12-10-2010 @ 4:08PM
This article is technically misleading. No addon contains Flash, HTML, or any executable code other than LUA, and the LUA can only do what the WoW addon API says it can do, which is limited to safe behaviors. No addon can steal your account information or take over your computer, period. It might be possible for your addon *updater* to be Trojaned and/or execute malicious code, but an addon itself simply cannot carry a malicious payload because of the way the game is designed. There Is No Such Thing As A Virus Infected Addon. Systems administrator & network engineer 12+ years experience sez: keep on using Curse to update your addons 'cos it's just fine.
12-10-2010 @ 4:13PM
That's exactly what he's saying. Several updaters (The Curse client, for example) run flash ads in the client. The article is about updaters.
12-10-2010 @ 4:16PM
THIS
If your auto-updater is from a trusted source like Curse then you should be in the clear. The only way for the Curse auto updater to be compromised is if:
1) someone hacked curse and you happen to update to a bogus updater (Very Unlikely)
2) Your computer has some malware that specifically targets the curse updater (If so, you have bigger problems)
3) You install the Curse updater from an unscrupulous site. If you're only going to curse.com then this isn't an issue.
The same goes for WoWInterface, both sites go to great lengths to make sure there isn't any unsavory code on their site. I think this article does a disservice to those addon sites that have been nothing but reputable.
12-10-2010 @ 4:23PM
In regards to Flash ads, I can't imagine that Curse or WoWI would not go to the same extreme lengths they do with their addon repository to ensure the ad vendor is reputable.
12-10-2010 @ 4:40PM
I have been hacked (or more accurately, keylogged) twice by using the Curse Installer/Updater. There was a certain addon that after I used Curse to install it, I started getting hacked, even after I changed my password. I used Curse to uninstall it, and between that and buying myself an authenticator, I was all set.
My only guess is that while the Curse Client is fine, that addon had some sort of installation script that ran a keylogger. This was an addon I had read about from this website (tho I forget the name), and I heard stories of other ppl in the same boat as me.
Oh, and I'm an IT tech here as well, and I'm usually very cautious with my downloads. Short story: the author has a valid point. He RECOMMENDS using Curse.com, just not the client. Please do so.
12-10-2010 @ 4:47PM
I think I heard that the curse updater program has been compromised in the past (yes, someone hacked curse and did strange things to their program), which is perhaps why he's cautioning people. If it's happened before, it can happen again.
12-10-2010 @ 4:54PM
What happened was that there were fake sites masquerading as Curse that appeared at the top of Google sponsored result listings. The Curse client has _never_ been compromised. While I appreciate the assertions regarding Flash appearing in the client, what's to say that the very large Flash ad at the top of this very page isn't malicious? Does WoW Insider screen every single ad that they get? I seriously doubt it, because they likely use advertising companies that push ads, rather than screening every single one.
So, if we're all supposed to be terrified of Flash, then we should also stop visiting WoW Insider and 90% of websites out there?
12-10-2010 @ 4:57PM
Entirely agree.
Every time I read one of McCurley's articles I become less and less impressed with WoW Insider's choice in replacement for the previous author. This guy has no clue about legal issues or how legal systems ACTUALLY work, runs down random rabbit holes, and now thinks that an article about the nebulous threat of add-on clients is an appropriate topic for the LAWbringers column. Good Lord! He doesn't even back up his assertions with even the remotest proof that the flash boxes in clients are a real threat. He essentially just said "flash can contain viruses so all add-on clients are dangerous." Really? And all the flash ads on the clients' host sites are somehow less so?
McCurley really needs to go...
12-11-2010 @ 8:29AM
@fade2grey
a.) you speak as though you have a grasp over the law mccurley doesn't. judging by your egregious use of the english language, it must be foreign law...or perhaps some other general legal field i'm not familiar with. not only is your reasoning shallow and thoughtless, but you'd be fired from a firm or clerkship the moment you submitted anything resembling work like that. if it is foreign law, you are in no better place to judge. pot, meet kettle.
2.) with that segue out of the way, wtb spellchecker
Gamma.) if you'd like him to provide proof flashboxes provide viruses, it would be even less on topic and longer, i'm sure, than what he wrote here. it is actually a pretty big legal deal when you download a virus off of an automatic updater and violate the EULA. ignorance is no excuse for not following the law. mccurley is providing a likely necessary PSA, given the expansion will likely lead to more people downloading a ton of addons through various means. imho, kudos for giving the less addon-educated a heads up, mat! keep on truckin'!
12-10-2010 @ 6:01PM
I find it ironic that Curse would say theirs is safe, considering they are the ones who have infected a ton of people before.
The ADDONS it installs may be safe, but the FLASH ads it displays are not. Idiotic sales people seem to not screen anything they sell space to. Look at Google, 9/10 googling "WoW Armory" will result in a malware or phishing site as the sponsored result.
"Huh, these guys want to buy ad space? Ok!"
(Buyer places a Flash exploit ad with a keylogger in their ad.)
(Users of the Curse updater get the ad, and if they are not secured against Flash exploits or malware, are hit, and their computers are infected.)
So, either be lazy and not update your addons yourself, and hope that you are completely protected against malware, and one doesn't slip thru, or just take the few moments it takes to look up new versions when they are out.
12-10-2010 @ 6:05PM
Running 'flash adz' in the curse client is just as arbitrary as running them in a flippin web browser.
12-10-2010 @ 6:18PM
Hangk is absolutely, dead-on right about this one. Two words to the wise: "trusted source".
12-10-2010 @ 6:32PM
I think you should take heed of these comments, Matthew (and Adam, for that matter). This article is clearly written either from the perspective of someone with little technical acumen, or dumbed down to the point that the information provided is worthless at best, misleading at worst. There are numerous factual errors in the article, and it desperately needs to be fixed, or removed entirely.
>>>People can assume that addons are safe when they potentially aren't
Add-ons are never "unsafe" in the way this article implies. Your password, login details, etc., are never exposed via WoW's API. You cannot have your account 'hacked' by an addon, period.
>>>Some auto-updaters contain Flash ads or other HTML that could be running malicious malware or spyware aimed at grabbing your information.
So does every single web browser. Is your next article recommending that we stop using Firefox/Chrome/Opera/Safari/IE?
>>>new code could be downloaded and placed into your WoW directory
This makes no sense - there is *nothing* that LUA can do that can compromise your account.
>>>The solution to avoiding auto-updater issues is not merely to drop your auto-updater
>>>Manually installing addons can help a great deal in that sphere, and it's easier than you think.
So, remember, don't stop using your auto-updater, but stop using your auto-updater
>>>Curse has contacted us and let us know that their system is based on Microsoft technologies, making their addon updater safer.
This is a nonsensical statement from a technical perspective. Every program that runs on Windows uses "Microsoft technologies." You can't write a program without hooking into Windows APIs in some form or another. Do you mean the Curse client is written in C#? What does this have to do with being safer? Without context, this is meaningless buzzword dropping.
To end my rant, what does this have to do with legal issues? Why is this not classified under Addon Spotlight, or WoW Rookie? This article is shoehorned into Lawbringer for no discernible reason.
Ugh. Just ugh.
12-10-2010 @ 6:35PM
Hope to clear up a point or two for some people. Since the main discussion seems to be the curse client, allow me to address it. It uses flash ads; action script can contain some things you may prefer it did not. It is LIKELY that the ads are not directly sold via curse. It is more likely that an ad provider service sells the ad space so that Curse itself has less to do with the ads than you assume. A sales person for the ad provider gets others to purchase the ad space so the connection between Curse.com and the actual advertisement is a bit distant. So I could buy ad space for the client with a deceitful ad for something that links to an unpleasant website. Not necessarily Curse.com's fault but it can happen. Of course add-ons should only contain LUA and XML. Of course you should be aware that LUA can read and write to the file system and your add-ons do so regularly. LUA scripting may be a bit more capable than you realize (it can make modifications to the windows registry). That said I am not so familiar with the entire system that I know what can and can not be run via an add-on.
The bigger concern, as indicated in the article, is that an updater is going to put files directly into your programs file folder. You may never even see what it is. Of course when the updater runs most users are going to tell windows yes the updater can make changes.
12-10-2010 @ 8:36PM
Definitely using "Malicious Payload" for a guild name should I need one.
12-10-2010 @ 9:20PM
Addons are distributed in zip files which can contain any kind of file including executable code. There is no way to be hacked by an addon through the actual game, but a fake addon zip can certainly contain malicious code that will run outside of the game (thus avoiding any protection Blizzard would have).
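An added example, not part of the comment above and not code from Curse, WoWInterface or Blizzard: one way to check a downloaded addon archive before unpacking it. The extension allowlist beyond Lua and XML, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed allowlist: the thread only names Lua and XML; the manifest,
# docs, texture, font and sound extensions are an assumption.
ALLOWED_EXT = {".lua", ".xml", ".toc", ".txt", ".md",
               ".tga", ".blp", ".ttf", ".ogg", ".mp3"}
# Magic bytes of common native executables: PE/DOS ("MZ") and ELF.
EXEC_MAGIC = (b"MZ", b"\x7fELF")


def audit_addon_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for every suspicious archive entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            # Entries that would be written outside the AddOns folder.
            if path.is_absolute() or ".." in path.parts or ":" in name:
                findings.append((info.filename, "path escapes target folder"))
            if path.suffix.lower() not in ALLOWED_EXT:
                findings.append((info.filename, "unexpected file type"))
            # Read only the header so a renamed binary is still caught.
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(EXEC_MAGIC):
                findings.append((info.filename, "executable header"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a clean addon plus three bad entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyAddon/MyAddon.toc", "## Title: MyAddon\nCore.lua\n")
        zf.writestr("MyAddon/Core.lua", "print('hello')\n")
        zf.writestr("MyAddon/setup.exe", b"MZ\x90\x00 constructed stub")
        zf.writestr("MyAddon/Media/logo.tga", b"MZ\x90\x00 renamed stub")
        zf.writestr("../outside.lua", "-- constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_addon_zip(build_sample()):
        print(f"{reason}: {name}")
```

The archive is only listed and its headers read, never extracted, so nothing from it lands on disk during the check.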
12-13-2010 @ 8:22AM
@Darasen
"Of course add-ons should only contain LUA and XML. Of course you should be aware that LUA can read and write to the file system and your add-ons do so regularly. LUA scripting may be a bit more capable than you realize (it can make modifications to the windows registry). That said I am not so familiar with the entire system that I know what can and can not be ran via an add-on."
Incorrect.
Wow's implementation of Lua does not contain any file or networking functions or calls. Addons can't just freely read and write to your file system at all.
No, what they do is when they want something saved they get marked in a special place in code. The wow client does the saving for them at logout or when the UI is reloaded.
If they want to load something they just wait for a special event to fire and assume it's loaded after that.
Finally people don't usually have a Lua interpreter on their system by default. And there's nothing in the action you take to install an addon that can trigger the code inside even if you did have one installed.
12-13-2010 @ 8:33AM
@Thander
For "malicious" Lua code from an addon to run outside the client the victim would have to have a Lua interpreter installed & run the code despite looking at the code and seeing how malicious it is.
Wow addons run in a sandbox. They can not see your hard drive nor can they access the internet.
12-13-2010 @ 10:38AM
@Eudeyrn
I think by "Microsoft technologies" they are probably referring to Silverlight rather than C#. Silverlight essentially does exactly what Flash does, but is not as widely implemented so there are not as many exploits out there for it. That's not to say it's any more secure. The holes just haven't been found yet.