This topic has been locked
Tyjerr 7 Jul 2022, 4:32 PM
Steam should remove older Call of duty games from its store
Since their multiplayer is putting people at risk (google "Remote code execution call of duty" for more information)
Last edited by Tyjerr; 24 Aug 2022, 11:17 AM
Showing comments 31-45 of 45
Crashed 25 Aug 2022, 12:18 AM
Valve will only remove a game without the developer's permission if it violates their rules.
RiO 25 Aug 2022, 2:05 AM
Originally posted by legit:
Treyarch and Activision are well aware of the whole issue. There have been plenty of posts on twitter, reddit and their official sites, but nothing ever happened. Since they didn't bother fixing anything, steam should act to protect their customers, something needs to happen. I believe that the vast majority doesn't even know such exploits exist.

So, it's basically the Dark Souls RCE all over again:
Company is notified the problem exists. Doesn't do anything for years on end.
Knowingly puts users at risk for years on end.
And in DS's case: only got their rear in gear once an RCE was demo-ed live on stream to a substantially large audience that it had the momentum to go viral.

Many such cases, probably - that the public aren't aware of.




Originally posted by Dr.Shadowds 🐉:
Originally posted by Tyjerr:
1. But I've never said that steam was activision, steam is the one deciding what they sell on the store no? So why couldn't they remove it from the store?

1. They can remove any game, but they don't have to, nor listen to anyone demand/request, as well this would cause negative impact on partnership with the game Dev as well. Only reason a game get pushed off the Steam is if the game Dev was breaking ToS, or done something really dumb to get him/her self kicked off the platform.

The correct answer there is; it depends.
Laws are different in different places of the world.

In the member states of the EU the law is such that the trader - i.e. Steam in this particular example - bears responsibility for non-conformance with contract, and the law explicitly stipulates as objective requirements for conformance that software be safe and secure to use. There the trader is also legally responsible to ensure the consumer is supplied with updates, including security updates, which keep it that way. Basically; in the EU it's the trader's job to pressure their supplier - i.e. the game developer/publisher - to ensure a patch is produced to fix the problem. If not, then for something as serious as a remote code execution exploit, consumers might be within their rights to terminate the contract and be due a full refund. And in any case, the trader would be liable for any damages as well.

This hasn't been tested in a court of law yet though. Mainly because generally speaking, people won't sue over pennies in the EU. (Cultural difference with the US, I suppose?)
Also doesn't help that the legislation itself used to be a quagmire of vague interpretations, because digital content was something of an unspecified third-wheel. It wasn't really clarified that the above applies as it does, until revised legislation came into force Jan 2022. Some of the EU member states even dragged their feet on implementing it, well into the year. E.g. The Netherlands implemented it in June or July, iirc.

Either way; the theory of the thing says a trader knowingly continuing to sell such a product with a supplier knowingly not producing an update to resolve such RCE vulnerability, would be opening themselves up to some hurt. Especially if you start considering other legislation which makes it illegal to knowingly sell products that are unfit for purpose or harmful/dangerous.

At that point it becomes a corporate risk-reward game.


Originally posted by Dr.Shadowds 🐉:
Originally posted by Tyjerr:
2. I'm not sure if I understood this correctly, but you're saying that any games can get exploited the same way? That is not true, old Call of duty multiplayers allow for remote code execution, I've never heard of anything like that in another popular game sold on steam. But maybe there are a lot of games at risk like this, in which case the situation is worse than I thought. But then I would understand why you think that these Call of duty old games being on the store is not an issue.
2. Any game can be at risk, never said it be same method, or same risk. CoD isn't only games that had RCE issues, that why it's up to end user to keep their systems updated, using a good anti virus, and being vigilant what they do online, as most companies won't hold hands for others.

An anti-virus won't protect you against an RCE exploit in the general sense. RCEs can also execute arbitrary code from inside another process by using legit facilities that exist in those processes to execute downloaded code (e.g. 'hot patches'); to issue shell commands; etc. simply because the original programmer didn't secure those facilities correctly against use by unsanctioned third parties.

(Actually; this is probably the bulk of how RCEs work nowadays. Heap- or stack-corruption aiming to inject new code directly into the running process itself, have been made largely impossible or extremely difficult thanks to mitigations at both the OS and CPU level.)

An anti-virus may protect you against the actual payload of the RCE, if it's something it recognizes. But also that is uncertain. Take for instance an RCE that is used to issue a shell command that starts a remotely accessible Powershell session, using purely Windows' own executables.
Last edited by RiO; 25 Aug 2022, 2:12 AM
mixas 25 Aug 2022, 2:46 AM
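
A defender-side illustration of the point in RiO's post above, added here and not part of the thread: since signature scanning may not recognise a payload built from Windows' own executables, one complementary check is to flag shells or script hosts whose process ancestry includes a game client. The records use Sysmon process-creation field names; the game binary name, paths, GUIDs and watch list are constructed assumptions.

```python
import ntpath

# Windows-native shells and script hosts a game client has no routine reason to start.
# Assumed watch list for this example; extend it for your environment.
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
               "cscript.exe", "mshta.exe"}
# Hypothetical game binary name; replace with the executables you want to watch.
GAME_IMAGES = {"game_mp.exe"}


def _name(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def game_ancestor(event, by_guid):
    """Walk up the process tree and return the first game binary found, else None."""
    seen = set()
    cur = event
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])  # guards against malformed, cyclic records
        if _name(cur["ParentImage"]) in GAME_IMAGES:
            return cur["ParentImage"]
        cur = by_guid.get(cur["ParentProcessGuid"])
    return None


def flag_game_spawned_shells(events):
    """Return (ProcessGuid, Image, game ancestor) for shells descended from a game."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["Image"]) in SHELL_HOSTS:
            ancestor = game_ancestor(e, by_guid)
            if ancestor:
                hits.append((e["ProcessGuid"], _name(e["Image"]), _name(ancestor)))
    return hits


def _ev(guid, parent_guid, image, parent_image):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image}


# Constructed process-creation records (paths and GUIDs are made up).
GAME = r"C:\Games\Example\game_mp.exe"
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    _ev("g-200", "g-100", GAME, r"C:\Launcher\launcher.exe"),
    _ev("g-300", "g-200", SYS32 + "cmd.exe", GAME),
    _ev("g-400", "g-300", SYS32 + r"WindowsPowerShell\v1.0\powershell.exe", SYS32 + "cmd.exe"),
    _ev("g-500", "g-050", SYS32 + r"WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"),
    _ev("g-600", "g-200", r"C:\Games\Example\crash_reporter.exe", GAME),
]

if __name__ == "__main__":
    for hit in flag_game_spawned_shells(SAMPLE_EVENTS):
        print(hit)
```

Walking the whole ancestry rather than only the direct parent catches the game → cmd.exe → powershell.exe chain, while a PowerShell window the user opened from Explorer is left alone.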
Steam actually shouldn't remove any games, because some of the gamers want to experience the campaign, but I agree that multiplayer is a big risk.
Dr.Shadowds 🐉 25 Aug 2022, 6:36 AM
Originally posted by RiO:
Originally posted by Dr.Shadowds 🐉:

1. They can remove any game, but they don't have to, nor listen to anyone demand/request, as well this would cause negative impact on partnership with the game Dev as well. Only reason a game get pushed off the Steam is if the game Dev was breaking ToS, or done something really dumb to get him/her self kicked off the platform.

The correct answer there is; it depends.
Laws are different in different places of the world.

In the member states of the EU the law is such that the trader - i.e. Steam in this particular example - bears responsibility for non-conformance with contract, and the law explicitly stipulates as objective requirements for conformance that software be safe and secure to use. There the trader is also legally responsible to ensure the consumer is supplied with updates, including security updates, which keep it that way. Basically; in the EU it's the trader's job to pressure their supplier - i.e. the game developer/publisher - to ensure a patch is produced to fix the problem. If not, then for something as serious as a remote code execution exploit, consumers might be within their rights to terminate the contract and be due a full refund. And in any case, the trader would be liable for any damages as well.

This hasn't been tested in a court of law yet though. Mainly because generally speaking, people won't sue over pennies in the EU. (Cultural difference with the US, I suppose?)
Also doesn't help that the legislation itself used to be a quagmire of vague interpretations, because digital content was something of an unspecified third-wheel. It wasn't really clarified that the above applies as it does, until revised legislation came into force Jan 2022. Some of the EU member states even dragged their feet on implementing it, well into the year. E.g. The Netherlands implemented it in June or July, iirc.

Either way; the theory of the thing says a trader knowingly continuing to sell such a product with a supplier knowingly not producing an update to resolve such RCE vulnerability, would be opening themselves up to some hurt. Especially if you start considering other legislation which makes it illegal to knowingly sell products that are unfit for purpose or harmful/dangerous.

At that point it becomes a corporate risk-reward game.
This comes down to what could happen is put both game Dev/publisher, and platform/store into a nightmare loop as not only they have to ensure every day there no such exploits that harmful, but also drive cost to an all time high if have to keep security updates pumping at alerting rate just to stop risks from happening at all, always playing cat and mouse a never ending cycle, and only answer is drop sale / deactivate multiplayer function of said game for first moment a risk appear basically causing said game to get delist very quickly in favor of developing their next game, or wanting break from it, and not supporting their dropped games they no longer wish to keep updating.

Imagine having store with 30k+ games that had multiplayer only, and dropped to only few thousands, or several hundreds in favor of not doing a life time of updates, sound extreme but that sounds logical because people don't plan to give life time updates that isn't paying enough to keep the lights on. Not only that but people would be upset missing chances getting the game they want, or update they're losing access to multiplayer they paid for that the other problem, which also might lead to piracy just to play the game because Dev didn't want to update. Sound crazy but if that how life goes that a small chance how things might turn out. In some cases it might be good to push updates, but not good if it meant losing things you want to keep, or wanted to get.


Originally posted by RiO:
Originally posted by Dr.Shadowds 🐉:
2. Any game can be at risk, never said it be same method, or same risk. CoD isn't only games that had RCE issues, that why it's up to end user to keep their systems updated, using a good anti virus, and being vigilant what they do online, as most companies won't hold hands for others.

An anti-virus won't protect you against an RCE exploit in the general sense. RCEs can also execute arbitrary code from inside another process by using legit facilities that exist in those processes to execute downloaded code (e.g. 'hot patches'); to issue shell commands; etc. simply because the original programmer didn't secure those facilities correctly against use by unsanctioned third parties.

(Actually; this is probably the bulk of how RCEs work nowadays. Heap- or stack-corruption aiming to inject new code directly into the running process itself, have been made largely impossible or extremely difficult thanks to mitigations at both the OS and CPU level.)

An anti-virus may protect you against the actual payload of the RCE, if it's something it recognizes. But also that is uncertain. Take for instance an RCE that is used to issue a shell command that starts a remotely accessible Powershell session, using purely Windows' own executables.
You're not wrong it may protect you, but that best you're going to get, and there no way to predict when RCE could happen, or what game for that matter as it requires skilled people to figure out how to exploit games network functions to attack, a common exploit is sometimes often LAN method, or peer to peer giving direct route to target.

So in sense best can do to have some kind of protection is keeping OS up to date, Anti virus that can block calls, and other things, as well being aware what you're doing online. It's not foolproof by any means, as it's nearly impossible to do it, but at very least you got something.
FOXDUDE69 25 Aug 2022, 6:44 AM
I think Steam should make its own call of duty.
Moogal™ 25 Aug 2022, 6:46 AM
Originally posted by mixas:
Steam actually shouldn't remove any games, because some of the gamers want to experience the campaign, but I agree that multiplayer is a big risk.

Valve doesn't remove any games whatsoever unless they violate the TOS (or whatever it's called). Publishers however can remove their games as they see fit, whenever they want (I think).
Moogal™ 25 Aug 2022, 6:47 AM
Originally posted by Gädda 3000:
Originally posted by mixas:
Steam actually shouldn't remove any games, because some of the gamers want to experience the campaign, but I agree that multiplayer is a big risk.

Valve doesn't remove any games whatsoever unless they violate the TOS (or whatever it's called). Publishers however can remove their games as they see fit, whenever they want (I think).

Correction: games are NEVER completely removed (AFAIK). They are just delisted from the store. If you own them you can still download and play them.
Last edited by Moogal™; 25 Aug 2022, 6:48 AM
AROCK!!! 25 Aug 2022, 6:49 AM
Originally posted by FOXDUDE69:
I think Steam should make its own call of duty.
I think STEAM should concentrate on fixing and improving the forums and the UI.

I have several categories for my games.

I right click on the game, select "move to [insert category]". STEAM adds the game to the selected category, but does not remove it from the one I moved it out of, so I now have to right click the game and select "remove from"....seriously, what f-ing moron built that system?
Last edited by AROCK!!!; 25 Aug 2022, 6:54 AM
Dr.Shadowds 🐉 25 Aug 2022, 6:55 AM
Originally posted by FOXDUDE69:
I think Steam should make its own call of duty.
You mean counter strike? :mafia:
FOXDUDE69 25 Aug 2022, 6:56 AM
Originally posted by Dr.Shadowds 🐉:
Originally posted by FOXDUDE69:
I think Steam should make its own call of duty.
You mean counter strike? :mafia:
You think they play the same?
Dr.Shadowds 🐉 25 Aug 2022, 7:03 AM
Originally posted by FOXDUDE69:
Originally posted by Dr.Shadowds 🐉:
You mean counter strike? :mafia:
You think they play the same?
No, but if they rework movement adding sprint, drop their recoil to copy cod bad recoil logic, and add care package for kill streaks, then yes.

But I rather not use Cod recoil logic, where just pushes aim continuously upwards when shooting.
RiO 25 Aug 2022, 8:11 AM
Originally posted by Gädda 3000:
Originally posted by Gädda 3000:

Valve doesn't remove any games whatsoever unless they violate the TOS (or whatever it's called). Publishers however can remove their games as they see fit, whenever they want (I think).

Correction: games are NEVER completely removed (AFAIK). They are just delisted from the store. If you own them you can still download and play them.

No. Some actually are completely removed. But it happens exceptionally rarely.


Originally posted by Dr.Shadowds 🐉:
This comes down to what could happen is put both game Dev/publisher, and platform/store into a nightmare loop as not only they have to ensure every day there no such exploits that harmful, but also drive cost to an all time high if have to keep security updates pumping at alerting rate just to stop risks from happening at all, always playing cat and mouse a never ending cycle, and only answer is drop sale / deactivate multiplayer function of said game for first moment a risk appear basically causing said game to get delist very quickly in favor of developing their next game, or wanting break from it, and not supporting their dropped games they no longer wish to keep updating.

No. It doesn't mean a trader would have to keep 24/7 watch and have to pro-actively monitor.
For some high-profile multiplayer titles the supplier maybe actually would be doing that, in the category of active monitoring for anti-cheat; sniffing out any irregularities in network traffic -- but there's no onus on the trader to go that far.

The only thing a trader is responsible for under that legislation is to act responsibly when a consumer contacts them with information that the software product they are selling is known to have a vulnerability. I.e. the trader has to contact the supplier; sort out the details and verify the story; and if it's true, ensure a patch is made available by the supplier.

Where it becomes tricky is when it becomes known that the product is defective and dangerous. Because with security issues in software products it's not a case of a single one-off instance that is defective, as would be the case with physical goods. It puts at risk all consumers that bought the product. Basically; you're looking at the digital equivalent of e.g. a car manufacturer issuing a recall and replacement of a certain part in the suspension of car model XYZ, because it is prone to catastrophic breakage due to metal fatigue problems with certain production batches.


Originally posted by Dr.Shadowds 🐉:
Imagine having store with 30k+ games that had multiplayer only, and dropped to only few thousands, or several hundreds in favor of not doing a life time of updates
You're forgetting; stopping to sell the title only solves half the problem. You still have a lot of people that bought it, who are left with something that would violate contract. And for the most part, it's probably cheaper to patch an exploit, than it is to refund people their purchases where the applicable law says they're entitled to one.

But altogether the most likely solution we'd land on in the future, will be statements that explicitly limit the lifetime of security updates. Pretty much the same thing as happened with security updates for mobile devices in several EU member states, where there is now legislation which requires a minimum number of years of support for security updates that traders and suppliers must offer; and requires traders to mention at point of sale how many years a consumer is actually being offered by the supplier.

I.e. level of support becoming a selling feature.

...
And yes; I dread the scenario where that backfires on consumers into continued / extended support and updates being offered to them at a premium, like MS did with decommissioned versions of Windows for businesses. Because it would be so damn easy for developers / publishers to sell it as DLC.
(... I should really not be giving them ideas, should I?)
Last edited by RiO; 25 Aug 2022, 12:09 PM
Tyjerr 25 Aug 2022, 8:59 AM
Thanks for replying with constructive ideas and feedback guys, unlike some of the first replies here that didn't actually read my post and only came to pick on me and be aggressive. Love to see real discussions and arguments with grown-ups here
Tyjerr 25 Aug 2022, 9:01 AM
Originally posted by Satoru:
Note a game using peer to peer networking is not inherently more insecure. Stop spreading FUD because you read a 3 year old thread on Reddit for things that have already been fixed in BO2
I'm not spreading FUD, nothing has been fixed :)
FOXDUDE69 25 Aug 2022, 10:01 AM
Originally posted by Dr.Shadowds 🐉:
Originally posted by FOXDUDE69:
You think they play the same?
No, but if they rework movement adding sprint, drop their recoil to copy cod bad recoil logic, and add care package for kill streaks, then yes.

In other words, if you change almost everything about CSGO, then it's just like COD! :fgsmile:

Date posted: 7 Jul 2022, 4:32 PM
Replies: 46