researcher publishes second steam 0 day, valve doesn't care

[spartaman64]

Quote

A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks.

However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform.

Quote

Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.

When the security researcher -- named Vasily Kravets-- wanted to publicly disclose the vulnerability, a HackerOne staff member forbade him from doing so, even if Valve had no intention of fixing the issue -- effectively trying to prevent the researcher from letting users know there was a problem with the Steam client at all.

Kravets did eventually publish details about the Steam zero-day, which was an elevation of privilege (also known as a local privilege escalation) bug that allowed other apps or malware on a user's computer to abuse the Steam client to run code with admin rights.

Quote

Valve did eventually ship a fix, more as a reaction to all the bad press the company was getting.

The patch was almost immediatelly proved to be insufficient, and another security researcher found an easy way to go around it almost right away.

Quote

Today, Kravets published details about a second Valve zero-day, which is another EoP/LPE in the Steam client, allowing malicious apps to gain admin rights through Valve's Steam app. Demos of the second Steam zero-day are embedded below, and a technical write-up is available on Kravets' site.

https://amonitoring.ru/article/onemore_steam_eop_0day/

Quote

All of Valve's problems seem to come from the fact that the company has placed EoP/LPE vulnerabilities as "out-of-scope" for its HackerOne platform, meaning the company doesn't view them as security issues.

Nelson, a security researcher who has made a name for himself for finding a slew of interesting bugs in Microsoft products, doesn't agree with Valve's decision.

Quote

EoP/LPE vulnerabilities can't allow a threat actor to hack a remote app or computer. They are vulnerabilities abused during post-exploitation, mostly so attackers can take full control over a target by gaining root/admin/system rights.

While Valve doesn't consider these as security flaws, everyone else does. For example, Microsoft patches tens of EoP/LPE flaws each month, and OWASP considers EoP/LPE as the fifth most dangerous security flaw in its infamous Top 10 Vulnerabilities list.

By refusing to patch the first zero-day, Valve inadvertantly sent a message out that it doesn't care about the security of its product, putting the company's 100+ million Windows users in danger just by having the Steam client installed on their computers.

Sure! Valve is right, in its own way. An attacker can't use an EoP/LPE to break into a Steam user's client. That's a fact. But, that's not the point.

source: https://www.zdnet.com/article/researcher-publishes-second-steam-zero-day-after-getting-banned-on-valves-bug-bounty-program/

 

tl;dr: valve doesn't care about security flaws their steam client causes as long as it doesn't help in an initial break in.

This is like saying as long as something can't help in starting a fire its not a fire hazard. Maybe OSHA should go investigate valve's offices if this is how they view things. Combating viruses isn't just about preventing them from getting in but also limiting what they can do when they do get in. Just like fire hazards are not just stuff that can cause a fire to break out but also what might contribute to the fire getting worse or preventing people from escaping the building. It feels like over the years valve is becoming more and more lazy and complacent and I guess that's what happens when you become essentially a monopoly. As much as I don't like some of epic's philosophy this changed my mind about them a little and showed me that we need them to compete with steam. 

[emosun]

wait a minute.... you're saying valve are a bunch self absorbed buttheads that only care about money?

[ThePD]

But I thought Steam Good, Epic games bad!

[Sauron]

3 minutes ago, emosun said:

wait a minute.... you're saying valve are a bunch self absorbed buttheads that only care about money?

Noooooo, Valve good, Epic bad, don't you get it?

2 minutes ago, VegetableStu said:

kinda wonder if they treat this like how they treat steam support ._.

They don't even bother responding to support tickets

[Flying Sausages]

1 minute ago, Sauron said:

They don't even bother responding to support tickets 

They did to me. They unbanned me from this moderator abuse power on me.

[rcmaehl]

https://arstechnica.com/information-technology/2019/08/valve-says-turning-away-researcher-reporting-steam-vulnerability-was-a-mistake/

[spartaman64]

1 minute ago, rcmaehl said:

https://arstechnica.com/information-technology/2019/08/valve-says-turning-away-researcher-reporting-steam-vulnerability-was-a-mistake/

https://nvd.nist.gov/vuln/detail/CVE-2019-14743

their fix can still be bypassed and the researcher is still banned so until valve backs it up with some action its just empty PR speak

[PlayStation 2]

Welcome to modern Valve, where Team Fortress 2 sits without updates for two months or more, where CS:GO hasn't had an Operation in over two years and the Steam client re-do is perpetually stuck in development hell. You know, just like any Valve product.

