back to article Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty

A security bod angry at Valve's handling of bug reports has disclosed a zero-day vulnerability affecting the games giant's flagship Steam app. Russia-based bug-hunter Vasily Kravets said that he was releasing details of the flaw, an elevation-of-privilege hole, after a series of poor interactions with Valve led to him getting …

  1. Anonymous Coward
    Anonymous Coward

    As if by magic ....

    only yesterday I commented on the shitfest waiting to happen once you turn what should be a paid job -i.e. bug hunting - into a lottery after the Microsoft bug bounty initiative.

    1. Anonymous Coward
      Anonymous Coward

      Re: after the Microsoft bug bounty initiative.

      Sweet! I knew those bastards would be to blame for Valve not paying a bug hunter.

      It's like people have MS Tourettes round here. Doesn't matter who or what is being discussed some AC will moan on about it being MS' fault.

      1. Anonymous Coward
        Anonymous Coward

        Re: after the Microsoft bug bounty initiative.

        Microsoft ate my hamster.

        1. SotarrTheWizard

          Re: after the Microsoft bug bounty initiative.

          Hey! My mother was a hamster, and my father smelled of elderberries !!

          Now, go taunt Microsoft a second time !!1

        2. Zarno
          Coat

          Re: after Microsoft ate my hamster

          But did they microwave it first?

          Mine's the one with the copy of Maniac Mansion in the pocket...

          1. Nolveys

            Re: after Microsoft ate my hamster

            But did they microwave it first?

            It was necessary to microwave it after it was frozen for 200 years.

        3. Kabukiwookie

          Re: after the Microsoft bug bounty initiative.

          My hamster can take care of itself, I always tell it to go for the eyes.

          1. Anonymous Coward
            Anonymous Coward

            Re: after the Microsoft bug bounty initiative.

            > I always tell it to go for the eyes.

            Minsk, is that you?

            1. Ken Shabby
              Childcatcher

              Re: after the Microsoft bug bounty initiative.

              Basil.

              1. Anonymous Coward
                Anonymous Coward

                Re: after the Microsoft bug bounty initiative.

                For reference: https://www.youtube.com/watch?v=X8lLruVR2zQ

      2. Anonymous Coward
        Anonymous Coward

        Re: after the Microsoft bug bounty initiative.

        We'll miss you and your awesome comprehension skills when the schools go back. Good luck in your first year in high school !

      3. Anonymous Coward
        Anonymous Coward

        Re: after the Microsoft bug bounty initiative.

        Doesn't matter who or what is being discussed some AC will moan on about it being MS' fault.

        That's because it usually is. No need to moan either, the bare facts are usually enough.

        1. Anonymous Coward
          Anonymous Coward

          Re: No need to moan either, the bare facts are usually enough.

          Seriously, you're prepared to argue that Valve not paying this bounty is because of MS?

          Go on then, "bare facts" me up!

          1. Anonymous Coward
            Anonymous Coward

            Re: No need to moan either, the bare facts are usually enough.

            No. They argued the *trend* not MS. The *trend* of not paying for work is a problem, not MS.

            Though they may have been wrong in their other posts, this one was ok. A broken clock, twice a day, and all that.

            1. Anonymous Coward
              Anonymous Coward

              Re: No. They argued the *trend* not MS

              No, they claimed that ms was responsible for the trend, blaming MS for valve's behaviour.

              1. Anonymous Coward
                Anonymous Coward

                Re: No. They argued the *trend* not MS

                Sounds like blaming Valve for Windows' behaviour...

          2. Anonymous Coward
            Anonymous Coward

            Re: No need to moan either, the bare facts are usually enough.

            Note the word "usually".

            Also, I think that may have been tongue in cheek - your statement is likely to draw those with a sense of dark humour to prod a bit. I would not get too excited - just prod right back :)

          3. Anonymous Coward
            Anonymous Coward

            Re: No need to moan either, the bare facts are usually enough.

            Seriously, you're prepared to argue that Valve not paying this bounty is because of MS?

            Go on then, "bare facts" me up!

            Grin, it's just too easy to get some people excited these days. I need another 111 downvotes to hit the 10k, though, so expect more :).

