
A Remote Code Execution Vulnerability in the Steam Client - lainon
https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client
======
yread
Steam Client is so incredibly bloated - I wish they released a Lite version
without Steam Link, Achievements, Trading cards/Inventory, Browser, Community,
Workshop, Hub, ... It could also update less frequently if it had fewer
features and updates would be faster.

Just the list of games I have and the DRM required to play them.

~~~
nmbr213
> Achievements, Trading cards/Inventory, Browser, Community, Workshop

Doesn't all of that work through the embedded web browser?

~~~
maze-le
I think the embedded browser is where the most bloat is located. Although this
particular vulnerability is not tied to it.

------
zawerf
I just realized I only think about security vulnerabilities for code I deploy,
not software I use. So what are some examples of RCE vulnerabilities that were
actively exploited in consumer software in the past?

Just curious how it would've played out if a blackhat had discovered this
instead.

~~~
lytedev
I think your browser, the various MS Office applications, and Acrobat Reader
are some of the big ones that spring to mind, but there have been quite a few!

------
Something1234
Why do people write their own memory allocators and put them in production
software for modern desktop applications? It's not like you can eke that much
more performance out, and the Steam client is already fairly buggy. Switching
the views is slow, and doesn't always work.

~~~
mastax
Valve is a games company. They probably already had a stable of allocators and
were used to that kind of programming. Also the Windows malloc was much slower
in 2003 IIRC.

~~~
tejasmanohar
I'm guessing it's more this. I can't imagine the Steam app demands that high
performance.

~~~
kbenson
Well, since Steam is in the background during all the games launched from it,
often allows a special video overlay to browse community features while the
game is running, supports chat, has an embedded browser, and can be used as an
operating system overlay so you don't even have to use the OS for most things
(big picture mode, for dedicated use and control with a game controller), I
can imagine they probably want to make sure whatever allocator and reclamation
scheme they are using has very low and predictable latency.

The last thing they want to have to deal with is people reporting how running
the game through steam costs a non-negligible amount of performance, or causes
weird occasional lags/stalls while playing. In that respect, it's an extremely
high performance application, in that it needs to be nigh unnoticeable to the
type of people that overclock systems, push their graphics cards to their
limits, and play games with FPS counters always showing in the corner.

In that respect, it may be a textbook case of an application where you want a
very specific memory allocation scheme that falls within very strict
performance guidelines.

~~~
Something1234
It already has a large number of performance issues. The store is slow to
open, and it's slow to switch to my library. Even slower to view my inventory.

------
fowl2
They also* change the ACLs on their executable directory to world writeable,
despite having a system service.

I say despite because:
a. With a system service you wouldn't need to change the ACLs
b. now everyone has a system service, yay!

* well, I haven't checked this week
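A defender's check for the ACL point raised above, added here as an example; it is not from the thread or from Steam's own tooling. It reports ACEs on a directory that grant write-class rights to broad principals, which is the condition that lets any local user replace binaries a system service later runs. The directory path is an assumption (Steam's default install location) and can be overridden.

```powershell
# Added example: flag broad write access on an application's executable directory.
# The default path is an assumption (Steam's default install location).
param(
    [string]$Path = 'C:\Program Files (x86)\Steam'
)

# Principals that effectively mean "any local user".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a low-privilege user drop or replace files in the directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

$acl = Get-Acl -Path $Path
$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries widen access; Deny entries narrow it.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
    # Keep entries whose rights overlap the write mask.
    if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
    [pscustomobject]@{
        Path      = $Path
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
    }
}

if ($findings) {
    Write-Warning "Broad write access on $Path; binaries here can be replaced by any local user, which matters when a system service runs from this directory."
    $findings | Format-Table -AutoSize
} else {
    "No broad write access found on $Path"
}
```

Run it as an administrator against the installed path; the expected hardened state is no output rows, with write rights held only by Administrators and SYSTEM.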

------
munin
I remember reading that Valve is all self-organized and perf/bonuses are based
on shipping. In that environment, is there any incentive for an IC to own
something like software assurance / quality / fuzzing?

------
pro_zac
"The video below demonstrates an attacker remotely launching the Windows
calculator app on a fully patched version of Windows 10." So devious!

~~~
viraptor
Launching the calculator is basically a "hello world" of exploitation. It
proves there's an issue in an obvious way and became a bit of a meme in
security.

