Originally posted by byuu
There are rumors across the Internet of a ROM that can break out from ZSNES and launch a program on the host computer.
Even more reason to use ZSNES! Just imagine how much more powerful your SMW ROM hacks could be if you harness the power of the host x86 PC! MSU1 can't hold a candle to having a quad-core i7 at your disposal.
We will release the ROM once ZSNES 1.52 is released.
So, in other words, never =(
(I kid, but only a little bit ...)
if it's released before that, it'll put all ZSNES users at risk.
Just noting that they're still completely at risk. It's possible black hats have already found this, or will seek this out now.
Infosec set deadline dates to motivate vendors to patch quicker. You should give them 2-4 weeks before releasing this.
And yes, I would say the same thing if this were my software that was exploited here.
Probably there's a lot of exploits on ZSNES so even if you stick to v1.52, it's still better to use an accurate emulator instead.
There are absolutely many more exploits like this to be found.
I do want to warn everyone though, other emulators aren't immune to this either.
We're better protected by nature of having cleaner, less dangerous code. But this sort of thing happens to all sandbox software (in a way, an emulator is a sandbox.) It would be foolish of me to act like bsnes is immune.
However, one thing I am working on with bsnes/higan, is to offer **optional** ROM signing. That would ensure this sort of thing wouldn't happen, if you were to stick to signers you trust.
It's currently unknown how many others have known of this exploit or if ROMs exist in the wild yet that make use of it.
I am 90% certain I saw one many years ago that called MessageBoxA. But unfortunately, it was so long ago, I have no idea how to go about finding it. It was probably pre-v1.51 too.
Can you make it FORMAT c:\ ?
Yes, you absolutely can. And much, much worse.
Despite how many people hate it, I'm not switching to Higan nor Snes9x.
Don't worry, pretty soon SMW hacks will silently replace your ZSNES with ZMZ, and you'll be none the wiser ;)
IT'S THE X PARASITES FROM METROID FUSION! START ZSNES'S PROPULSION SEQUENCE, SET ITS COURSE FOR THE TRASH BIN PERMA DELETE, AND GET THE HECK OUT OF ZSNES LABS!
Mod edit: Fixed BBCode a bit to make the post slightly less confusing.