A zero-day vulnerability has been disclosed in the popular Unity Web Player browser plugin. The flaw allows an attacker cross-domain access to websites and services using the victim's credentials. The vulnerability was made public after nearly six months of bug-report submissions from Finnish researcher Jouko Pynnonen to Unity went unanswered. Unity Technologies today acknowledged the bug reports and is working on a patch and improving its security response. Google’s decision in Chrome 42 to disable NPAPI, a 90s-era API that is notorious for crashes and poses some security concerns, mitigates this vulnerability to a large extent.
Source: https://threatpost.com/zero-day-disclosed-in-unity-web-player/113124/