Following the discovery of a security issue in the Unity Web Player plugin that can allow an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services (thanks to researcher Jouko Pynnonen for pointing this out) we’ve been working hard to get the issue fixed.

With Jouko’s help, we’ve identified all codepaths leading to these vulnerabilities and have developed fixes. Tests for the fixes are going well and we’re working hard to make sure everything is right. We’re looking to be ready to go for Monday afternoon (Central European Time).

We’ll keep you posted on developments if there are any during the weekend.

UPDATE (6/8/2015): 4.6.6f2 update is now live and addresses the security issues. 5.0.3f2 is currently in the final phases of testing and will be released Tuesday. Additionally at that time, the Web Player client will be automatically updated when a user tries to load any Unity Web Player content.

UPDATE (6/9/2015): Both 4.6.6f2 and 5.0.3f2 are now live to address the Web Player security issues. These patches are meant for developers building games for the Web Player with Unity. For end users, the Web Player client will now automatically be updated to the fixed version when a user tries to load Web Player content of any kind. This update is seamless and behind the scenes without any further input needed from users. For those that are interested in downloading the newest version of the Web Player on their own, they can do so by visiting https://unity3d.com/webplayer.