            1. Michael Wojcik Silver badge

              Re: No need to moan either, the bare facts are usually enough.

              Ah, yes. "Oh, that was unpopular. Guess I'll pretend I was being deliberately provocative."

              That rhetorical cringe was feeble and tired on Usenet thirty years ago. Grow up.

        2. Azerty

          Re: after the Microsoft bug bounty initiative.

          Seems like lately the microsoft pr army has landed at ElReg. They don't know humor, just downvoting and preaching the religion.

          1. sabroni Silver badge

            Re: the Microsoft pr army, they don't know humour

            Search the forums for "year of the Linux desktop".

            1. Huw D

              Re: the Microsoft pr army, they don't know humour

              Also, "This time next year we'll be millionares, Rodney" ;)

          2. Anonymous Coward
            Anonymous Coward

            @ Seems like lately the microsoft pr army has landed at ElReg

            and now you know where the bug bounty was moved to.

            PR guys loyality can be bought wholesale where bughunters often have annoying quantites of integrity, something that MS never prized.

          3. Anonymous Coward
            Anonymous Coward

            Re: after the Microsoft bug bounty initiative.

            If you think that after more than 30 years, still blaming everything on MS is humour, then boy do I have news for you.

            You probably still use "M$" too.

            1. Anonymous Coward
              Anonymous Coward

              Re: after the Microsoft bug bounty initiative.

              You probably still use "M$" too.

              Nah, that's too easy and boring. Also doesn't quite get any of the antsy reactions.

              Don't worry, it wears off. Once I have the downvotes I was after I'll stop poking fun at Microsoft for a while - I want their PR people feel safe first :).

          4. Anonymous Coward
            Anonymous Coward

            Re: after the Microsoft bug bounty initiative.

            Seems like lately the microsoft pr army has landed at ElReg. They don't know humor, just downvoting and preaching the religion.

            Finally someone who gets it, I had almost given up hope. That's all I have been doing - merely offsetting the Microsoft PR army - but some people have (a) no sense of humour and (b) take this as personal affronts which I frankly find hilarious.

            That said, I don't actually like to troll that much (I'm more for the occasional good natured prod), but Microsofties appear to be so extraordinarily sensitive that its kinda hard to fight the temptation.

            Oh, by the way, please go ahead and downvote. I'm trying to win a bet :).

  2. lglethal Silver badge
    Stop

    From my understanding...

    it takes a hell of a lot to get yourself banned from HackerOne. That implies there's more to this story then is being told. At the very least I have to assume he was extremely abusive to the staff there.

    Bug Bounties are always hit and miss for payouts. What one person considers a critical flaw another considers unimportant. Getting abusive for having your claims denied is unacceptable either way. Releasing the code into the wild after having it denied is also a complete d&ck move. It just shows you dont actually care about the security of your fellow netizens, you're just there for the potential payout...

    1. Evil Harry

      Re: From my understanding...

      Agree with you but would have thought that the small time bug hunters were only there for money in the first place? They have to eat after all :)

      1. lglethal Silver badge
        Go

        Re: From my understanding...

        Of course people are in it for the money. Thats not in question. But releasing the code into the Wild doesnt get you paid either, but it DOES put everyone else in danger. So I reiterate its a d&ck move.

        It also seems pretty dodgy to me, that he found this bug in Steam AFTER he had already been banned from Steam's Bug Bounty Program. If you've already been told they wont pay you for anything you find, why would you spend time hunting for bugs in their program? the only reason I can come up with is malicious intent.

        1. Paul Crawford Silver badge
          Trollface

          Re: From my understanding...

          Why is it a dick move? After all Valve are quite clear it is not a vulnerability that matters.

        2. Donn Bly

          Re: From my understanding...

          People are in danger whether he releases it or not. Would you prefer to be in danger and NOT know about, or be in danger with the knowledge that you are in danger? I would at least prefer to know.

          You also assume that he looked for the bug AFTER he had been banned. It is a far more likely scenario that he found both bugs at the same time, They are, after all, variants on each other.

          Additionally, in a previous post you decried that he was just "into it for the payout" and didn't care about his fellow net citizens. Now, however, you just equated searching for bugs without expectation of payout as "malicious intent".

