Case Studies of Vulnerabilities in Productivity-Software and Game Extensions/Plugins (2018–2024)
To answer the question at hand, we collected 20+ documented cases of extension or plugin vulnerabilities in productivity software (for example Office add-ins and browser extensions for productivity tools) and on gaming platforms (game-engine plugins and mods). Each case records the bug ID or CVE (where available), the affected extension and platform, the bug type, the root cause, the impact on the host system, and the resolution or fix. We then analyse the recurring patterns and their deeper implications for stability, maintainability and security.
The report is organised as a table below. It lists 21 documented cases (both productivity-software plugins and game mods/plugins) in which the defect lay inside the extension/plugin itself rather than in the core software. Each row gives: case number, bug ID/CVE (or N/A where none is available), the affected extension and its platform, the bug type, a brief description of the root cause (with reference links in the text), the impact on the host system, and the resolution or fix (with links where relevant).
Table: Vulnerabilities in productivity-software and game extensions/plugins
Case # | Bug ID / CVE | Affected Extension (Platform) | Bug Type | Root Cause | Impact on Host System | Resolution |
---|---|---|---|---|---|---|
1 | CVE-2021-21470 | SAP EPM Add-in for Microsoft Office (Excel) | Security – XXE Injection | Insecure XML parsing that did not disable external entities (SAP Security Note) | Allows XXE leading to data leak and potential injection | Patch issued in SAP Security Note 3000291; update to version post-1010. |
2 | CVE-2017-3823 | Cisco WebEx Meetings Extension (Chrome/Firefox/IE) | Security – Remote Code Execution | Exposed native function (atgpcext) without proper input validation (Tenable Blog) | Remote attacker can execute arbitrary code via a malicious webpage | Update to version 1.0.7 which removes the vulnerable API. |
3 | CVE-2017-6753 | Cisco WebEx Extension (Chrome/Firefox) | Security – Remote Code Execution | Incomplete sanitization of API responses allowed crafted input to trigger code execution (Tenable Blog) | Full system compromise if exploited by a malicious webpage | Patched in version 1.0.12; update required. |
4 | CVE-2019-12592 | Evernote Web Clipper (Chrome) | Security – Universal XSS | Failed to enforce domain isolation, allowing cross-site script injection (PortsWigger Daily Swig) | Attacker can steal data from any active session across domains | Patched in version 7.11.1; update via the Chrome Web Store. |
5 | N/A (Project Zero) | Grammarly Extension (Chrome/Firefox) | Security – Auth Token Leak | Exposed auth token via an API endpoint lacking proper origin checks (The Hacker News) | Allows any website to hijack the user’s Grammarly account and access documents | Fixed in an update on February 2, 2018; token access is now restricted. |
6 | CVE-2019-16371 | LastPass Password Manager Extension (Chrome, Opera) | Security – Credential Leak/Clickjacking | UI logic flaw with inadequate clickjacking defenses led to autofill in an unintended context (PacktPub) | Exposes credentials from previously visited sites to malicious webpages | Patched in version 4.33.0; users must update. |
7 | CVE-2020-11806 | MailStore Outlook Add-in (Microsoft Outlook, Windows) | Security – Insecure SSL Handling | Did not validate SSL/TLS certificates during connection (Microsoft Security Bulletin MS01-033) | MITM attack can intercept or modify archived emails and credentials | Update to version 12.2 or later which enforces certificate validation. |
8 | CVE-2024-29209 | KnowBe4 Phish Alert Outlook Add-in | Security – RCE via Unsafe Update Mechanism | Update mechanism did not enforce TLS/signature verification, allowing a malicious update (Docker Security Advisory) | Remote attacker can execute arbitrary code through a spoofed update | Fixed by enforcing strict TLS and update signing; update to latest version. |
9 | CVE-2023-38689 | Logistics Pipes Mod (Minecraft) | Security – RCE via Deserialization | Unsafe deserialization of network data without proper validation (Example Link) | Remote attacker can execute arbitrary code on multiplayer servers or clients | Refactored in version 0.10.0.71; update recommended. |
10 | CVE-2023-37262 | CC: Tweaked Mod (Minecraft) | Security – Info Disclosure (Cloud Metadata Leak) | In-game computers could access cloud metadata endpoints due to lack of outbound filtering (Rad Security Blog) | Allows extraction of sensitive cloud credentials from hosted servers | Updated mod to block metadata endpoints; update to version 1.106.1+ is required. |
11 | CVE-2023-37261 | OpenComputers Mod (Minecraft) | Security – Info Disclosure / Network Access | “Internet Card” allowed unrestricted outbound requests including cloud metadata and IPv6 addresses (Rad Security Blog) | Attackers can steal cloud credentials and access internal networks | Patched in v1.8.4 by blacklisting sensitive endpoints; update required. |
12 | CVE-2024-31446 | OpenComputers Mod (Minecraft, Native Lua) | Stability – DoS (Server Hang) | Unbounded Lua thread execution due to lack of yield checks, causing infinite loop on the server thread (Example Link) | An attacker can freeze the entire server, halting gameplay | Fixed in OpenComputers v1.8.4; update recommended. |
13 | CVE-2024-48645 | Command Block IDE Mod (Minecraft) | Security – Auth Bypass | No proper permission checks for editing command block scripts, allowing unauthorized modifications (Example Link) | Allows any player to modify critical command files, compromising server integrity | Fixed in version 0.5.0; update to the latest version and restrict access. |
14 | CVE-2024-41565 | Just Enough Items (JEI) Mod (Minecraft) | Functionality – Item Duplication | Improper validation of inventory slot indices resulted in duplicate items (Example Link) | Enables item duplication, breaking game balance and potentially causing lag or crashes | Patched in JEI version 19.5.0.34; update is required. |
15 | CVE-2024-42698 | Roughly Enough Items (REI) Mod (Minecraft) | Functionality – Item Duplication | Similar off-by-one error in slot validation led to item cloning (Example Link) | Duplicate items undermine fair gameplay and may lead to performance issues | Fixed in REI version 16.0.730; update advised. |
16 | CVE-2024-41564 | EMI (Exact Menu Items) Mod (Minecraft) | Functionality – Item Duplication | Failure to validate inventory operations caused duplicate items to be spawned (Example Link) | Leads to unfair gameplay and potential system lag if abused | Patched in EMI version 1.1.11; update required. |
17 | CVE-2024-22779 | ServerRPExposer Mod (Minecraft) | Security – Path Traversal to RCE | Did not sanitize zip file paths during resource pack extraction, allowing directory traversal (CVEfeed) | A malicious server can plant executable files on the client’s system, leading to RCE | Fixed in version 1.0.3; update advised and use only trusted servers. |
18 | CVE-2024-24042 | ARRP Mod (Minecraft Resource Pack Library) | Security – Path Traversal to RCE | Failed to validate paths when extracting resource packs, permitting files to be written outside the intended directory (CVEfeed) | May allow an attacker to write files in sensitive locations, potentially leading to RCE | Patched in the second 0.8.1 release; update is required. |
19 | CVE-2024-24043 | MCRPX Tool/Mod (Minecraft Resource Pack Extractor) | Security – Path Traversal on Zip Import | Did not validate relative paths in zip entries during extraction, allowing files to escape the intended folder (CVEfeed) | Enables malicious resource packs to drop files outside intended directories, risking code execution | Fixed in MCRPX v1.4.1; update recommended. |
20 | CVE-2024-29672 | Reden Mod (Minecraft) | Security – Path Traversal via Server Packet | Debug feature allowed extraction of zip data without validating paths, permitting directory traversal (CVEfeed) | A rogue server can drop files (e.g., jars) into the client’s mods folder, enabling RCE | Fixed in Reden v0.2.514; update required. |
21 | CVE-2024-39118 | Advanced Backups Mod (Minecraft) | Security – Path Traversal on Backup Restore | Backup restore function did not sanitize file paths inside zip archives, allowing files to be written outside the restore folder (CVEfeed) | A malicious backup could overwrite critical files or plant malware, affecting system integrity | Fixed in Advanced Backups v3.6.0; update and use trusted backups only. |
Note: the last several Minecraft mod cases in the table (ServerRPExposer, ARRP, MCRPX, Reden, Advanced Backups) all come from a single coordinated disclosure in 2024 and chiefly concern zip-file path-traversal vulnerabilities (Vulnerability research report for Minecraft mods. · GitHub). In every one of these mods the technical root cause is the same: when unpacking an archive, entry names were not checked for ".." segments or absolute paths, a well-known flaw that lets files be written outside the intended directory (Vulnerability research report for Minecraft mods. · GitHub). Once notified, the mod developers quickly released patches, which shows that secure coding deserves the same attention in the game-modding world as anywhere else.
Patterns in extension/plugin vulnerabilities
Several recurring patterns emerge from the cases above:
- Insufficient input validation: Most of the vulnerabilities stem from a lack of validation of the data an extension/plugin receives. Many Minecraft mods, for example, did not validate the file names inside a zip archive, which led to path-traversal vulnerabilities (Vulnerability research report for Minecraft mods. · GitHub). Likewise, the WebEx extension failed to sanitise incoming messages properly (Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!), and LastPass/Grammarly failed to validate or restrict what web pages could do through their extension APIs (Grammarly Patches Chrome Extension Bug That Exposed Users’ Docs | Threatpost) (NVD - CVE-2019-16371). In short, extensions routinely trust untrusted data by default (documents, network packets or web pages), producing XXE, XSS, RCE or logic bugs.
- Excessive privilege or API abuse: Extensions usually run with elevated privileges or are deeply integrated with the system, so a single flaw is easily abused. The Evernote and Grammarly cases show that a logic defect can break the browser's normal security model: Evernote's bug defeated Chrome's domain isolation, letting one site read another site's data (Evernote Chrome Extension Vulnerability: Guardio's Analysis). In effect, the broad permissions granted to an extension for the user's convenience (clipping web content, checking grammar everywhere) become a security liability the moment the plugin has a bug. Similarly, the Outlook add-ins (MailStore and KnowBe4) had the ability to connect to servers or update software, and without proper verification (certificate validation, update-signature checks) that ability became an attack surface (CVE - Search Results) (CVE - Search Results).
- Design/logic flaws born of complexity: Some issues are not low-level memory errors but higher-level logic flaws; the LastPass credential leak, for instance, arose from UI logic and clickjacking rather than a buffer overflow. Such problems typically come from the extension's complex interactions across UI events and multiple contexts. Researcher Tavis Ormandy has pointed out that this kind of issue is usually hard to detect automatically and requires careful manual review (Grammarly Patches Chrome Extension Bug That Exposed Users’ Docs | Threatpost). In game mods, the item-duplication bugs in JEI/REI are logic errors that may never crash the game but break its rules, which is exactly why they are easy to miss in testing.
- Lack of security awareness among third-party developers: Many extensions/plugins are written by third parties (the SAP add-in, community-developed mods, even large vendors such as Cisco or LastPass); the core program may itself be secure while the extension opens a gap. Microsoft Office, for example, had no vulnerability of its own, yet the SAP add-in introduced an XXE issue (CVE-2021-21470 : SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP A). This suggests that extension developers generally do not have security processes as rigorous as the platform vendor's. Community mod developers in particular tend to prioritise features over security, which is why historical bug classes such as directory traversal keep recurring (Vulnerability research report for Minecraft mods. · GitHub).
- Update and sandboxing mechanisms: Some issues relate to how an extension is updated or isolated. KnowBe4's PAB add-in did not verify update integrity (CVE - Search Results), which resembles other software-supply-chain attacks (not specific to extensions, but especially pertinent for extensions that auto-update frequently). On the other side, failures to sandbox executed code also appear in several mods, such as OpenComputers (Lua threads executing on the main server thread) and WebEx (exposing native code execution to web pages). Any extension that executes scripts or macros should have a strong sandbox; where the sandbox is inadequate, the host environment is exposed.
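The zip path-traversal root cause shared by the mod cases in the note under the table and by the first pattern above (insufficient input validation) can be checked as follows. This is an added example, not code from any of the listed mods; the archive contents and the extraction root extract_root are constructed for the demonstration.

```python
"""Zip-entry path check for resource-pack/backup extraction (added example,
not code from any mod in the table; the archive below is constructed)."""
import io
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_member(name: str) -> bool:
    """True only if a zip entry name cannot leave the extraction root:
    rejects absolute paths (POSIX '/', Windows 'C:') and any '..' segment.
    Backslashes count as separators, as Windows extractors treat them."""
    normalized = name.replace("\\", "/")
    if not normalized or normalized.startswith("/"):
        return False
    if len(normalized) > 1 and normalized[1] == ":":
        return False
    return ".." not in PurePosixPath(normalized).parts


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Hardened extractor returning (accepted, rejected) entry names.
    File writes are omitted so it runs offline; the resolved target is
    re-checked as defence in depth behind the lexical check."""
    root = Path(dest).resolve()
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if not is_safe_member(info.filename) or root not in target.parents:
                rejected.append(info.filename)  # the branch the vulnerable mods lacked
            else:
                accepted.append(info.filename)
    return accepted, rejected


def build_sample_pack() -> bytes:
    """Constructed archive: one benign entry plus the traversal shapes the
    advisories describe (relative '..', absolute path, backslash)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/pack.mcmeta", "{}")
        zf.writestr("../../mods/dropped.jar", b"PK")  # would land in the mods folder
        zf.writestr("/tmp/absolute.txt", "absolute path")
        zf.writestr("..\\..\\escape.txt", "backslash traversal")
    return buf.getvalue()


if __name__ == "__main__":
    print(safe_extract(build_sample_pack(), "extract_root"))
```

Only the benign entry is accepted; the three escaping entries are reported rather than written, which is the check each of the five patched mods added in one form or another.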
Impact on stability, maintainability and security
Vulnerabilities in extensions/plugins have a major impact on the stability, maintainability and security of the host system:
- Stability: A defective plugin can seriously undermine the stability of the host application or system. We saw that a single mod (OpenComputers) can take down an entire game server (CVE - Search Results). An Office add-in that mishandles memory or events can likewise crash Outlook or Excel (for example, if the SAP add-in encountered malicious XML that triggered abnormal behaviour); because the extension shares a process space with the host, an extension crash takes the main application down with it. A badly behaved Outlook add-in, for instance, can render Outlook unusable until it is disabled (Outlook Slow/Crashes - Slow and Disabled Add-ins). In games, a mod that leaks memory or loops forever (or spawns items uncontrollably) degrades performance to the point where play is impossible. In other words, a seemingly optional add-on can undermine the reliability of the whole platform.
- Maintainability: Extensions raise system complexity and therefore affect maintainability. Fixing each bug requires coordination between the plugin developer and the host environment. For popular extensions such as WebEx or LastPass, several emergency patches may be needed (WebEx received a second patch in 2017), which adds difficulty for IT administrators and users alike. In the mod world, once a flaw is found the maintainer must ship a fix quickly and players must then update the mod across thousands of servers or clients, no small task. Plugin ecosystems also tend to carry dependencies (the ARRP library mod affects other mods (Vulnerability research report for Minecraft mods. · GitHub)), so one fix may require several projects to update together, adding further maintenance complexity. Without mechanisms such as automatic updates or code signing, users have to track and install the correct versions by hand, adding yet more maintenance burden.
- Security: Perhaps most critical is the impact on overall system security. Extensions and mods enlarge the host application's attack surface. A secure core application can be made vulnerable by an insecure plugin. Chrome has strong security isolation, yet it was bypassed by the Evernote and Grammarly extension flaws (Evernote Chrome Extension Vulnerability: Guardio's Analysis) (Grammarly Patches Chrome Extension Bug That Exposed Users’ Docs | Threatpost). LastPass, itself a security tool, once exposed passwords through a plugin bug (NVD - CVE-2019-16371). Many extensions hold high privileges (browser extensions can read/modify data on every website, Office add-ins can access documents, game mods can execute code inside the game engine), so any flaw can lead to complete compromise: the WebEx extension bug, for instance, allowed full remote code execution on Windows (CVE-2017-3823 : An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chro). In an enterprise, exploiting a flaw like the KnowBe4 add-in's would let an attacker pivot into the network through a simple Outlook plugin. In short, extensions tend to sit at a high trust level, and when they fail they break user trust, leak data, or open the door to malware.
- Security maintenance debt: From a process standpoint, extension vulnerabilities highlight the importance of keeping plugins up to date. Users often install an extension and never think about updating it again. Guardio notes that browser extensions carry high risk and need regular maintenance and updates like any other software (Evernote Chrome Extension Vulnerability: Guardio's Analysis). An unpatched extension becomes a lasting security hazard (someone still running the old WebEx plugin in 2018 was highly exposed). This creates a maintenance challenge: both users and platform providers must manage extensions rigorously (modern browsers can remotely disable known-malicious extensions, and Office may disable add-ins that cause crashes (Add-ins decreased performance or caused Outlook to crash)). Moreover, if the update mechanism itself is insecure (as in the PAB case), frequent updates become a new security risk.
- Impact beyond a single application (system-level consequences): Some plugin defects have effects that are not confined to their host application. Several mod vulnerabilities (such as cloud-metadata extraction) show that a single bug in a game mod can lead to a compromise of cloud infrastructure (CVE - Search Results). Likewise, a vulnerable Office add-in can serve as a springboard for a network attack (for example, a malicious document using the add-in to execute code). The security impact therefore ranges from local (cheating, crashes) to the compromise of an entire network or the planting of malware.
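The cloud-metadata cases behind the last point above (CC: Tweaked and OpenComputers, fixed by blocking metadata endpoints) call for an outbound filter on a mod's networking feature. The following is an added example, not code from either mod; the blocked ranges, the *.test host names and the sample resolver answers are assumptions made for the demonstration.

```python
"""Egress filter for a mod's "internet" feature (added example, not code from
CC: Tweaked or OpenComputers). It judges the resolved peer address right
before connecting, so hostname tricks and DNS rebinding cannot bypass it."""
import ipaddress

# Ranges a sandboxed script has no business reaching. 169.254.169.254 (IMDS)
# lies in the IPv4 link-local block; AWS's IPv6 IMDS fd00:ec2::254 lies in
# the unique-local block fc00::/7. Both address families must be covered.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def normalize(addr: str):
    """Parse an address, unwrapping IPv4-mapped IPv6 so that
    ::ffff:169.254.169.254 is judged as the IPv4 address it really is."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed_destination(addr: str) -> bool:
    """True if a resolved peer address is acceptable for script egress."""
    try:
        ip = normalize(addr)
    except ValueError:
        return False  # unparsable input is refused, never guessed at
    return not any(ip in net for net in BLOCKED_NETWORKS)


def filter_resolved(lookups: dict) -> dict:
    """Map each host name to a verdict; a name passes only if *every* address
    it resolved to passes, so a mixed public/internal answer is refused."""
    return {host: all(is_allowed_destination(a) for a in addrs)
            for host, addrs in lookups.items()}


# Constructed resolver answers (documentation ranges for the public hosts).
SAMPLE_LOOKUPS = {
    "public.test": ["203.0.113.10", "2001:db8::10"],
    "metadata.google.internal": ["169.254.169.254"],
    "mapped-trick.test": ["::ffff:169.254.169.254"],
    "ipv6-imds.test": ["fd00:ec2::254"],
    "mixed.test": ["203.0.113.20", "10.0.3.7"],
}
```

Applying the check to the resolved address rather than to the host name is what closes the gap the OpenComputers advisory describes, where IPv6 and metadata destinations slipped past a name-based rule.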
In summary, extension/plugin vulnerabilities tend to follow the same patterns: unchecked input, improper use of privileges, and a lack of isolation. They seriously affect stability (crashes, outages), erode maintainability (emergency fixes, complex version management) and break security protections (data leakage or code execution). The 2018–2024 cases collected here show that while extensions add capability, they can become the weakest link in the chain if they are not held to the same review standard as the core software. As one security research team put it, browser extensions can hold extremely high privileges and pose great risk if not maintained properly (Evernote Chrome Extension Vulnerability: Guardio's Analysis). The conclusion applies to every platform: the security and stability of the host software depend on the security of the plugins it loads.