[Tristerin]

1 hour ago, ThePD said:

But I thought Steam Good, Epic games bad!

With Epic (10 cent) we are knowingly allowing ourselves to be monitored at a Admin level. 

[Derangel]

4 hours ago, Dan Castellaneta said:

Welcome to modern Valve, where Team Fortress 2 sits without updates for two months or more, where CS:GO hasn't had an Operation in over two years and the Steam client re-do is perpetually stuck in development hell. You know, just like any Valve product.

Its because Valve doesn't have traditional team orginization or managers or anyone that actually tells employees what to do. I can't find it right now, but there was an article not too long where a reporter for a DOTA-based site got to tour Valve and they had all of five people running the entirety of Steam. Any, or all, of those five people were free to take their desk and go join another team the moment they stopped being interested in working on Steam.

 

4 hours ago, Tristerin said:

With Epic (10 cent) we are knowingly allowing ourselves to be monitored at a Admin level. 

Going to need some proof to back that statement up. As much as people cry "spy program" with EGS there is very little actual data to back it up. And don't give me the "but China" excuse. Tencent has a minority share in Epic, they do not own the company. If Tencent were in charge of everything I'd imagine EGS would actually be a half-way decent application by this point since at least Tencent has people that actually know what they're doing.

[Guest]

6 hours ago, emosun said:

wait a minute.... you're saying valve are a bunch self absorbed buttheads that only care about money?

 

Thats an EPIC statement. 

[Tristerin]

27 minutes ago, Derangel said:

Its because Valve doesn't have traditional team orginization or managers or anyone that actually tells employees what to do. I can't find it right now, but there was an article not too long where a reporter for a DOTA-based site got to tour Valve and they had all of five people running the entirety of Steam. Any, or all, of those five people were free to take their desk and go join another team the moment they stopped being interested in working on Steam.

 

Going to need some proof to back that statement up. As much as people cry "spy program" with EGS there is very little actual data to back it up. And don't give me the "but China" excuse. Tencent has a minority share in Epic, they do not own the company. If Tencent were in charge of everything I'd imagine EGS would actually be a half-way decent application by this point since at least Tencent has people that actually know what they're doing.

They scrape the shit out of my system for information.  You too have the internet, go, research.  People a lot smarter than I watched the web traffic, root scrapes, etc and have all linked the information and its available for you too - if you want to know about it.  

 

But as I already said - Im cool with it cause free games, and secure banking /shrug

[dalekphalm]

1 minute ago, Tristerin said:

They scrape the shit out of my system for information.  You too have the internet, go, research.  People a lot smarter than I watched the web traffic, root scrapes, etc and have all linked the information and its available for you too - if you want to know about it.  

C'mon dude, you should know how this works - no one is asking you to do the packet sniffing or traffic captures yourself. But if you're aware of the situation, you should be able to fairly easily grab a source that did go through the research that confirms what you're saying.

 

You're effectively saying "do your own research". You made a claim, you back it up.

 

For the record, I wouldn't be surprised if you're right. But post a source that confirms it, or else it's just something some guy said on the internet.

 

[Tristerin]

Just now, dalekphalm said:

C'mon dude, you should know how this works - no one is asking you to do the packet sniffing or traffic captures yourself. But if you're aware of the situation, you should be able to fairly easily grab a source that did go through the research that confirms what you're saying.

 

You're effectively saying "do your own research". You made a claim, you back it up.

 

For the record, I wouldn't be surprised if you're right. But post a source that confirms it, or else it's just something some guy said on the internet.

 

Just as easy for them to use Google and the vast wealth of information available to them at their fingertips, Im doing other stuff that are more important to me than debating the logs and hashes from individuals on the internet and trying to convince someone to trust these sources.  Again, all of its out there especially on reddit - and its my conclusion that its a spyware - and I morally don't care would rather have free games

 

 

 

[Tristerin]

@dalekphalm re-read that and it sounds douche - so wanted to explain - Im back and forth afk with limited time and trying to learn Manjaro with the time I have today (and also kill time between downloads on this forum)

[dalekphalm]

1 minute ago, Tristerin said:

Just as easy for them to use Google and the vast wealth of information available to them at their fingertips, Im doing other stuff that are more important to me than debating the logs and hashes from individuals on the internet and trying to convince someone to trust these sources.  Again, all of its out there especially on reddit - and its my conclusion that its a spyware - and I morally don't care would rather have free games

Again if it's all out there on Reddit, you should find the thread and post it as your source. It's not anyone else's job to do your own research for you but your own, or to confirm what you say is correct.