          If hunting for bugs with expectation of payout is bad, and hunting for bugs without expectation of payout is bad, then by your definitions ALL bug hunting is bad.

          He tried responsible disclosure first -- they told him that they were not interested and banned him.

          1. Mark 85

            Re: From my understanding...

            People are in danger whether he releases it or not.

            I'm not so sure about this particular bug. If someone has physical access to your PC/laptop, then maybe. However, if you walk into where your computer is located and there's a guy wearing a hoodie with a bunch of 1's and 0's floating around him, then yes, you have a real problem.

            1. CrazyOldCatMan Silver badge

              Re: From my understanding...

              If someone has physical access to your PC/laptop, then maybe

              Or (as the guy says) some malicious person/company/state releases a 'free' game that uses these exploits to root your windows box..

              1. chuBb.

                Re: From my understanding...

                Or a lan party...

                Physical access usually means in this context connected to same switch/subnet/lan, has no need to transit a firewall, or c$ is open and accessable , not physical access is required as the device is air gapped, accessible only through 5 vault doors and 100m under ground

            2. Mephistro
              Angel

              Re: From my understanding...

              "if you walk into where your computer is located and there's a guy wearing a hoodie with a bunch of 1's and 0's floating around him..."

              He should quit LSD asap, or at least share!!1!

        3. Anonymous Coward
          Anonymous Coward

          Re: From my understanding...

          If people just walked away silently when valve reject valid bugs, then they'll continue to reject them..

          blackmail? maybe, but if valve says it's not an issue, then surely they won't mind?

    2. tcmonkey

      Re: From my understanding...

      Maybe true, but he wasn’t banned from HackerOne, just from Valve’s part of it. That’s not quite the same thing, and may well have been the result of someone at Valve thinking he was irritating.

      Unrelated note, what is it that Valve actually DO these days, other than sitting on a vast pile of money made off of other people’s hard work?

      1. Dan 55 Silver badge

        Re: From my understanding...

        Or, since they've removed all semblance of quality controls, not hard work (asset flipping).

      2. ArrZarr Silver badge
        Coat

        Re: From my understanding...

        They probably occasionally go swimming in their giant money pool.

        Hell, I wouldn't be surprised if they got into the rocketry business. Maybe they could do something about the components that failed on the pad launch abort test for Dragon 2.

        1. Ochib

          Re: From my understanding...

          If Kerbal has taught me anything, it aways needs more struts

          1. Crisp
            Boffin

            Re: more struts

            And moar boosters.

        2. amanfromMars 1 Silver badge

          Re: From my understanding...

          They probably occasionally go swimming in their giant money pool. .... ArrZarr

          They always go Deep See Diving for giant grant money pools, ArrZarr.

          Titans such as develop and maintain this type of Internetional Security Program ........ Leading AI with JEDI Projects in Overall Remote Command and Total Virtualised Control.

          A Veritable King Solomon's Mines of a Bonanza to Value According to Practical Ethereal Worth.

        3. chuBb.

          Re: From my understanding...

          Perhaps they could get into the rocket test site business, call it rocket arena....

      3. Kabukiwookie

        Re: From my understanding...

        what is it that Valve actually DO these days

        HL episode 3 should be coming out any day now.

      4. Graham Dawson Silver badge

        Re: From my understanding...

        >what is it that Valve actually DO these days

        They make hats.

        1. Richard 12 Silver badge
          Angel

          Re: From my understanding...

          But not real ones

      5. Zoopy

        Re: From my understanding...

        > Unrelated note, what is it that Valve actually DO these days, other than sitting on a vast pile of money made off of other people’s hard work?

        They develop Proton, which is tremendously valuable to me.

    3. Donn Bly

      Re: From my understanding...

      Releasing the code into the wild after having it denied is also a complete d&ck move.

      Perhaps, but in context I would disagree.

      If I found a bug in your product, report it, and you deny it - what should the next step be?

      I see three options for the hunter:

      1) Do nothing. Let the bug remain and leave everyone using it still open.

      2) Release it to the wild like he did. At least people know now about it.

      3) Sell it on the black market making sure that the bad guys know first.

      If I release it into the wild then maybe next time someone will listen if I try to report bugs.

