Analysis

A bunch of Xbox first-party games have suddenly become unavailable on the Microsoft Store over the past few hours due to a security issue that's been discovered with the Unity engine. The "security vulnerability" stems back to 2017 and Unity has provided fixes that developers can implement, but Microsoft has removed a bunch of games, bundles and add-ons from the Xbox storefront until those fixes have been completed for each title. Fortunately, this security issue doesn't affect the Xbox console or Xbox Cloud Gaming versions of these titles, but some have nevertheless been delisted on the Microsoft Store across console and PC. "A security vulnerability was identified that affects games and applications built on Unity versions 2017.1 and later for Android, Windows, Linux, and macOS operating systems. There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. We have proactively provided fixes that address the vulnerability, and they are already available to all developers. The vulnerability was responsibly reported by the security researcher RyotaK, and we thank him for working with us." Here's the list of affected first-party Xbox games according to the Microsoft website: - Avowed Artbook - DOOM: Dark Ages Companion App - Fallout Shelter - Ghostwire Tokyo Prelude - Grounded 2 Artbook - Hearthstone - Knights and Bikes - Pillars of Eternity II: Deadfire - Starfield Companion App - The Bard's Tale Trilogy - The Elder Scrolls IV: Oblivion Remastered Companion App - The Elder Scrolls: Blades - The Elder Scrolls: Castles - Warcraft Rumble - Wasteland 3 - Wasteland Remastered Obsidian has also shared a slightly different list over on social media: "Our team is working on a fix and will restore these games as soon as possible. We will provide additional information once they are available again. We also encourage players who have already downloaded these games to update them as soon as a patch becomes available." • Grounded 2 Founders Edition • Grounded 2 Founders Pack • Avowed Premium Edition • Avowed Premium Edition Upgrade • Pillars of Eternity: Hero Edition • Pillars of Eternity: Definitive Edition • Pillars of Eternity II: Deadfire • Pillars of Eternity II: Deadfire Ultimate • Pentiment Meanwhile, some of the games that are no longer supported have been permanently delisted instead. Apps and games that are no longer actively supported by Microsoft will be removed from app stores to safeguard customers. If you are still using one of the following apps or games, we recommend you uninstall: - DOOM (2019) - DOOM II (2019) - Forza Customs - Gears POP! - Halo Recruit - Mighty Doom - The Elder Scrolls: Legends - Zoo Tycoon Friends Again, it should be stressed that the security vulnerability isn't said to affect console versions, but because of how the Microsoft Store works, the delisting for the likes of Pentiment and Wasteland 3 still applies on the console version of the store. There's a full FAQ about this situation over on the Microsoft website if you want to know more, and we'll leave you with some of the most important sections from it down below: Q: I am playing one of the impacted games on Xbox console, should I be worried? A: No. Console games and cloud gaming are not impacted. Q: How do I know if my game is impacted? A: You can review the above list for impacted Microsoft titles. If the game you are playing is not listed and you have installed all available security updates, no further action is required. The above list is only representative of first-party Microsoft games. Q: I am using an impacted game or app, what should I do? A: You should uninstall the impacted application until an update is available. Updates are being released regularly, you can check this page to see if the impacted application has been removed from the “Updates in Progress” list above or check for available updates on your device. We also encourage customers to subscribe to Security Update Guide notifications to be alerted of updates for impacted games/apps. This Advisory and the related CVE will be updated with new information as needed and will link to any future security updates released. Q: When will updates be available for the games and apps that have not been updated? A: Microsoft does not provide ETAs for security updates. Solutions to security issues are tested to ensure quality prior to release and will be published to the Microsoft Store once validation has been completed. Microsoft (MSFT) has proactively delisted numerous first-party Xbox games and applications from its digital store following the discovery of a security vulnerability in the Unity (U) engine. The flaw, which dates back to 2017 and affects Unity versions 2017.1 and later, has prompted this pre-emptive action despite there being no evidence of exploitation or direct impact on users. While the vulnerability does not affect Xbox console or cloud gaming versions, the integrated nature of the Microsoft Store has resulted in the temporary removal of titles such as 'Wasteland 3' and 'Pillars of Eternity II: Deadfire' across all platforms. For Microsoft, this represents a minor operational disruption and highlights software supply chain risk, requiring developer resources to implement patches provided by Unity. For Unity, the incident poses a greater reputational risk, as a vulnerability of this age originating from its engine forced a major partner to take public, albeit temporary, corrective action. The negative sentiment is more pronounced for Unity (-0.5) than for Microsoft (-0.3), reflecting that the core issue lies with the game engine's security integrity.