Landed on my radar recently; thought I’d post it here.
This is a pretty big deal and should be patched, but it’s not the worst case scenario. The worst case scenario would be if an attacker could do this remotely through your game.
Basically, if someone has the ability to change the shortcut on an end machine to specify additional arguments, your game could be used to run malicious code on that machine under the guise of your game, making detection harder.
The benefit is that modifying a shortcut is not an easy thing to do without tricking the user, or using an already established remote control of the endpoint.
However, this is still a vulnerability and one that should have a minimal impact if it were patched. You should install this patch if you make games with Unity.
i_am_not_a_robot@discuss.tchncs.de 2 days ago
Some Unity games may be launched with a parameter that causes them to execute arbitrary code. It seems like it only makes sense on Android. Windows and Linux games can normally only be launched by a process with the same or greater privileges than the process being created, but on Android you can elevate privileges by invoking another app. In practical terms, another app can access the save data of your mobile games.
There was also something about games that register to be launchable directly from a webpage, which would allow web sites to escape the browser sandbox, but it didn’t sound likely.