      After all, if the bug isn't serious enough to be paid for finding it then it follows that releasing it into the wild shouldn't cause any serious problems, right?

      Also, if he was only there for the potential payout he would have just sold it on the dark net. The fact that he didn't shows that he DOES care about the users - just not about the company that rejected him.

      1. Anonymous Coward
        Anonymous Coward

        Re: From my understanding...

        This. I've been involved in bug bounties for the past 7 years on all sorts of platforms including Bugcrowd and HackerOne. The issue that this researcher ran into is quite common, and you're always left in weird limbo land. It basically goes like this:

        a) submit but, and it's classed as 'won't fix' or 'out of scope' or <insert reason>

        b) you ask if you can go into public disclosure - because of various NDA's and t's and c's attached to many 'private' programs you can't...

        So basically you're sitting on something which is a known vulnerability and impactful but for whatever reason they've decided it isn't an issue, but you can't release it. This is where ethics take hold and everyone has a different opinion.

        Personally I've never released vulnerabilities into the wild like this. It also means I know dozens of companies that have vulnerabilities in their products and they know it, and I know it, but that's it. It's now their problem, not mine. Spin that Karmic wheel and watch it goooo!

        1. John Brown (no body) Silver badge

          Re: From my understanding...

          "Personally I've never released vulnerabilities into the wild like this. It also means I know dozens of companies that have vulnerabilities in their products and they know it, and I know it, but that's it. It's now their problem, not mine. Spin that Karmic wheel and watch it goooo!"

          An ethical dilemma? Balancing the risk of loss to possibly millions of people against the legal "fiction" of some likely overly onerous NDA that might not even be a legal document if it's untested in court?

        2. Updraft102

          Re: From my understanding...

          If news about the vulnerability gets released, the company will be forced by customers (who may not "understand" that it doesn't matter) to fix it, but if he just sits on it like Valve wants, the vulnerability remains, and if he discovered it, that means it is discoverable, so eventually someone else will, if they haven't already. Keeping quiet makes sure the people who don't know they are vulnerable remain that way, while speaking out at the very least fixes the "don't know" bit, if not also the "vulnerable" bit.

        3. Alan Brown Silver badge

          Re: From my understanding...

          This is why I usually attach a deadman switch to security vulnerabilities I report.

          Being silent is one thing - I'll disclose in this case anyway, but some outfits go nuclear with the gagging attempts - having the details passed to a couple of 3rd parties in other countries with a countdown timer BEFORE notifying the outfit means they can't prevent it happening.

          I also work on a policy of giving outfits 2 chances at being cooperative, then I don't bother with notification delays anymore.

          Why? Quite simple: I doubt the bad guys don't know about it already - and in the cases where I've tried to go through the "right" paths the bad guys have been observed using the vulnerabilties in the wild before the announcements were released - turning them into zero-day things anyway.

      2. Muscleguy

        Re: From my understanding...

        Agreed, and it will take time for scumbag cheap game co to add an exploit which gives Valve time to patch the app.

        I tried Steam for one game but gave up on it and bought the game as a download instead. Steam was offline when I wanted to play and I realised it meant I couldn’t play on a plane or in a cafe with an unsecured wifi etc.

        After this I think I might uninstall the app if I haven’t already.

        1. lglethal Silver badge

          Re: From my understanding...

          Umm you dont need an internet connection to use steam. To download a game or buy one sure, but once you have it downloaded and installed on your computer. You can absolutely play offline...

          1. Joe Harrison

            Re: From my understanding...

            No you cannot play offline without an internet connection. I moved to a block of flats which was supposed to have communal wi-fi, but didn't. I had to use the internet from my laptop wherever I could find public wi-fi. A couple of weeks later things on my gaming PC stopped working and told me to get online.

            I raised a ticket with Steam and they told me to get lost. They are annoying and useless and I much prefer the days when I used to buy a game on a CD and run it with no further interference. Oh and did I mention all the tedious emails about the security of your steam account and please type in this code. I didn't want a Steam account in the first place, I wanted to play a game.

            1. Anonymous Coward
              Anonymous Coward

              Re: From my understanding...

              Well I've just fired up steam with a disabled network connection and it let me play. I got the option to go into offline mode so take from that what you will.

