Collaboration with External Security Researchers

By Adrian Stone, Sr. Director, EA Product Security

December 10, 2019

Today an updated version of the Origin client was released to address a previously discovered security vulnerability.  Under specific circumstances, the issue could have allowed a valid user with limited permissions to gain privileged-level access on computers that have Origin installed.

The update is already live within the Origin client, and it can also be downloaded directly here.  Throughout our investigation and development of the update, we did not see any evidence of the vulnerability being used.

This was originally reported to us through our Product Security Vulnerability Submission program. We wish to thank both Vasily Kravetz of AMonitoring and Matt Nelson of for working closely with us throughout our investigation and development of the fix in accordance with Coordinated Vulnerability Disclosure Practices.

We’ve published a Security Advisory with additional details on the vulnerability and a help article that describes the update in greater detail.

This is a very specific issue, and one that we’ve seen affecting other parts of the gaming industry.  As such, we thought it would be worth sharing some additional background on how it came to be.

With many of our PC players on Origin building gaming PCs and using high-end gaming laptops, the Origin client was built in a way that assumed all users would run as high-powered users, with users wanting full administrative control of their system at all times.  Since then, the industry standard has started to shift. More people, including some players, use their computer as a ‘limited’ standard user.  And a few will create accounts for other limited users to share a system with more than one person. This practice, called ‘least privilege’ in security circles, helps limit the security impact of potential security issues if they were to happen. Operating system vendors have recently begun to recognize this shift and have made changes in their operating system to account for the changing landscape.

If an attacker were to attempt to exploit this vulnerability, they would have needed to log in to the computer with a valid non-Administrator user account. They would then need to install a specially crafted program or execute code that modifies part of the software to obtain elevated access level.

The vast majority of our current Origin users already have Administrator-level access and are the only user account on the machine (the number of users without Administrator-level access is less than 5% of our total Origin user base). This makes using the vulnerability unlikely across most users as it would not result in any further access or privileges.

While the issue would have only been present for a small number of players with the Origin client installed, the safety and security of each user is very important to us, so we’re happy to have addressed this issue with today’s update with the introduction of Restricted Access Mode.  We are also committed to improving our approach to principles of least privilege for Origin and Restricted Access Mode in future versions based on the insights we’ve gained. Positive interactions like this between the security research community and game publishers are raising the security bar for everyone.