angmarets 7 Aug, 2019 @ 3:16am
Steam Windows Client Local Privilege Escalation 0day
So, any official valve response on this?
https://amonitoring.ru/article/steamclient-0day/
Showing 16-30 of 168 comments
Xaelath 7 Aug, 2019 @ 11:32pm
Originally posted by brian9824:
Lol at people who read these and have no clue about computer security. If someone already has access to your computer in order to implement these changes then you have FAARRR bigger worries than them using a potential exploit of steam code to do something.

There are a million far worse things they have already done.
Similar to Intel security shenanigans.

Way too many ♥♥♥♥♥♥♥♥ about it, yet there's no trace of it being hacked aside from just "Oh, it's just another security issue being exploited from hardware", but this time it's software.
madsen 7 Aug, 2019 @ 11:37pm
Originally posted by brian9824:
Lol at people who read these and have no clue about computer security. If someone already has access to your computer in order to implement these changes then you have FAARRR bigger worries than them using a potential exploit of steam code to do something.

There are a million far worse things they have already done.

Local EoP is pretty much the worst non-remote exploit you can find—it's literally "owning the box"—so I don't really understand what "far worse things" you're talking about.

Steam enables this EoP and they refuse to acknowledge it; that tells me that they're not particularly serious about security—at least not as long as it only affects their users.
Tharon 8 Aug, 2019 @ 2:42am
Originally posted by Satoru:
Note it's not a privilege escalation.

In order to do this supposed escalation, you need to already be an admin to edit the registry to do that. Functionally thus, you have to already own the entire system to do this 'exploit'.

Steam already has administrator privileges, even if the user doesn't. And this is granted by Steam to all Steam games by a service Steam installs in the system.

So a malicious update to a game can use Steam's privileges to install anything in the system, even if the user doesn't have administration privileges.
Dr.Shadowds 🐉 8 Aug, 2019 @ 2:51am
Originally posted by Tharon:
So a malicious update to a game can use Steam's privileges to install anything in the system, even if the user doesn't have administration privileges.
That can happen anytime, and not just on Steam either. Someone with malicious intent can do an update to the game on any of the game platforms and you wouldn't know it.
Tharon 8 Aug, 2019 @ 3:42am
Originally posted by Dr.Shadowds 🐉:
Originally posted by Tharon:
So a malicious update to a game can use Steam's privileges to install anything in the system, even if the user doesn't have administration privileges.
That can happen anytime, and not just on Steam either. Someone with malicious intent can do an update to the game on any of the game platforms and you wouldn't know it.

No, because the games don't have admin privileges. So if a game tries to do something malicious (writing to the registry, or to some protected area) the system will block it and/or notify you.

As reported, the Steam service gives each game administrator privileges, so they can do what they want without being blocked or raising an alert. This is done in order to avoid asking for administration rights each time a game is installed, but it's really a security hole.

But you are right about platforms: other clients (GOG Galaxy and Origin) install a service in the system for the same purpose, so they suffer from the same security hole. But GOG and Origin are both curated stores; Steam isn't. So a malicious update to a game can always slip by unnoticed.

In my opinion the only solution is an option (but these days companies hate to give options) to enable or disable this behaviour.
Cathulhu 8 Aug, 2019 @ 4:10am
A game not being curated does not mean it is not checked for strange behavior.
Tharon 8 Aug, 2019 @ 4:32am
Originally posted by Cathulhu:
A game not being curated does not mean it is not checked for strange behavior.

Steam games are checked only before they are published. Updates aren't checked.

This is GREAT for both developers and users, because an update goes live as soon as possible, but at the same time this means that updates can't be checked by Valve.

Having unchecked updates from third parties with automatic administration privileges is a security hole that can be exploited.
Last edited by Tharon; 8 Aug, 2019 @ 4:33am
The_Driver 8 Aug, 2019 @ 4:40am
Originally posted by Cathulhu:
A game not being curated does not mean it is not checked for strange behavior.
Checked by whom? And when?

I mean, there are games on steam that have their own updaters, their updates wouldn't be checked by valve.

Also games aren't exactly known for their security aspects, there's quite a few examples of (network) inputs not being vetted enough ( https://www.unrealengine.com/en-US/blog/epic-games-enlists-revuln-to-augment-security-efforts lists the authors/company of a May 2013 publication about certain such exploits being hired by epic after their discoveries)... I doubt valve checks all games sufficiently for buffer overflows and so on (not that they could or should, it's just the reality of complex software) that lead to (un-privileged at first) arbitrary code execution and could be used before the EoP.
Tharon 8 Aug, 2019 @ 4:48am
Originally posted by The_Driver:

Also games aren't exactly known for their security aspects, there's quite a few examples of (network) inputs not being vetted enough ( https://www.unrealengine.com/en-US/blog/epic-games-enlists-revuln-to-augment-security-efforts lists the authors/company of a May 2013 publication about certain such exploits being hired by epic after their discoveries)... I doubt valve checks all games sufficiently for buffer overflows and so on (not that they could or should, it's just the reality of complex software) that lead to (un-privileged at first) arbitrary code execution and could be used before the EoP.

