Steam 0-day vulnerability potentially affects over 100 million users

arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/
>Digital is the future they said


they already patched it spermatozoacranium.

But they knew about it for much longer and ignored it, which is why the people who found it went public with it.

>potentially
okay but what did it actually do
this is Yea Forums not /g/

Is it related to someone who tried to break into my acct with my username/pass, or is that just from one of the many """reputable""" company breaches years ago?

>big ass cockroach picture in the article

it allowed bad man to become admin on your computer by physically touching your computer and running multiple third party programs

Basically, if an exploit is a way for a criminal to open a locked door to your house, then this one required the criminal to turn the oven on in your kitchen first.

>this thread again

Sorry to post actual video game related news and distract from the 7 weeb jerkoff threads that were on the first page when I made this.

>stealth EGS shill thread


>any bad publicity is Anti-Steam

RENT FREE

I will still use steam because it has a shopping cart and I won't be banned for buying things :)

Name one person who was hacked because of this exploit

Already fixed and the exploit would have needed local access anyways.

Fucking guessing the password on your Windows log-in screen would be a more reliable exploit.

>actual video game related news
? Steam isn't a videogame


I'm surprised Tim isn't all over this like a shark


>video game related news
>someone breaking into your house and using your computer is an exploit

>needs physical access to the system to compromise it
>exploit was reported to third party bug bounty company (which is also used by government institutions) who didn't even elevate it because it requires physical access
how utterly boring

Wrong analogy.
The Steam Client Service can be enabled by regular users without administrator access rights. And the exploit doesn't grant administrative privileges; it grants local system privileges, which is a good deal more.

A proper analogy here is having your house burgled because the spare key you kept under a loose rock next to your front door was found.


>the exploit would have needed local access anyways
Like a sandbox escape from a browser, or one of the many, many other exploitable holes for remote code execution that can be found in Windows itself, in bundled applications, or in popular third-party applications.

RCE normally isn't very interesting, because you'll be stuck with user-land permissions and need to elevate to admin first. So you need to pair it with permission elevation exploits, which require vulnerabilities that are usually more sparse and patched more quickly. Of course, with the exception of this one in Steam, which was trivial to exploit and had extremely wide availability due to its huge install base.
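
Added example, not part of any post in the thread: a small auditor for the precondition described above, a Windows service whose security descriptor lets ordinary users start or reconfigure it. The two SDDL strings are constructed samples, not the Steam Client Service's actual descriptor, and the function name is hypothetical.

```python
import re

# SDDL right codes as they apply to Windows service objects.
RISKY_RIGHTS = {
    "RP": "SERVICE_START",
    "DC": "SERVICE_CHANGE_CONFIG",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}
# Well-known trustee aliases that include ordinary, non-administrative users.
LOW_PRIV = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "Builtin Users",
    "IU": "Interactive",
}

def audit_service_sddl(sddl):
    """Return [(trustee, [rights])] for allow-ACEs that let non-admins control a service."""
    # Take only the DACL ("D:" plus optional flags); the SACL ("S:") is audit-only.
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        # Note "WD" means WRITE_DAC as a right but Everyone as a trustee,
        # so the two are only ever compared within their own field.
        if ace_type != "A" or trustee not in LOW_PRIV:
            continue
        if rights.startswith("0x"):
            risky = ["hex mask %s (decode manually)" % rights]
        else:
            risky = [RISKY_RIGHTS[c] for c in re.findall("..", rights) if c in RISKY_RIGHTS]
        if risky:
            findings.append((LOW_PRIV[trustee], risky))
    return findings

# Constructed sample: interactive users may query the service but not start it.
RESTRICTED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)")
# Constructed sample: Builtin Users hold RP (start); the SACL entry must be ignored.
USER_STARTABLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCLCSWRPLOCRRC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("restricted", RESTRICTED), ("user-startable", USER_STARTABLE)):
        print(name, audit_service_sddl(sddl))
```

On a real machine the input would be the output of `sc sdshow <service name>`; a finding matters most when `sc qc` shows the same service running as LocalSystem.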

I'm the exploit
ask me anything

this

So let me get this straight, Steam makes my computer "a little more vulnerable" if someone steals my entire computer? The fuck kind of vulnerability is that? There are way more problems than "Steam is vulnerable" if someone steals your whole computer.

- needed physical access to use or passing of abusive malware to use it
- could potentially create a vector whereby you offer some super cheap game to abuse the exploit, but at that point you could just use a malicious .exe since most people don't give a second glance to a game requiring elevation
- was reported to h1 who as far as we knew never even notified valve since they deemed it unimportant. that doesn't handwave the issue away it means the process of review and communication between h1 and their clients needs to be better
- always fact check sensationalist threads like this one
- if you're panicking, this was already patched, not like it actually affected anyone though.

I'm pretty sure this is ancient news. I remember the dangers of the steam service being discussed years ago because the main point of the service is to basically undermine the security of your system. It's why you don't get bombarded by UAC prompts while using Steam. They created a "back door" in your OS. Everyone has known about this for ages.

Can I fuck you?

I can fuck you

>finds an exploit
>reports it to super sekrit hacker clique group
>it gets rejected
>instead of reporting it to Valve, makes it public along with detailed instructions on how to replicate it

Nah, you're getting fucked, wimp

this guy is correct
everyone else is retarded

reporting to valve means going through h1, it's what bug bounties are for. everyone from video games to government institutions like the military uses them. the fault lies with h1 not reporting to their client because the exploit needed either physical access or for the user to run something on an already infected system to exploit it so they deemed it not important and nothing was disclosed.

They did report it to Valve before releasing to public. Valve probably won't do anything about it.

not as bad as class-action lawsuit tho


>Valve probably won't do anything about it.
already patched lad

>old article about already fixed exploit
>ebil steem
shilling ebin store chinkroach.

>OMG UPDATE YOUR PC NOW THIS ZERODAY
>"requires physical access to the pc"
yeah alright maybe ring those bells a little less loud jesus

Is my account in danger? I have asked my friends and none of them have noticed anything and we all have 2FA

>the security researchers who discovered the flaw are not satisfied with the solution and warn that the company is ignoring a number of local privilege escalation (LPE) vulnerabilities in the popular Steam gaming service.
The nature of the service itself is a problem. The whole point of it is to silently elevate privileges from user to system. It shouldn't even exist.