              1. DavCrav

                Re: From my understanding...

                "Well I've just fired up steam with a disabled network connection and it let me play. I got the option to go into offline mode so take from that what you will."

                I think the point is that it works for a while and then slowly breaks. I don't know for sure, as my Internet has not been down long enough to have to test that theory.

                1. Baldrickk

                  Re: From my understanding...

                  two years of gaming on a loaner laptop without internet access while away from home here... Steam worked fine offline the whole time.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: From my understanding...

                  It works offline until your Steam authorization token expires, then you need to go online to refresh that to allow offline play again.

                  Something I forgot to do before a recent flight and had to twiddle my thumbs the whole 3 hour flight!

            2. tekHedd

              Just wanted to play a game

              HL2 is how we got into this mess in the first place.

              See also "Is this still your email address?" Whatever you do, don't click "Yes" unless you have access to email at your current location!

      3. Anonymous Coward
        Anonymous Coward

        Re: From my understanding...

        Option 4...

        4) Sit on the bug and wait for it to be exploited.

        4a) Send the vendor a message which paraphrases to "I told you so. May I have my money now?"

        4b) If they say "No" then go public with their email from n months ago rejecting your submission.

    4. amanfromMars 1 Silver badge

      Re: From my understanding...

      Releasing the code into the wild after having it denied is also a complete d&ck move. It just shows you dont actually care about the security of your fellow netizens, you're just there for the potential payout... .... Iglethal

      Unrelated note, what is it that Valve[MS/Apple/Google/Amazon etc etc] actually DO these days, other than sitting on a vast pile of money made off of other people’s hard work? .... tcmonkey

      It is popularly known as the American Corporate Way ..... Vaster riches for the few, poisonous scraps for the many.

      But it only continues to work wonderfully well if hardly anyone knows. Nowadays though, that silent dreadnought of arrogant convenience is holed catastrophically below the water line long ago. And there aint no lifeboats available to pick up loaded survivors.

      1. Tom 7

        Re: From my understanding...

        It may take a while. For some reason we got a family spotify acct and I download music to annoy the kids in the car. We dont get a phone signal here so my phone is often off. If I forget to turn it on and load spotify in the house so it can call home it refuses to play stuff I've downloaded!

    5. Jamesit

      Re: From my understanding...

      "I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence," Kravets wrote. "Eventually things escalated with Valve and I got banned by them on HackerOne – I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though)."

      He's not banned from H1, just the Valve bounty programme.

    6. e^iπ+1=0

      banned from HackerOne.

      My reading of the article leads me to believe that the researcher was not banned from h1, just from steam's h1.

    7. John Brown (no body) Silver badge

      Re: From my understanding...

      "Releasing the code into the wild after having it denied is also a complete d&ck move. "

      Yes and no. If Valve say it's not a problem, then neither is releasing the code. If the code being in the wild is a problem, then it's a bug Valve should be dealing with as soon as they are notified of it. After all, they don't know if a blackhat is already exploiting it.

    8. Anonymous Coward
      Anonymous Coward

      Re: From my understanding...

      "What one person considers a critical flaw another considers unimportant."

      Reminds me of the developers of systemd

      Opps, did I say that out loud?

    9. Michael Wojcik Silver badge

      Re: From my understanding...

      it takes a hell of a lot to get yourself banned from HackerOne

      Kravets didn't "get ... banned from HackerOne". He got banned from Valve's Response channel on HackerOne. That's a move by Valve, not by HackerOne.

      From everything I've seen, this whole saga is about Valve fucking up their response. Everyone who's worked in PSIRT knows that being diplomatic with outside researchers and taking their reports seriously is the critical part of the job. Valve failed.

      And, frankly, based on recent disclosures about Steam, I wouldn't trust Valve for a second. PC games nearly always run with elevated privileges; that obligates games vendors to be particularly careful with their software security (though they rarely are). I don't see any sign that Valve is doing well in that area.

  3. karlkarl Silver badge

    "Are you sure that a free game made of garbage by an unknown developer will behave honestly?"

    Is it bad that I kinda trust "unknown developers" more than Valve themselves?

