By Adrian Stone, Sr. Director, EA Product Security
July 22, 2020
Today, we released an updated version of the Origin client to address a high severity security vulnerability. Andres Blanco and Joel Noguera of Immunity Inc confidentially worked with us through our Product Security Vulnerability Submission Program to address the issues identified in their reports.
If you have already logged into the Origin client, you likely have already been offered the update. It can also be directly downloaded here. A Security Advisory has been published with details on the vulnerability that was addressed by the update.
The issue (CVE-2020-15524), which is now resolved, allowed a valid user with limited permissions to gain privileged-level access on computers that have Origin installed. At no time was there evidence of the vulnerability being used against our customers. To exploit this vulnerability, an attacker would first need to log in to the computer with a valid non-Administrator user account. They would then need to install a specially crafted program or execute code that modifies part of the software to obtain an elevated access level.
The team at Immunity also reported a second “Moderate” severity Information Disclosure issue (CVE-2020-13172), which does not require any action by customers and has been fixed. I also want to clarify that our policy is to release Security Advisories for Critical and High Severity vulnerabilities that require our customers to take action in order to address the issue. More information about how we classify security impact and severity can be found here.
We want to thank the security research community for the ongoing interactions, and are committed to continuing to work together to protect our players.