Capcom Rolls Back Latest Street Fighter V PC Update Following Severe Security Issue

    Last night, Capcom released a big new update for Street Fighter V. Also added, not contained in the main patch notes, was a "client-side security update" that aimed to serve as an anti-crack solution for the game.

    The problem here is that this update added in a method of accessing a user's system at the kernel level. The update put "Capcom.sys" inside the System32 folder. Users discovered a few things about this file and what it does.
    1. The driver first registers itself using a pseudo-randomly generated name. That's kind of suspicious. It also doesn't specify any security, so any user at any privilege level can attempt to open and control the device. That's bad.
    2. It sets up custom handlers for opening the device object, closing the device object, and performing ioctls on the device object. This is pretty normal, although a driver that didn't set up basic security when creating its device should perform security checks when opening the device. This driver does not.
    3. The ioctl handler is where everything "interesting" happens. It checks for control codes 0xAA012044 and 0xAA013044, does some buffer size checks, disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions.

    This means that the update created a backdoor which could allow someone with malicious intent to run code at the kernel level. In short: This is a very, very bad security loophole that Capcom added in this update.

    It took about a day, but Capcom has decided to roll back this update. It is unknown whether or not rolling back this update will also remove the Capcom.sys file from System32. If it does not, you will have to manually remove it. You may need to reboot or boot into safe mode in order to remove it. Be very careful when doing this as it is unwise to just go messing around in the System32 folder.
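
As an added example (not part of the original post and not Capcom's own tooling), this read-only PowerShell audit checks whether the file described above is still on disk and whether it is loaded as a kernel driver. It assumes the file kept the name Capcom.sys and that the script runs in a 64-bit, elevated PowerShell session.

```powershell
# Added example: read-only audit, nothing is stopped or deleted.
# Assumption: the file is still named Capcom.sys. Run from 64-bit PowerShell,
# because a 32-bit process is redirected from System32 to SysWOW64.
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Copies on disk, with hash and signer so they can be recorded before removal.
$files = Get-ChildItem -Path $sys32 -Filter 'Capcom.sys' -Recurse -File -Force `
             -ErrorAction SilentlyContinue
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status
        Written   = $f.LastWriteTime
    }
}
$report | Format-List

# 2. Kernel driver services whose image path points at the file.
#    The post says the driver registers under a pseudo-random name,
#    so match on the image path rather than on any name.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*\Capcom.sys' }
$drivers | Format-List Name, State, StartMode, PathName

# 3. Summary: a loaded driver keeps the file locked, which is why the post
#    mentions a reboot or safe mode before manual removal.
if ($drivers | Where-Object State -eq 'Running') {
    Write-Warning 'Capcom.sys is loaded; stop the driver or reboot before removing the file.'
} elseif ($files) {
    Write-Warning 'Capcom.sys is on disk but not loaded; it can be removed from an elevated prompt.'
} else {
    Write-Output 'No Capcom.sys found under System32.'
}
```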