Davidobot / BetterJoy

Allows the Nintendo Switch Pro Controller, Joycons and SNES controller to be used with CEMU, Citra, Dolphin, Yuzu and as generic XInput

[BUG] CRITICAL Security Update for ViGEmBus #1127

Open JeremyEastham opened 9 months ago

JeremyEastham commented 9 months ago

A Critical Security Update Has Been Released for ViGEmBus


Summary

ViGEmBus has lost the copyright to "ViGEm". The repository's owner has changed their name from ViGEm to Nefarius. ViGEmBus has reached end of life and a successor is being developed, but is currently unreleased. Right now, the drivers included with BetterJoy will work until the end of 2023. After that, Nefarius will lose access to vigem.org and the server that the ViGEmBus automatic updater pulls from. It is imperative that the drivers in this repository are updated to point to the new updater domain, or there will be a possibility of IP addresses being leaked or even possibly remote code execution vulnerabilities if a malicious payload is downloaded by the updater from the old domain.

What's Next?

At a minimum, the drivers in the .\BetterJoyForCemu\Drivers folder need to be updated. It is unclear if the latest release on the now-archived ViGEmBus repository is still vulnerable. Even if this is done, this will only take care of new users. Current users of BetterJoy either need to follow the instructions in the automatic updater prompt (which frankly don't appear super legitimate at first glance), or BetterJoy will need to edit the .ini file for the installed driver as shown below:

C:\Program Files\Nefarius Software Solutions\ViGEm Bus Driver\ViGEmBus_Updater.ini

- URL=https://updates.vigem.org/api/github/ViGEm/ViGEmBus/updates
+ URL=https://aiu.api.nefarius.systems/api/github/ViGEm/ViGEmBus/updates
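Review bot: the hunk swaps only the host of the `URL=` value and keeps the rest of the path (`/api/github/ViGEm/ViGEmBus/updates`) unchanged, so anyone applying it by hand should match the whole old line `URL=https://updates.vigem.org/api/github/ViGEm/ViGEmBus/updates` exactly rather than doing a loose substring replace, and should confirm the replacement URL against the updater prompt or Nefarius' own announcement before writing it, since whatever this key says is what the updater will download and run.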

This edit requires Administrator privileges and must be done by the end of 2023 to eliminate the security risks associated with the updater domain changing owners.

More Information

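An added example of the ini edit described in the comment above, written here and not taken from BetterJoy or from Nefarius: a PowerShell script that refuses to run unelevated, reads the current `URL=` value and only rewrites it when it is exactly the old vigem.org feed, backing the file up first. The ini path and both URLs are the ones quoted in the issue; the `-DryRun` switch and the `.bak` backup name are this script's own assumptions. An absent ini file (for example after installing a driver build that ships without the updater) is reported and treated as nothing to do.

```powershell
<#
  Added example, not BetterJoy's or Nefarius' own code.
  Audits the installed ViGEmBus updater feed and, from an elevated session,
  points it at the new domain quoted in the issue. Path and URLs come from
  the issue; -DryRun and the .bak backup are this script's assumptions.
#>
param([switch]$DryRun)

$IniPath = 'C:\Program Files\Nefarius Software Solutions\ViGEm Bus Driver\ViGEmBus_Updater.ini'
$OldUrl  = 'https://updates.vigem.org/api/github/ViGEm/ViGEmBus/updates'
$NewUrl  = 'https://aiu.api.nefarius.systems/api/github/ViGEm/ViGEmBus/updates'

# Writing under Program Files needs an elevated token; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# No ini means no updater to redirect (driver not installed, or a build without the updater).
if (-not (Test-Path -LiteralPath $IniPath)) {
    Write-Host "No updater ini found at $IniPath; nothing to patch."
    return
}

$lines   = Get-Content -LiteralPath $IniPath
$urlLine = $lines | Where-Object { $_ -match '^\s*URL\s*=' } | Select-Object -First 1
if (-not $urlLine) { throw "No URL= key in $IniPath; inspect the file manually." }

# Compare the whole value, not a substring, so an unexpected feed is never overwritten blindly.
$current = ($urlLine -split '=', 2)[1].Trim()
if ($current -eq $NewUrl) {
    Write-Host 'Updater already points at the Nefarius feed; nothing to do.'
    return
}
if ($current -ne $OldUrl) {
    throw "Unexpected updater URL '$current'; verify where this value came from before changing it."
}

$backup = "$IniPath.bak"
Write-Host "Old feed: $current"
Write-Host "New feed: $NewUrl"
if ($DryRun) {
    Write-Host "Dry run: would back up to $backup and rewrite the URL= line."
    return
}

# Keep a copy of the original, then rewrite only the URL= line(s).
Copy-Item -LiteralPath $IniPath -Destination $backup -Force
$patched = $lines | ForEach-Object {
    if ($_ -match '^\s*URL\s*=') { "URL=$NewUrl" } else { $_ }
}
Set-Content -LiteralPath $IniPath -Value $patched
Write-Host "Patched $IniPath (backup at $backup)."
```

Run it once with `-DryRun` from an elevated prompt to see what it would change, then without the switch to apply the edit; the exact-match check means it stops rather than guesses if the installed updater is already configured with some third value.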
JeremyEastham commented 8 months ago

Two days ago, the final release of ViGEmBus was posted on the archived repository here. The automatic updater has been completely removed in preparation for the end of life of the driver. It is unclear if the ini file edit described above still must be done prior to updating to the final version of the driver.

Action still must be taken by December 31, 2023 to avoid security vulnerabilities