Almost twenty years after being created, Counter-Strike has received a patch update for 1.6. CS 1.6 has received infrequent updates since the release of CSGO, since 2013 there has been on average less than one update per year.
It seems odd to bring a patch update to such an old game, especially with CSGO being the front runner for the franchise, but many players still actively play this game. Still, what is a patch like this for if not to fix an obvious bug that could potentially render the game unplayable? Despite the patch notes not saying this specifically, there was in fact a security issue that needed to be addressed. It's theorised that a lot of the other updates that came with it were ready to go, but there was no reason to push it live until now.
Here are the patch notes for this latest update to CS 1.6.
CS 1.6 Patch Update
What Was The Real Reason For This Update?
It has been reported on the HLTV forums that there was an exploit in 1.6, where the malicious server owner made players connected to that server install a trojan to make a botnet.
A developer with an alias of Belonard created malicious servers, that when connected to by a Counter-Strike 1.6 client, would infect the player with the Belonard Trojan.To do this, the Belonard botnet utilized pre-infected clients or remote command execution vulnerabilities in clean clients, which allowed them to install the Trojan simply by a player visiting a malicious server. As the Counter-Strike 1.6 game client is no longer supported, all players of this game are potential victims of this botnet.
Here are some patch notes that were found on the alliedmods forum discussing the recent 1.6 update:
- Fixed buffer overflow when reading the overviews files (BMP);
- Fixed buffer overflow when reading texture files (WAD);
- Fixed buffer overflow when reading the svc_sendextrainfo message;
- Fixed buffer overflow when reading sequence files;
- Fixed buffer overflow when reading some map parameters (BSP);
- Removed the execution of console commands in the svc_director message;
- Added validity check of console commands from DEM files;
- Removed ability to execute console commands via redirect message;
- Removed ability to upload any file to the client, including the DLL that would be loaded by the game;
- The messagemode command has been added to the stufftext filter to eliminate the possibility of filter bypass
Changes and Additions
For public consumption, here's the patch notes that were posted to the steam community page:
- Prevent texgamma and lightgamma and brightness cvars from affecting lighting in multiplayer
- Added support for player avatars in scoreboard for lower display resolutions
- Added scoreboard cvar to show shortened, simple headers for columns: scoreboard_shortheaders, set to 0/1 to disable/enable
- Added scoreboard cvar to enable/disable showing avatars: scoreboard_showavatars, set to 0/1 to disable/enable
- Added new server cvar, mp_infinite_ammo, set to 0 to disable, 1 for infinite ammo in guns, 2 for infinite reload ammo
- Added money and health columns to scoreboard and player/server cvars to control their display
- Player cvars are: scoreboard_showhealth and scoreboard_showmoney, can be set to 0/1 to disable/enable the column from showing
- Server cvars are: mp_scoreboard_showhealth and mp_scoreboard_showmoney, they can be set to the following values:Value
|0||Disable showing health/money altogether|
|1||Show Terrorist health/money to all teams|
|2||Show CT health/money to all teams|
|3 (default||Show CT health/money to teammates only and Terrorist health/money to teammates only|
|4||Show health/money for all players to all other players|
|5||Show CT and T health/money to teammates and to spectators|
- Fixed shotgun shell reload delay when holding +attack while magazine is empty
- Fixed non-translucent crosshair being slightly off-center
- Fixed UMP45 +attack being canceled when +attack2 is pressed
- Fixed setting monitor refresh rates through -freq when used with -nofbo
- Fixed unnecessary texture rescaling with NPOT textures
- Fixed slist command, will now show servers on the local network
- Fixed progress bar for individual files in resource download always showing at 100%
- Added auto-saving of several cvars (HL #2237)
- Fixed missing localizations in spectator UI
- Reordered columns in server browser to prevent game descriptions from being used to fake server player count
- Fixed sv_cheats being settable by players in a multiplayer game (sv_cheats is now controlled by the server)
- Security fixes to console commands
- Security fixes to resource loading
Written ByChris Trout@TheTrout91