Particle.news

Steam Blocks Risky Launches as Microsoft Urges Uninstalls After Unity Patches High-Severity Engine Flaw

Developers must rebuild with patched Editors, with an alternative drop‑in runtime provided.

Overview

  • Unity’s CVE-2025-59489 (CVSS 8.4) stems from unsafe command-line and intent handling present since version 2017.1 across Android, Windows, macOS, and Linux.
  • Valve’s updated Steam Client now blocks launches that include vulnerable Unity debug parameters, and it directs publishers to submit updates using safe engine versions or patched runtime files.
  • Microsoft added Defender detection rules, advised users to temporarily uninstall impacted games, cited examples like Hearthstone and Fallout Shelter, and noted Xbox builds are not affected.
  • Research shows exploitation can be triggered via Android intents or unvalidated command-line parameters such as -xrsdk-pre-init-library, with elevated risk on Windows where custom URI handlers are registered; any code loaded this way runs with the game’s privileges.
  • Unity provides two remediation paths—rebuild with patched Editors or replace UnityPlayer runtime binaries—with a patcher tool available, though some Linux and tamper-protected builds are not covered; no in-the-wild exploitation has been reported.