Developer Mojang allows its hit sandbox game Minecraft to be modded by the community, and many of those modders allow their creations to be run on third-party servers. However, a recent flaw in the Java-based version of Minecraft has been exploited by one or more hackers and could be used as a way to run remote code on a Minecraft player’s PC.
The fan-run Minecraft Malware Prevention Alliance (via Tom’s Hardware) has posted about the threat of this exploit, which it has called “BleedingPipe”. Here’s its description:
BleedingPipe is an exploit being used in the wild allowing FULL remote code execution on clients and servers running popular Minecraft mods on 1.7.10/1.12.2 Forge (other versions could also be affected), alongside some other mods. Use of the BleedingPipe exploit has already been observed on unsuspecting servers. This is a vulnerability in mods using unsafe deserialization code, not in Forge itself.
The blog post lists the Minecraft mods that are known to be, or to have been, affected by BleedingPipe. It adds that, as of now, there is no word on the specific contents of the code used in the exploit, or on whether it was indeed used to exploit other clients.
If you are a Minecraft player and you only play on official, Mojang-supported Minecraft servers, you are fine. If you do play on unofficial third-party Minecraft servers, you should take the following actions, according to the blog post:
As a player, we recommend checking for suspicious files, doing an antivirus scan, and doing a scan on your .minecraft directory with something like jSus or jNeedle. Note that mod files are stored in a different directory when using a modded launcher such as Curseforge. These files can typically be accessed by right-clicking the modpack instance and clicking “Open Folder”.
If you are a third-party Minecraft server admin, the blog post recommends checking the server for any suspicious files, and either removing any mods that are known to have been hit or updating to versions of those mods that have fixed this exploit.
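Because the flaw sits in mods that use unsafe deserialization code, an admin reviewing a mods folder may want to know which jars touch Java's built-in object deserialization at all. The following triage script is an added example, not code from the blog post or from any of the scanners it names: it lists the classes in each jar that reference `java.io.ObjectInputStream`. The folder path and the `constructed_jar` sample helper are assumptions made for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

# Internal (slash-separated) class name as it appears in a .class constant pool.
MARKER = b"java/io/ObjectInputStream"


def classes_using_ois(jar_bytes):
    """Return sorted .class entries in a jar whose bytes reference ObjectInputStream."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.endswith(".class") and MARKER in jar.read(info):
                hits.append(info.filename)
    return sorted(hits)


def scan_mods(mods_dir):
    """Map each jar under mods_dir to the classes that reference ObjectInputStream."""
    report = {}
    for jar_path in sorted(Path(mods_dir).rglob("*.jar")):
        try:
            hits = classes_using_ois(jar_path.read_bytes())
        except (zipfile.BadZipFile, OSError) as exc:
            report[str(jar_path)] = ["<unreadable: %s>" % exc]  # surface, do not skip
            continue
        if hits:
            report[str(jar_path)] = hits
    return report


def constructed_jar(entries):
    """Build an in-memory jar from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for jar, classes in scan_mods(sys.argv[1] if len(sys.argv) > 1 else "mods").items():
        print(jar)
        for name in classes:
            print("   ", name)
```

A hit only means the mod contains deserialization code worth checking against the blog post's list of affected mods; it is not proof of a vulnerability or of compromise, and jars nested inside other jars are not opened.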