 

And whether you care or not is totally okay and your own choice - each person will have to make their own mind up about whether to trust the software or whether they care about the potential privacy issues.

[dalekphalm]

Just now, Tristerin said:

@dalekphalm re-read that and it sounds douche - so wanted to explain - Im back and forth afk with limited time and trying to learn Manjaro with the time I have today (and also kill time between downloads on this forum)

Oh okay - well, I want to apologize for how my post may come off as well.

 

I get that you're busy, and IRL stuff is frankly more important than LTT. But when you've got some down time, I'm sure we'd all appreciate a link to one of those Reddit posts where someone goes through and shows why the EGS client is spyware.

 

That's definitely good info to know.

[TheKDub]

7 hours ago, ThePD said:

But I thought Steam Good, Epic games bad!

DRM bad!

[WereCatf]

7 hours ago, spartaman64 said:

researcher publishes second steam 0 day, valve doesn't care

Incorrect. Both the vulnerabilities have already been fixed and Valve did address this whole debacle.

 

https://arstechnica.com/information-technology/2019/08/valve-says-turning-away-researcher-reporting-steam-vulnerability-was-a-mistake/

 

EDIT: Oh, I completely missed that others had already posted the same link.

[spartaman64]

35 minutes ago, WereCatf said:

Incorrect. Both the vulnerabilities have already been fixed and Valve did address this whole debacle.

 

https://arstechnica.com/information-technology/2019/08/valve-says-turning-away-researcher-reporting-steam-vulnerability-was-a-mistake/

 

EDIT: Oh, I completely missed that others had already posted the same link.

their fix for the first 0 day was faulty so idk if they revised it or they are still sticking with it and considering it "fixed" and the second one is still untested. also the researcher is still banned so until their fix is tested to make sure they didnt half ass it again and they unban the researcher the statement still stands. ill edit it out when we get confirmation from the researcher saying its resolved to a satisfactory degree. talk is cheap we need proof of action from steam.

 

edit: also why does the national vulnerability database still say that they dispute the significance of the vulnerability

[WereCatf]

1 minute ago, spartaman64 said:

also the researcher is still banned

That's apparently HackerOne's doing, though. At least my understanding is that Valve didn't tell them to ban him. It's a pretty shitty deal, the whole damn thing, and HackerOne ain't making themselves look good at all.

[spartaman64]

Just now, WereCatf said:

That's apparently HackerOne's doing, though. At least my understanding is that Valve didn't tell them to ban him. It's a pretty shitty deal, the whole damn thing, and HackerOne ain't making themselves look good at all.

and they can also tell them to unban him right? they are their customer they can tell them how to run the bug bounty program for steam

[WereCatf]

1 minute ago, spartaman64 said:

and they can also tell them to unban him right? they are their customer they can tell them how to run the bug bounty program for steam

I can't say that I know how much Valve has over banning/unbanning people as a customer since banning/unbanning someone most likely comes from HackerOne's own policies. I mean, Valve is a customer and they make the guidelines on what they want/don't want HackerOne to forward to them, but does Valve have a say in how HackerOne polices their own forums? I doubt it.

[spartaman64]

Just now, WereCatf said:

I can't say that I know how much Valve has over banning/unbanning people as a customer since banning/unbanning someone most likely comes from HackerOne's own policies. I mean, Valve is a customer and they make the guidelines on what they want/don't want HackerOne to forward to them, but does Valve have a say in how HackerOne polices their own forums? I doubt it.

hackerone is running the program for valve and valve is paying them so im pretty sure valve can tell them how to run the program. its like if i pay someone to host a minecraft server for me and i also pay for them to catch and ban cheaters and they ban someone but i tell them its ok the guy is my friend unban him. if they say no ill cancel my subscription and go get another host

[WereCatf]

1 minute ago, spartaman64 said:

hackerone is running the program for valve and valve is paying them so im pretty sure valve can tell them how to run the program. its like if i pay someone to host a minecraft server for me and i also pay for them to catch and ban cheaters and they ban someone but i tell them its ok the guy is my friend unban him. if they say no ill cancel my subscription and go get another host

No, it's not. They banned the researcher from HackerOne's forums, not Valve's forums. Valve isn't paying them to run HackerOne's forums, Valve is paying them to validate reported vulnerabilities. Valve runs Valve's forums, HackerOne runs HackerOne's forums and HackerOne's forums aren't in any way related to Valve -- they're used for all sorts of vulnerabilities in all sorts of products.