Tencent · Tencent Gameloop · CVE-2021-33879
Name of the Vulnerable Software and Affected Versions:
Tencent GameLoop versions prior to 4.1.21.90
Description:
The issue allows a malicious attacker in a man-in-the-middle (MITM) position to spoof the contents of an XML document describing an update package. The attacker can replace the download URL with one pointing to an arbitrary Windows executable. Because the only integrity check compares the downloaded file's MD5 checksum with the one carried in that same XML document, an attacker who spoofs the document can also supply a checksum matching the replaced file; the check passes and the downloaded executable is then executed on the victim's machine.
Recommendations:
For versions prior to 4.1.21.90, update to version 4.1.21.90 or later to resolve the issue. As a temporary workaround, consider restricting access to the update mechanism to minimize the risk of exploitation. Avoid using insecure HTTP connections for downloading updates until the issue is resolved.
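As an added illustration (not code from the advisory or from Tencent), the following Go program models the flawed check described above, where the expected MD5 comes from the same unauthenticated XML as the download URL, beside a check that first verifies a publisher signature over the manifest. The manifest element names, URLs, payload bytes and key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)
// Manifest element names are assumed for this example; the advisory does not give GameLoop's schema.
type Manifest struct {
	URL string `xml:"url"`
	MD5 string `xml:"md5"`
}

// buildManifest is what the update server, or a MITM rewriting the response, serves for payload.
func buildManifest(url string, payload []byte) []byte {
	sum := md5.Sum(payload)
	out, _ := xml.Marshal(Manifest{URL: url, MD5: hex.EncodeToString(sum[:])})
	return out
}

// weakVerify mirrors the flawed check: the expected MD5 comes from the same unauthenticated
// manifest as the URL, so whoever rewrites the manifest in transit also chooses the checksum.
func weakVerify(manifestXML, payload []byte) (bool, error) {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return false, err
	}
	sum := md5.Sum(payload)
	return hex.EncodeToString(sum[:]) == m.MD5, nil
}

// signedVerify accepts the manifest only if a publisher key shipped with the client signed it;
// the hash check then binds the payload to a manifest a MITM could not have altered.
func signedVerify(pub ed25519.PublicKey, manifestXML, sig, payload []byte) (bool, error) {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return false, fmt.Errorf("manifest signature invalid: refusing update")
	}
	return weakVerify(manifestXML, payload)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)                                 // publisher key pair (demo)
	genuine, rogue := []byte("genuine installer"), []byte("rogue installer") // constructed payloads
	manifest := buildManifest("https://updates.example/gameloop.exe", genuine)
	sig := ed25519.Sign(priv, manifest)
	spoofed := buildManifest("https://mitm.example/payload.exe", rogue) // manifest rewritten in transit
	weakOK, _ := weakVerify(spoofed, rogue)
	signedOK, err := signedVerify(pub, spoofed, sig, rogue)
	fmt.Println("weak check accepts spoofed update:", weakOK, "| signed check:", signedOK, err)
}
```

Note that signing the manifest protects its contents end to end even when the download itself still travels over HTTP; it does not, on its own, replace TLS for the update channel.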