Since it's not a virus, anti-virus doesn't flag it. Neither my anti-virus nor Windows Security. It is an exploit in a Java library used in some program - like 3DMark.
I see no way for anyone outside your computer to accomplish this feat. So 3DMark is not really vulnerable to this. If someone can modify files in 3DMark folders on your PC, he already is on your PC and doesn't really need this to do something nasty.
Frankly, the world is full of "low tier" vulnerabilities that are very theoretical and meaningful only in very specific circumstances where they usually allow you to bypass limitations of the permissions of your user account. 3DMark is generally run on a system where you have full access anyway, so this does not matter in practice. 3DMark runs on the permission level of your user account, so at best the attacker would get the same permissions he already has to pull off his attack (access to your PC to modify files in the 3DMark folder and start 3DMark).
And just to clarify: this vulnerability is not the fabled Log4J issue that everyone made noises about earlier - that is a different CVE. And 3DMark (or PCMark 10 or VRMark) are not vulnerable as they use an older log4j (prior to 2.0 that introduced the exploit) - and even then, the same issues for practical usefulness exist as 3DMark is not exactly a server that listens to the internet for random input.
Anyway, passed this on to the developers to look at after the holidays. If updating the logback library doesn't affect anything else, might be that they'll do it anyway. But this is frankly not a meaningful issue at this time.
If you understood ITSec you'd understand that the Log4J vulnerability is a huge problem for REMOTE services (i.e. a remote attacker can leverage it to bypass authentication and escalate their privileges to that of the service they are exploiting). A vulnerable file just sitting on your machine doing nothing is harmless.
In the case of 3DMark, you are not running this remotely nor are you offering up elements of it externally. If you were doing the latter, then that would be on you anyway as this wouldn't be regarded as a standard feature which is advertised or offered.
We will look into updating this piece in a future update just to make sure nobody is alarmed by a similar scan, but this really is not in any way an important issue.