How to use the CVE-2017-12939 and CVE-2019-9197 mitigation tool
The Unity Editor Mitigation Tool is a temporary workaround for the CVE-2017-12939 and CVE-2019-9197 security issues and should not be considered a complete or long-term fix for the identified vulnerabilities. The tool disables the vulnerable Unity Editor features, but because we cannot control whether the affected functionality is re-enabled at some point after the workaround is applied (reinstallations, etc.), we strongly recommend updating to a fixed version of the Unity Editor.
You will no longer be able to use the Open in Unity functionality in the web browser version of the Asset Store, shown below, after applying the workaround.
As part of your remediation plan, review and prepare for updating to one of the fixed versions of the Unity Editor as available at CVE-2017-12939 and CVE-2019-9197.
Using the Mitigation Tool
This tool will modify Windows to mitigate the identified vulnerability. The change is only related to the Unity Editor and will not affect any other software, including games made with Unity.
Note that reinstalling a vulnerable version of the Unity Editor will undo the changes applied by this tool, so you will have to execute it again to ensure a successful and persistent mitigation.
- Download the mitigation tool here.
- Save or Run directly.
- The tool will request user privilege elevation. If you have User Account Control (UAC) enabled (on by default in Windows), you should see the application request access for privilege elevation and the following prompt:
Otherwise, press No or Cancel to stop the execution and make sure you are downloading the tool from the Unity official site: https://unity.com/security/mitigation
- Once the execution has started, follow the prompts as shown below:
If you have already applied the mitigation, or for some reason your machine was not vulnerable, the following prompt will be shown:
Once the mitigation tool has finished, press the “OK” button and proceed to use the Unity Editor as you normally would.
This mitigation will remove the ability to open Asset Store assets from a web browser. To download these assets, you will have to navigate in the Asset Store window from within the Unity Editor.
To open the Asset Store window in the Unity Editor, click Window -> Asset Store in the menu bar, or use the keyboard shortcut Ctrl+9, as shown below:
Finally, we would like to remind you that the recommended action is to install the latest patched version of your Unity Editor (available at CVE-2017-12939 and CVE-2019-9197) to ensure you have the full functionality of the Editor and are protected through reinstalls.