Information about vulnerabilities in save data such as 'Fate / stay night' and 'Wizard's night' is registered in JVN.

'There are vulnerabilities in OS command injection in multiple game products provided by TYPE-MOON,' so we provide information related to vulnerabilities such as software used in Japan and countermeasure information. It was registered on November 5th in the vulnerability countermeasure information portal site 'JVN (Japan Vulnerability Notes)', which aims to contribute to information security measures.

JVN # 80144272: OS command injection vulnerabilities in multiple TYPE-MOON game products
http://jvn.jp/jp/JVN80144272/

This information is basically the same as the information originally published on the official website on September 2, 2015 as follows.

Regarding vulnerabilities related to save data of our game titles
http://www.typemoon.com/support/vulnerability150902.html

The target games are the following 4 titles.

・Fate / stay night (CD version, DVD version)

・Fate / hollow ataraxia

・Wizard's night

・Fate / stay night + hollow ataraxia (set version)

Since modification of save data is not prohibited in the above four game titles and can be reused, if the hidden executable file is copied together with the save data, this executable file will be executed by reading the save data. There is a possibility that it will happen.

Therefore, as a workaround, ' Do not read save data provided by an unreliable provider ' and 'Please do not divert save data of others ', and the patch that fixes this vulnerability Regarding the provision, 'It is difficult to solve this problem with a new patch, and the user can divert the save data at his own will or modify the save data by using a vulnerability not related to our game title. Unless it does not occur, we will not provide patches. '

In addition, 'Please note that we cannot respond to inquiries regarding reliable save data providers, whether this save data can be trusted, etc.'