    I *know* Valve has no respect for my digital freedom and are a bunch of DRM masturbating twits but the "unknown developer" might actually turn out to be nice guys.

    1. sabroni Silver badge

      re: I *know* Valve has no respect for my digital freedom

      I *know* Valve want to make me pay for games

      FTFY!

      1. karlkarl Silver badge

        Re: re: I *know* Valve has no respect for my digital freedom

        Naive response. Can you explain to me why even their free stuff has the strict DRM applied?

        1. Anonymous Coward
          Anonymous Coward

          "Can you explain to me why even their free stuff has the strict DRM applied?"

          To avoid someone sells it for money to some naive and gullible users?

        2. sabroni Silver badge
          Happy

          Re: Naive response

          I don't know but my guess would be "We built it to DRM all games. It would cost us and involve a lot of testing to make DRM optional on free to play games. There's no obvious revenue stream in the (relatively) tiny number of users who care about DRM on free games."

          Just my naive response but seems plausible. Why do you think they do it?

          1. ViktorVaughn

            Re: Naive response

            DRM is completely optional on Steam. It's up to the developers themselves.

          2. karlkarl Silver badge

            Re: Naive response

            No, I want you (and other Steam users) to think about. Figure it out for yourself.

            1. Steve Knox

              Re: Naive response

              No, I want you (and other Steam users) to think about. Figure it out for yourself.

              Translation: I don't have a cogent argument and I know it.

  4. Halfmad

    Sort of with Valve on this one..

    If you need local access to pwn, then you could do just about anything on that PC anyway.

    I guess HOW he got access locally may be the question here, did he leverage the Steam client etc? Doesn't sound like it but wierder things have been done via steam chat in the past!

    1. Anonymous Coward
      Anonymous Coward

      Re: Sort of with Valve on this one..

      Is the problem not, that games run on/in/from Steam? So there is your local access. Release a game under fake credentials, pwan a load of gamers.

      1. Baldrickk

        Re: Sort of with Valve on this one..

        If that's your goal, can't you just put forward a game with all the dodgy code you need in it already?

        Fire off a UAC prompt during installation / first run to get privileges, and you're sorted.

        1. FeepingCreature

          Re: Sort of with Valve on this one..

          Sure but now you can do it without a UAC prompt. So with this exploit, UAC is now *completely* toothless, rather than only mostly.

          Gamers may ask, "why does this random game need root?" It may give an opportunity to notice the exploit. Now there is no such opportunity.

          1. Anonymous Coward
            Anonymous Coward

            Re: Sort of with Valve on this one..

            Moreover if you're running as LocalSystem you're even more powerful than someone in the Administrators group - and I wonder why the Steam service requires such privileges.

    2. Anonymous Coward
      Anonymous Coward

      Re: Sort of with Valve on this one..

      There's still the misconception a system is p0wned with a single, frontal assault. While big, wormable RCE vulnerabilities get all the press, many systems are p0Wned using a stack of vulnerabilities, one after another. You may get limited local access to get a file on a system, and nothing else. But if you can then use another vulnerability to run the file with high privileges, you're utterly p0wned. And here also we are talking about a client that actually downloads files and installs them....

    3. tiggity Silver badge

      Re: Sort of with Valve on this one..

      @Halfmad

      "I guess HOW he got access locally may be the question here"

      One of the arguments hacker put forward was a game having exploit added and made available by Steam, Steams own system would download it (and allow the exploit to be a success).

      Steam, by definition, allows stuff to be installed on your machine, and by adding exploit into a game you know that the steam platform is there to exploit that bug.

      .. And of course always a drip drip of new exploits to periodically allow you a new nasty way to get a file on someones system

      1. NetBlackOps

        Re: Sort of with Valve on this one..

        And how many times have we seen a developer get pwned?

  5. adam payne

    Valve declined to recognize and pay out for the bug, which they said required local access and the ability to drop files on the target machine in order to run and was therefore not really a vulnerability.

    Well at least it's not a repeat of the Steam Guard bug that would allow any code to be used.

  6. robined

    A privilege escalation seems to me to be pretty critical

    You say

    "they each require the attacker to already have access to the target machine (if that’s the case you’re already in serious trouble, so what’s another flaw)"

    If you're a normal user and can run things as an administrator (which is what privilege elevation is) then that's a pretty serious flaw. I'm not sure why you're treating it so cavalierly.

