Dear Friends at Epic,
I do hope I’ve made it clear through all my posts that all I care about is the absolute success of UE4.
So I am only bringing this to your attention as someone concerned for maximum success of UE4.
I was trying to get an OS file browser to show up from within UE4, and I ran across the System command.
I ran the command (from within my player controller class)
system("explorer C:\\");
And it worked!
A new Windows Explorer window popped up open to my c:\
I don't know much about System() myself, or how you have set up System() to work within the UE4 context, but I read this about System() online in this article:
In this example the author is illustrating how a simple program could be included with the main game install and then run from within UE4 to activate malicious software.
Begin Article
#include <stdio.h>
int main()
{
    printf( "Bwah, hah, hah, hah, hah!\n" );
    return 0;
}
Compile it and name the executable “notepad.exe” if you are on Windows.
The danger is that when you directly execute a program, it gets the same privileges as your program – meaning that if, for example, you are running as system administrator then the malicious program you just inadvertently executed is also running as system administrator. If that doesn’t scare you silly, check your pulse.
It doesn’t matter if you aren’t sysadmin either. Anything you can do it can do.
------------- Anti-Virus Programs Hate It (System()) -------------
The last thing is simply a matter of perception. If your users are running any sort of anti-virus, like ZoneAlarm, Norton, McAfee, etc. then they will get a very unpleasant message about your program trying to do something considered dangerous. Remember, the AV software doesn’t say what you are trying to do, only that it is trying to do something uncouth. Users treat such programs with suspicion.
End Article
#My Main Point
With the upcoming release of UE4 to the public while also allowing C++ access, the potential for someone to download the UDK version of UE4 with the sole purpose of running malicious software through System() could very much hurt the reputation of UE4.
The Scenario:
Someone designs a superficial game, and they package a malicious program with the game install.
Unsuspecting user installs the game, and the game runs System() on the malicious executable.
Because the innocent user chose to run the game install with system administrator privileges, one of two things happens:
- the malicious program runs and UE4 has been hijacked to abuse someone’s computer
- antivirus software deflects the attack, but now the end user is being told that the UE4 game is a virus, and will likely get mad at UE4 rather than the author who wrote the malicious software. This will hurt the UE4UDK.exe’s rating among antivirus programs, causing future downloads of the UDK to perhaps be inhibited for others.
#Removing The Ability to Call System() for UDK Users of UE4
I imagine that for companies who have true C++ access, you have some sort of legal agreement with them that makes them liable if they allow or inadvertently enable their game to support spreading of viruses / malicious software.
But for UDK UE4 users, I cannot see any reason to avoid disabling the use of System() to prevent people from hurting UE4 and Epic’s reputation.
Is there any reason to not disable the use of System()?
#Summary
Again I hope it is clear I am writing this out of my concern for Epic and UE4’s success,
and because the UE4 UDK will probably be the first time that non-contracted / legally bound entities will have the chance to write C++ in the Unreal Engine.
Please don't remove the C++ access!
I am absolutely loving coding directly in C++ for UE4.
But I felt it was my duty to bring this potential loophole to your attention if it was not already on your radar.
Rama
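An added example, not part of the post above, the article it quotes, or Unreal Engine's code: a pre-launch check that classifies a command line before it would reach `system()`, refusing bare names such as the post's `explorer` or the article's `notepad.exe` because the search order, not the caller, then decides which file runs. The allowed directory `C:\Windows\` and the names `check_command` and `launch_verdict` are assumptions for illustration; paths containing spaces or quotes are rejected rather than parsed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy for this example: only binaries under this directory may run. */
static const char ALLOWED_DIR[] = "C:\\Windows\\";

enum launch_verdict { LAUNCH_OK, REJECT_METACHAR, REJECT_UNQUALIFIED,
                      REJECT_TRAVERSAL, REJECT_OUTSIDE_ALLOWED };

/* Case-insensitive prefix test (Windows paths are not case sensitive). */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Classify a command line before it is handed to system(). */
enum launch_verdict check_command(const char *cmd) {
    /* system() passes the string to the command interpreter, where these
       characters chain, redirect or expand instead of staying plain text. */
    if (strpbrk(cmd, "&|<>^%\"\r\n"))
        return REJECT_METACHAR;
    /* The program is the first whitespace-delimited token. */
    size_t len = strcspn(cmd, " \t");
    /* Require the form X:\... ; a bare name is resolved by search order. */
    if (len < 4 || !isalpha((unsigned char)cmd[0]) ||
        cmd[1] != ':' || cmd[2] != '\\')
        return REJECT_UNQUALIFIED;
    /* ".." in the program path could climb out of the allowed directory. */
    for (size_t i = 0; i + 1 < len; i++)
        if (cmd[i] == '.' && cmd[i + 1] == '.')
            return REJECT_TRAVERSAL;
    /* The program must sit below the allowed directory. */
    if (len <= strlen(ALLOWED_DIR) || !has_prefix_ci(cmd, ALLOWED_DIR))
        return REJECT_OUTSIDE_ALLOWED;
    return LAUNCH_OK;
}

int main(void) {
    /* Constructed sample inputs; the first is the call from the post. */
    const char *samples[] = { "explorer C:\\", "notepad.exe",
                              "C:\\Windows\\explorer.exe C:\\" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", (int)check_command(samples[i]), samples[i]);
    return 0;
}
```

A check like this only narrows which program name is requested; it does not verify the file's contents or signature, and it does not change the privilege level the launched process inherits.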