Steam...

Discussion in 'Frontpage news' started by Arctucas, Aug 8, 2019.

  1. Arctucas

    Arctucas Ancient Guru

    Messages:
    2,066
    Likes Received:
    19
    GPU:
    eVGA RTX2080 FTW3
  2. anticupidon

    anticupidon Ancient Guru

    Messages:
    4,008
    Likes Received:
    777
    GPU:
    integrated
    Well, there is something to think about.
    But it seems that affects the Windows version of the client.
    Not my case, I'm done with Windows.
     
  3. WhiteLightning

    WhiteLightning Don Illuminati Staff Member

    Messages:
    28,045
    Likes Received:
    990
    GPU:
    GTX1070 iChillx4
    Maybe if there are enough people complaining they will start to think about fixing it, because that's how it works for Steam.
     
    airbud7 likes this.
  4. GSDragoon

    GSDragoon Member Guru

    Messages:
    177
    Likes Received:
    21
    GPU:
    AMD Radeon VII
    The Steam service is doing stupid things. It's not the fault of Windows, unless you want to blame them for allowing bad behavior. There's no good reason games or Steam need admin rights in the first place, besides installing pre-reqs, which it should prompt for only when necessary.
     

  5. Astyanax

    Astyanax Ancient Guru

    Messages:
    3,628
    Likes Received:
    973
    GPU:
    GTX 1080ti
    It's not a serious issue.
     
  6. anticupidon

    anticupidon Ancient Guru

    Messages:
    4,008
    Likes Received:
    777
    GPU:
    integrated
    Let's see: I don't blame, I was just stating that the Steam client has a vulnerability that manifests in the Windows environment, giving administration rights to start other services.
    The small detail: during the demonstration of the vulnerability, UAC wasn't triggered. Windows should trigger UAC when a registry key is edited or modified, or did I just forget how this works?
    As for me, not using Windows, it doesn't affect me.
    Moreover, there is no 100% secure system, just levels of trust/security and paranoia.
    As for a solution, well, Steam can easily release a patch and call it a day.
     
  7. Astyanax

    Astyanax Ancient Guru

    Messages:
    3,628
    Likes Received:
    973
    GPU:
    GTX 1080ti
    UAC shouldn't be triggered at all when user sub registry keys are modified.

    A standard user cannot modify system-level registry keys at all with unelevated regedit, and no, it will not prompt you to restart that way.
     
    PrMinisterGR likes this.
  8. sykozis

    sykozis Ancient Guru

    Messages:
    21,050
    Likes Received:
    668
    GPU:
    MSI RX5700
    This "HackerOne" deal seems like a bad joke to me. Any security vulnerability needs to be patched, whether it requires a file to be placed somewhere on the user's system or not. Also, unless this particular researcher works for "HackerOne", they have no right nor authority to "forbid disclosure". Users have a right to know when a piece of software poses a threat to the security of their system. All it would take for a "hacker" to take advantage of this, is to modify game files and let Steam push the modified files as an update to a game.

    This can become a serious issue....
     
  9. sverek

    sverek Ancient Guru

    Messages:
    5,357
    Likes Received:
    2,247
    GPU:
    NOVIDIA -0.5GB
    Might not be related to this issue, but I hate when other apps like Origin or Discord just grab all my Steam data and suggest to me what games I should play next or what friends I should add.

    On Android or iOS, an application has to get permission to access other applications or data on the system. On Windows, if an application gets installed, it can do whatever the hell it wants.
     
    airbud7 and fantaskarsef like this.
  10. Astyanax

    Astyanax Ancient Guru

    Messages:
    3,628
    Likes Received:
    973
    GPU:
    GTX 1080ti
    And it's fixed.

     

  11. anticupidon

    anticupidon Ancient Guru

    Messages:
    4,008
    Likes Received:
    777
    GPU:
    integrated
    Very good, Steam team.
    Gaben is still Gaben
     
  12. Rich_Guy

    Rich_Guy Ancient Guru

    Messages:
    12,277
    Likes Received:
    444
    GPU:
    MSI 2070S X-Trio
    I'm sure I got this through over the weekend, when I got Steam on my new rig.
     
    Keitosha likes this.
  13. Nicked_Wicked

    Nicked_Wicked Member

    Messages:
    21
    Likes Received:
    14
    GPU:
    5700XT Red Devil
    Took them long enough to fix it, just another example of what exposure can do, a publication on a website, and a Reddit post. Suddenly they can fix it within a few days.
     
  14. RealNC

    RealNC Ancient Guru

    Messages:
    3,106
    Likes Received:
    1,336
    GPU:
    EVGA GTX 980 Ti FTW
    In fairness, I think when you install Steam on Windows, a system dialog pops up that tells you that you are giving admin privileges to Steam. You said "yes", so all bets are off after that.

    On Linux, if you run something with "sudo", you can't complain that Linux is insecure.

    If there is blame to be placed here, it is that Valve requires admin privileges for Steam. It should be possible to install Steam with just user privileges, just like on Linux.

    Edit:
    Also, every goddamn application now installs services. What the hell is up with that? Virtually NONE of the applications I install on Linux require services. I run the app, it loads whatever it needs. I exit it, nothing is kept running in the background. Same with macOS AFAICT. What is it with Windows versions of applications and services? Stop it already.
     
    Last edited: Aug 10, 2019
    HandR likes this.
  15. anticupidon

    anticupidon Ancient Guru

    Messages:
    4,008
    Likes Received:
    777
    GPU:
    integrated
    Why would someone run Steam as root?
     

  16. RealNC

    RealNC Ancient Guru

    Messages:
    3,106
    Likes Received:
    1,336
    GPU:
    EVGA GTX 980 Ti FTW
    Nobody. But apparently the Windows version of Steam requires (the Windows equivalent of) root because Valve prefers having complete control over your machine.

    Remember how many years ago some users would start their desktop session as root because "it makes things easier, like on MS-DOS and Windows 95" and people would shake their head when hearing this? That seems to be Valve on Windows.
     
    HandR likes this.
  17. Astyanax

    Astyanax Ancient Guru

    Messages:
    3,628
    Likes Received:
    973
    GPU:
    GTX 1080ti
    Yes and no.

    The Steam services allow it to auto update and crap, but they have never allowed a standard user account to do things like install the dependencies that new game installs run through.
     
    fantaskarsef likes this.
  18. HeavyHemi

    HeavyHemi Ancient Guru

    Messages:
    6,277
    Likes Received:
    601
    GPU:
    GTX1080Ti
    You mean run Windows as a single user Admin? That's the only way I run Windows, single Admin account. UAC disabled. I am the only person who has physical access to the PC.
     
    fantaskarsef and Aura89 like this.
  19. Alessio1989

    Alessio1989 Maha Guru

    Messages:
    1,397
    Likes Received:
    232
    GPU:
    .
    You do not need to run it as root if you completely disable UAC.
    And maybe running a scam anti-shìt software just to not having a single pop-up to click when you install something. If yes, that's a terrible performance exchange.
     
  20. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,004
    Likes Received:
    137
    GPU:
    Sapphire 7970 Quadrobake
    This doesn't mean that anything is ok. Killing UAC is one of the most terrible things you can do for the security of a Windows system. The best exploits require almost zero user interaction, opening a page that can work as your user, no UAC, rip. The even better ones just work over the network.
     