    1. diodesign (Written by Reg staff) Silver badge

      Re: A privilege escalation seems to me to be pretty critical

      Sadly I think you've misunderstood. To exploit priv esc bugs, you need to already have access to the machine - the ability to write to the filesystem, in one case. At that point, you can do bad stuff anyway, like execute arbitrary code as the user.

      To be clear, this is priv esc because you can either go from arbitrary file write to code exec, or user-level code exec to admin code exec if Steam is running as admin. If you already have admin code exec access to the box, this vulnerability is irrelevant.

      What we're saying is, it's not as dangerous as an RCE like the RDP bugs. It's not great, it's not terrible.

      C.

  7. SVV

    Is this really a bug though?

    If you have local system access and file write permissions, you can replace any dynamically loaded library installed with an application with a malware riddled one. This has been one of the top Windows attack vectors for decades. It's about as much a "bug" as saying that you'd also be able to replace steam.exe (or whatever it's called) with a malicious application.

    1. FeepingCreature

      Things you can do with root

      Mess with the Windows folder.

      Mess with the MBR.

      Mess with the certificate store.

      Flash BIOS and device firmware.

      Disable the virus scanner.

      Disable Windows Update.

      Install keyloggers on other accounts.

      It's definitely already pretty bad, but it's not necessarily a total loss without a privilege escalation. Without a privilege escalation, the PC may be salvageable. With root, you may as well buy a new computer and restore from backup.

      1. A.P. Veening Silver badge

        Re: Things you can do with root

        With root, you may as well buy a new computer and restore from backup.

        And that is assuming that backup is clean. If it isn't, you have even more problems.

  8. sitta_europea Silver badge

    I thought steam was the stuff that came out of my kettle when it's ready to make my tea.

    1. Ozmosis

      No, that's water vapour. Steam is invisible (all according to the TV programme QI)

      1. Anonymous Coward
        Anonymous Coward

        It's the water vapour that's invisible. If it's visible (like clouds) it's liquid particles.

  9. Anonymous South African Coward Bronze badge

    "Are you sure that a free game made of garbage by an unknown developer will behave honestly?"

    Now we wait for the shoe to drop.

  10. Anonymous Coward
    Anonymous Coward

    iNTEL

    Valve declined to recognize and pay out for the bug, which they said required local access and the ability to drop files on the target machine in order to run and was therefore not really a vulnerability.

    I wish Intel felt the same way as Valve.

    Crippling CPU's because of a vuln that only exists when in front of the device with adm rights is crazy.

    1. Anonymous Coward
      Anonymous Coward

      Re: iNTEL

      Lies, damned lies and intel shills

      "Crippling CPU's because of a vuln that only exists when in front of the device with adm rights is crazy." intel's CPU vulnerability makes it possible to ignore OS security so no need for admin rights.

      If as you suggest, intel CPU are secure then why are they spending money trying to fix it ?

      1. Anonymous Coward
        Anonymous Coward

        Re: iNTEL

        "If as you suggest, intel CPU are secure then why are they spending money trying to fix it ?"

        Just a guess that the OP was complaining that some of the deep CPU vulnerabilities might not need as much fixing (and the accompanying performance hit) as they've been given. I didn't read it as him saying Intel CPUs are "secure".

        1. IGotOut Silver badge

          Re: iNTEL

          It may be over exaggerated for a home PC, but certainly not a business server.

          Think of a server running a dozen virtual machines, say in a shared hosting environment. It is possible (but not easy) to set up an malicious platform, and using the bugs "break" into, or steal the credentials from another VM running on the server, that you should have 0 access to.

          So yes it is a major flaw that needed fixing

  11. dwodmots

    But you're already admin!

    If you have the ability to write to the steam installatio directory (owned by TrustedInstaller), then you alraedy have administrator rights.

    If you aren't admin and want to boot into another OS to write your files there, you could also just blank the password of the Administrator account.

  12. Anonymous Coward
    Anonymous Coward

    All Steamed up

    I'm just happy when Steam doesn't crash.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like