allowing the owner to remove the right to play. Otherwise they would be sued every time they banned someone from online play.

Both those games were outside the period in which refunds made sense. You cannot refund paper towel after having used the whole roll, which matches how much many of the people played Warcraft III in the past.

They granted you use of the product for the entire legally obliged refund period. They also still grant you use of the product now. The fact you cannot or do not want to use the product is not their problem as they still give you the option and it is out of the legally required refund period anyway.

I have no issues running Warcraft III now. I still use my original RoC CD key to play. Hence they are not even denying you the ability to play the product. I do agree that multiplayer stability has been an ongoing problem but honestly that is the only major gripe I have with the recent versions of Warcraft III. Sure I miss the chaos space marine but custom map makers can always import the old model and fix it if they so choose.

I get from what you are saying that you consider them Lawfully Immoral.
That sounds like an old D&D alignment…^^

Honestly Reforged is the only Blizzard game in which I have seen a total lack of support besides the obvious refunding…

Not “old”, but “selected”, without any possibility to tweak the game according to the needs.
Something that you could easily do with WC3, even running on 128 MB…
Reforged is a brick. Nothing more than that.
They turned a piece of art into the most disrespectful casual game ever, pretending to resell it for 30 dollars.
They removed the pillar on which countless hours of community work relied.
I guess their main thought has been: “let’s give them some crap, they will change it into something great anyway”.
Problem is that this time they completely failed the customizability of the game.
Besides changing the graphical engine, there is nothing more that can be fixed by the community. So we are left with the bugs.
Even private ladders suffer from the player name discrepancy. Come on… player name discrepancy? Are we serious?

Maybe ye, that and all the rest they did is actually immoral…

Do you understand that a lot of versions of the DotA map only run on Patch 1.26 because they use arbitrary code execution exploits to take over the computer and add features missing from the Warcraft 3 game, and as a result they can never be updated to Patch 1.32 (Reforged)?

I don’t know who reports to that “CVE” page but they are obviously lacking information. Leandrotp user on Hive Workshop published in a thread in 2016ish about how he got the old arbitrary code execution exploit working on 1.26 that was meant to have been fixed in 2009 after Patch 1.24. It’s not even that hard to do. The first step in achieving the exploit is arbitrary type casting, which was the only thing “fixed” in Patches 1.23-1.26. In 2016, Leandrotp literally explained the technical details and then sent it off to Blizzard to fix it. The 2009 patches slammed custom maps and ruined a lot but they wanted to cut off the problem at its roots by removing the arbitrary type casting (such as casting integer to function pointer) instead of fixing deeper issues.

Leandrotp showed that Patch 1.26 still accidentally allowed for type casting using a simple combination of local and global variables that shared the same name. This isn’t even an unknown, you could literally go get the Patch 1.22 command prompt map (exploit PC takeover map) and update it to run on Patch 1.26, which Leandrotp said that he did, and I believe him because using his technical documentation I was able to get an old mod from 2005 called “The Tales of Raviganion” to play on Patch 1.28.

I’ve literally done it, basic type casting was still possible until 1.29. Leandrotp was advocating for building a virus into all maps that would automatically patch the game client of people who played it, then spread itself through all their maps to everyone new that they played with, until they achieved a distributed content distribution system on a community enforced patch via map sharing that would force update all of our Warcraft 3 clients with his fixes back when he did not know Blizzard was coming back. That madness was averted by the return of Classic Games team. However, there must have been some disagreement between Blizzard and Leandrotp, and so Blizzard dropped support for type-casting on 1.29 instead of only fixing what was suggested to them like they did back on 1.27, and so we lost support for mods like TToR and all the pre 2009 maps again. I don’t think support for those is ever coming back now. If it was, we would hear about it, probably.

You can tell me that I am being dishonest or using fear tactics but I think if anybody else looks into the details of this problem, they will find that I did not make this up:
https://www.hiveworkshop.com/threads/we-are-back-to-square-one-warcraft-iii-is-unsafe-again.276196/

@Reforged2Gli

> Do you understand that a lot of versions of the DotA map only run on Patch 1.26 because they use arbitrary code execution exploits to take over the computer and add features missing from the Warcraft 3 game

Cool story bruh. I can tell many stories too, pulled straight from where sun don’t shine :slight_smile:

If it was truly possible to distribute viruses through WC3 maps, it would have been done by now, and if this supposed “exploit” wasn’t fixed, infections through WC3 maps would be commonplace. Every other vulnerability in the Windows system or third-party software has been used by now (to the point of using MS Word macros for it), yet this hasn’t…

Simply said, there is no evidence of any of what you are claiming here, and thus, this is no more than dishonesty and fear tactics, just as stated before.
The Hive link you posted just features a guy rambling stories without any evidence, just like you are here.

In the 10+ years of playing WC3, I downloaded hundreds of maps from various sites, varying in degrees of shadiness, and never did I encounter such “exploits”. And neither did others, judging from lack of reports.

The only ones speaking about this, are fear-mongering ppl like you.

2 Likes

> Most paid software, especially multiplayer games, have terms allowing the owner to remove the right to play.

  1. This has to have a legitimate reason, i.e. player breaking ToS.
  2. Player in this case is getting money back anyways (game being refunded)

> Both those games were outside the period which refunds made sense.

Irrelevant. Blizzard cannot take the product away from the user without returning money paid for it.

> You cannot refund paper towel after having used the whole roll

Yes, but a more accurate analogy is this:
The store owner comes and takes away your paper towel before you used any of it. Before you even unpacked it. All without returning the money.

That’s illegal.

> They granted you use of the product for the entire legally obliged refund period.

A product is NOT granted for the “refund period”. A good is bought as a permanent license, i.e. for lifetime.