Wait.... Game vulnerabilities are the responsibility of the developers, not Valve.

But if Steam's distribution method has vulnerabilities or security holes, then this is Valve's responsibility.
Last edited by Tharon; 8 Aug, 2019 @ 4:52am
The_Driver 8 Aug, 2019 @ 4:52am
Originally posted by Tharon:
Wait.... Game vulnerabilities are the responsibility of the developers, not Valve.

But if Steam's distribution method has vulnerabilities or security holes, then this is Valve's responsibility.
Sure they're not.

But claiming games are checked for strange behavior when they're allowed to load their own data from elsewhere is kind of a ... how do I put it nicely... limited scope?
Tharon 8 Aug, 2019 @ 4:53am
Originally posted by The_Driver:
Originally posted by Tharon:
Wait.... Game vulnerabilities are the responsibility of the developers, not Valve.

But if Steam's distribution method has vulnerabilities or security holes, then this is Valve's responsibility.
Sure they're not.

But claiming games are checked for strange behavior when they're allowed to load their own data from elsewhere is kind of a ... how do I put it nicely... limited scope?

Agreed.
madsen 8 Aug, 2019 @ 4:56am
Originally posted by Satoru:
Note it's not a privilege escalation.

In order to do this supposed escalation, you need to already be an admin to edit the registry to do that. Functionally thus, you have to already own the entire system to do this 'exploit'.

That is demonstrably false. There are examples/PoC presented here: https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/
Dr.Shadowds 🐉 8 Aug, 2019 @ 5:17am
Originally posted by Tharon:
Originally posted by Dr.Shadowds 🐉:
That can happen anytime, and not just on Steam either. Someone with malicious intent can do an update to the game on any of the game platforms and you wouldn't know it.

No, because the games don't have admin privileges. So if a game tries to do something malicious (writing to the registry, or to some protected area) the system will block it and/or notify you.

As reported, the Steam service gives each game administrator privileges, so they can do what they want without being blocked or raising an alert. This is done in order to avoid asking for administration rights each time a game is installed, but it's really a security hole.

But you are right about platforms: other clients (GOG Galaxy and Origin) install a service in the system for the same purpose, so they suffer from the same security hole. But GOG and Origin are both curated stores; Steam isn't. So a malicious update to a game can always slip by unnoticed.

In my opinion the only solution is an option (but these days companies hate to give options) to enable or disable this behaviour.
There are other ways to exploit security features on the OSes, and this varies for everyone: it can be by an older version of VLC, or whatever software, could be by an older version of your OS; pretty much a lot of things can be used in a loop, not just Steam alone. When it comes to local issues they don't raise a huge enough threat when compared to over the network, where you can be attacked at any moment from anywhere, the world attack vs your local home attack. Not saying it's not a threat, but the scale between them is worlds apart; also not saying Steam shouldn't be looking into it either, just to be clear. Being curated doesn't exempt it from happening either. Also like I said, it can happen anytime with these updates on any platform, doesn't even need this exploit to infect your system with a virus, etc. Everything is based on trust on all these platforms, and in hope someone wouldn't have real malicious intentions to ruin people's systems, but the only thing there has been as of late for over 10 years has been ransomware, or hidden bitcoin miners, which is pretty rare either way on these game platforms.
Last edited by Dr.Shadowds 🐉; 8 Aug, 2019 @ 5:22am
Start_Running 8 Aug, 2019 @ 5:30am
Maybe I'm misunderstanding the prob but the issue is that an application run through steam (like a game) can use steam to write to registry files that it shouldn't be able to...

If that is the case I can see why it's low prio. If someone already has their malicious software on your system...that is able to call the steam client to do this.... then, well they're literally already running on your system so they can already do their sneaky tricks without the registry tweaking.

Translation: any malicious person exploiting this already has high-level access to your pc and resources...so they wouldn't need to do this.


And as for a game.. yeah it would take a monumentally stupid developer to pull such a stunt.
Brian9824 8 Aug, 2019 @ 5:40am
Originally posted by Start_Running:
Maybe I'm misunderstanding the prob but the issue is that an application run through steam (like a game) can use steam to write to registry files that it shouldn't be able to...

If that is the case I can see why it's low prio. If someone already has their malicious software on your system...that is able to call the steam client to do this.... then, well they're literally already running on your system so they can already do their sneaky tricks without the registry tweaking.

Translation: any malicious person exploiting this already has high-level access to your pc and resources...so they wouldn't need to do this.


And as for a game.. yeah it would take a monumentally stupid developer to pull such a stunt.

Yep, it requires your system to already be infected.

Now if a game developer did it, then it would be very short lived and those involved would be going to jail. Not to mention that there are other ways those same devs can already run a variety of things on your computer.
Date Posted: 7 Aug, 2019 @ 3:16am
Replies: 168