By Adrian Stone, Sr. Director, EA Product Security - Oct 29, 2020
Today, we released an updated version of the Origin client to address two high severity security vulnerabilities. Both issues were reported to us confidentially through our Product Security Vulnerability Submission Program. At no time was there evidence of either vulnerability being used against our customers. If you have already logged into the Origin client, you have likely already been offered the update. It can also be directly downloaded here. Two security advisories have been published with details on the vulnerabilities that were addressed by the update.
The first issue (EASEC-2020-002) was discovered by Xavier Danest of Decathlon and Tom Wilson of Nettitude. It is a local privilege escalation: a valid user with limited permissions could gain privileged-level access on computers that have Origin installed. To exploit this vulnerability, an attacker would first have needed to log in to the computer with a valid non-Administrator user account and then convince an administrative user to run an Origin application with elevated privileges. The administrative user would need to approve a UAC prompt to do this, so the issue requires both local access and user interaction by an administrator.
This release also resolves a second high severity issue in Origin (EASEC-2020-003), discovered by Ahmed El-Monairy. It is a cross-site scripting (XSS) vulnerability that could allow a remote attacker to execute arbitrary JavaScript in the Origin client's friend list. An attacker could use this vulnerability to access sensitive data or to control or monitor the targeted friend list member's Origin text chat window.
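To make the vulnerability class concrete, the following is an added illustration of how XSS arises in a client that renders friend-supplied strings as HTML, with the vulnerable pattern beside the hardened one. It is example code written for this page, not Origin's code, and it does not describe the actual EASEC-2020-003 defect: the friend records, field names (`name`, `status`) and the HTML template are hypothetical, and the payloads are constructed for the demonstration.

```javascript
// Added example (not Origin's code, not the actual EASEC-2020-003 defect).
// Hypothetical assumption: a chat client builds friend-list markup from
// friend-supplied strings (display name, status text) and hands it to
// innerHTML or an equivalent HTML sink.

// Constructed sample data: one benign friend and two whose display names
// carry payloads, one breaking into a new tag and one breaking out of an
// attribute value.
const sampleFriends = [
  { name: "alice", status: "online" },
  { name: '<img src=x onerror="alert(document.cookie)">', status: "away" },
  { name: 'bob" onmouseover="alert(document.cookie)', status: "busy" },
];

// Vulnerable pattern: untrusted text is concatenated straight into markup.
// Both the element text and the quoted attribute are injection points.
function renderFriendRowUnsafe(friend) {
  return `<li class="friend" title="${friend.status}">${friend.name}</li>`;
}

// Escaping for HTML text and double-quoted attribute contexts: the five
// characters that can change the meaning of the surrounding markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted value is escaped for the context it
// lands in, so a payload is displayed as text rather than parsed as markup.
function renderFriendRowSafe(friend) {
  return `<li class="friend" title="${escapeHtml(friend.status)}">${escapeHtml(friend.name)}</li>`;
}

function renderFriendList(friends, renderRow) {
  return `<ul class="friends">${friends.map(renderRow).join("")}</ul>`;
}

// Self-check: strip the fixed template scaffolding and see whether any raw
// markup characters remain. With correct escaping nothing attacker-supplied
// can survive as a live '<', '>' or '"'.
function rawMarkupLeaked(html) {
  const stripped = html
    .replace(/<ul class="friends">|<\/ul>/g, "")
    .replace(/<li class="friend" title="[^"]*">|<\/li>/g, "");
  return /[<>"]/.test(stripped);
}

function demo() {
  const unsafe = renderFriendList(sampleFriends, renderFriendRowUnsafe);
  const safe = renderFriendList(sampleFriends, renderFriendRowSafe);
  return {
    unsafeLeaks: rawMarkupLeaked(unsafe), // true: payloads become live markup
    safeLeaks: rawMarkupLeaked(safe),     // false: payloads are inert text
    unsafe,
    safe,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real client the same fix is usually expressed by avoiding the HTML sink altogether: assign friend-supplied strings with `textContent` and `setAttribute` instead of building `innerHTML`, and pair that with a Content Security Policy so that an escaping mistake in one template does not by itself turn into script execution.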
We want to thank the security research community for the vulnerability submissions and their positive interactions with us as we work together to protect players and the broader gaming community.