> They also still grant you use of the product now.

No, they do not. They replaced it with another product without the user’s consent, and without providing an option to get a refund.

Thus, I stand by my statement - this is illegal. Care to try more arguments?

3 Likes

The standard version of DotA still worked until January. So I guess someone updated it. It is not really “taking over the computer”, it is just about exploiting a “feature”. (Let’s call it a feature, since that seems to be the new Blizzard trend for what to call bugs.)

It is still the most reliable one you can get. If there is more to say, anyone is free to update it, giving a proof of what you can achieve.

I have read the post on hiveworkshop, there are lots of I can do this and I can do that. There is an email sent to Blizzard without a proper answer.
That is why you have an incomplete CVE.
Don’t get me wrong, I suppose that they probably can do that, but that is not the proper way to show it.

Now, from Frequently asked questions about Extras < D1Stats

Is everyone able to see them or just me?

Everyone will see the bonusses exactly the same way you see them.

How do I activate bonus models?

Just pick the hero with the model you want, it will always have new skin and effects as long as you use the ingame nickname the bonusses are connected to.

I lost all my bonuses, what happened?

Open very this site in your internet browser (Google Chrome/Firefox/Whatever). If you can not access D1Stats.ru , then the server is out and nobody have skins. Downtime is a very very rare thing, but still possible. Wait when the page returns online. Your goods are not lost, everything tracked, have no worries.

and Extra models, effects and stuff < D1Stats

Using models doesn’t require updating the map, so you’ll have your bonus skin as soon as possible! Just make sure that you can access this page you’re currently looking at (if access to this page is somehow blocked, the map can’t access it either).

So, am I wrong or are you just telling me that the game opens a connection for each player using that map to a third party “website” on an unsecure connection exchanging unknown data?
Or do they have their private version of battle.net?

Okay, sure, let’s all play 1.27 this weekend, and I’ll be the host. I like how you handle computer security, it sounds really well informed.

No evidence = my points confirmed.

No, no, don’t worry about evidence, I just want to play a custom game of Warcraft 3 Patch 1.27 with you where only I am the host – this weekend after I have some time to set up the custom map. You’re fine with that, aren’t you?

Amigo if they can instantiate a connection with an arbitrary remote address I would think twice before joining his game.

Anyway, the deleterious part now is:
they even messed up the download game folder, since you see like 20 maps with the same exact name, referring to 20 different files, without knowing what could have been injected in them^^
So, if you want to spread a virus, you are welcome^^

2 Likes

Yes, theories are interesting to discuss. But isn’t it strange that in 20 years, there haven’t been cases of ppl being injected with anything?

There’s definitely some catch there…

1 Like

It really depends on what you can do. One thing is deleting some maps, another is opening a shell with root privileges.
Also consider that in order to achieve the exploit you have to run WC3. I doubt that any important server is running WC3 now and then…^^
But I guess it is possible that things can be done. What I was trying to say is that what they used is not the correct way to prove something.
Even if you join his game and he shows you how you get hacked, then you and him claim that something is possible. How can you be trusted?
So, formal proof is the way.
Including code, examples and stuff.
Obviously you should send it to Blizzard first… if they are even interested…

Being banned does not entitle you to a refund. Never seen this happen and developers do not want it to happen as it could be exploited as a cheat all you want for free opportunity.

Within warranty and legally obliged refund period. Not like they even did that as Warcraft III still runs with just a RoC CD Key.

Yes but having played a game for well over 10 years counts as “used”. In the case of some of us, the shop we bought the game from no longer exists as it went bankrupt nearly a decade ago now due to changing economic times.

*Lifetime of the product. Yes legal stuff is fun :frowning:

They updated the product. It was not replaced. Same RoC key still works. Same custom maps still play (kind of). Even the graphics are mostly the same.

> Being banned does not entitle you to a refund.

I’d imagine it can depend on a situation, but fair enough.

> Warcraft III still runs with just a RoC CD Key.

It doesn’t. For months now. TfT Key still works, but RoC doesn’t.

> Yes but having played a game for well over 10 years counts as “used”

No, not really. Computer Software doesn’t get used up like physical stuff. Thus, even after 10, 20, 30 years it still would count as “not used at all” in the case of this paper towel analogy.

> In the case of some of us, the shop we bought the game from no longer exists […]

Me, and many others bought the game from Blizzard site. It was also possible to link your Physical CD Key to your Blizzard account.

The first case, at least, would make you able to get refunds as long as Blizzard itself exists. Not entirely sure about the second case tho.

> *Lifetime of the product.

Nope. When you buy a certain GOODS, you become the owner of that product. This applies to games as well (Though there is still some legal mumbo jumbo there).

Don’t get me wrong - you do not own the brand, or the distribution rights for that product/game, but you DO OWN the product/game copy, that you bought, itself. (Technically you could even bring the company to court for demanding you NOT to reverse-engineer the game. With good lawyers ofc).

Thus, it’s literal owner’s lifetime… And technically more, as it’s not like the company can take its product back upon initial owner’s demise.

This is contradictory to what other people have posted, who stated they are playing Warcraft III with just RoC bound to their BattleNet account.

Technically it does. This is why most game platforms have strict refund policies where a game can only be refunded within the first X hours of play and within Y days of purchase.

Otherwise fraudsters would buy the game, play it to completion and then demand a refund to effectively get the game for free. Given that some games only take 8 hours to complete this was a huge problem in the industry.

Refunds would be handled by the retailer. Which no longer exists for years and certainly is well outside of their 7 day or so refund policy.

You own a licence to play the product. However under the ToU the company might reserve the right to remove or revoke your licence to play the product at any time and for any reason. Generally they never invoke that aspect since it would be bad for their company image, but it can be used in defence when banning users.