Discussion in 'Frontpage news' started by Arctucas, Aug 8, 2019.
Well, there is something to think about.
But it seems that affects the Windows version of the client.
Not my case, I'm done with Windows.
Maybe if there are enough people complaining they will start to think about fixing it, because that's how it works for Steam.
The Steam service is doing stupid things. It's not the fault of Windows, unless you want to blame them for allowing bad behavior. There's no good reason games or Steam need admin rights in the first place, besides installing pre-reqs, which it should prompt for only when necessary.
It's not a serious issue.
Let's see: I don't blame anyone, I was just stating that the Steam client has a vulnerability that manifests in a Windows environment, giving administration rights to start other services.
The small detail: during the demonstration of the vulnerability, UAC wasn't triggered. Windows should trigger UAC when a registry key is edited or modified, or did I just forget how this works?
As for me, not using Windows, it doesn't affect me.
Moreover, there is no 100% secure system, just levels of trust/security and paranoia.
As for a solution, well, Steam can easily release a patch and call it a day.
UAC shouldn't be triggered at all when user registry subkeys are modified.
A standard user cannot modify system-level registry keys at all with an unelevated regedit, and no, it will not prompt you to restart that way.
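A defender-side check for the point above, added here as an example and not code from the thread: a PowerShell script that lists service registry keys under HKLM which grant write rights to standard-user principals (a standard user should have none). It assumes an English-locale Windows for the group names and an elevated prompt so every key's ACL can be read.

```powershell
# Added example (not from the thread): report HKLM service keys writable by
# non-admin principals. Assumes English-locale group names and an elevated shell.
$principals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$rr = [System.Security.AccessControl.RegistryRights]
# Any of these rights lets a caller change the key's values or add subkeys.
$writeMask = $rr::SetValue -bor $rr::CreateSubKey -bor $rr::WriteKey -bor $rr::FullControl

Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $key = $_
    # Some keys deny even admins read access; skip those instead of aborting.
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
      if ($ace.AccessControlType -ne 'Allow') { continue }
      if ($principals -notcontains $ace.IdentityReference.Value) { continue }
      if ([int]($ace.RegistryRights -band $writeMask) -eq 0) { continue }
      [pscustomobject]@{
        Key       = $key.PSChildName
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.RegistryRights
        Inherited = $ace.IsInherited
      }
    }
  } | Format-Table -AutoSize
```

Any row in the output is a service key a non-admin account can alter without a UAC prompt, which is exactly the kind of misconfiguration worth reviewing.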
This "HackerOne" deal seems like a bad joke to me. Any security vulnerability needs to be patched, whether it requires a file to be placed somewhere on the user's system or not. Also, unless this particular researcher works for "HackerOne", they have no right or authority to "forbid disclosure". Users have a right to know when a piece of software poses a threat to the security of their system. All it would take for a "hacker" to take advantage of this is to modify game files and let Steam push the modified files as an update to a game.
This can become a serious issue....
Might not be related to this issue, but I hate when other apps like Origin or Discord just grab all my Steam data and suggest what games I should play next or which friends I should add.
On Android or iOS, an application has to get permission to access other applications or data on the system. On Windows, if an application gets installed, it can do whatever the hell it wants.
And it's fixed.
Very good, Steam team.
Gaben is still Gaben
I'm sure I got this through over the weekend, when I got Steam on my new rig.
Took them long enough to fix it. Just another example of what exposure can do: a publication on a website and a Reddit post, and suddenly they can fix it within a few days.
In fairness, I think when you install Steam on Windows, a system dialog pops up that tells you that you are giving admin privileges to Steam. You said "yes", so all bets are off after that.
On Linux, if you run something with "sudo", you can't complain that Linux is insecure.
If there is blame to be placed here, it is that Valve requires admin privileges for Steam. It should be possible to install Steam with just user privileges, just like on Linux.
Also, every goddamn application now installs services. What the hell is up with that? Virtually NONE of the applications I install on Linux require services. I run the app, it loads whatever it needs. I exit it, nothing is kept running in the background. Same with macOS AFAICT. What is it with Windows versions of applications and services? Stop it already.
Why would someone run Steam as root?
Nobody. But apparently the Windows version of Steam requires (the Windows equivalent of) root because Valve prefers having complete control over your machine.
Remember how many years ago some users would start their desktop session as root because "it makes things easier, like on MS-DOS and Windows 95" and people would shake their head when hearing this? That seems to be Valve on Windows.
Yes and no.
The Steam services allow it to auto-update and crap, but they have never allowed a standard user account to do things like install the dependencies that new game installs run through.
You mean run Windows as a single user Admin? That's the only way I run Windows, single Admin account. UAC disabled. I am the only person who has physical access to the PC.
You do not need to run it as root if you completely disable UAC.
And maybe running a scam anti-shìt software just to not have a single pop-up to click when you install something. If yes, that's a terrible performance exchange.
This doesn't mean that anything is ok. Killing UAC is one of the most terrible things you can do for the security of a Windows system. The best exploits require almost zero user interaction, opening a page that can work as your user, no UAC, rip. The even better ones just work over the network.