huh can you explain that in english for us noobs

basically, everything in windows has "permissions" - ie what people can do.

If set up correctly there are NORMAL users, ADMINS and the COMPUTER
normal users are called "users"
Admins are "administrators"
the computer is "System"

In a correctly set computer (eg one in a big enterprise) most people only ever get user rights. theres possibly 10 or so people in a fleet of 50,000 devices that would have administrator rights.
System is reserved for jsut the computer.
(there is finer control beyond that).

Now what that means is taht anything that is run by a user is run as a "user" account, which should allow them to run all their applications, their vr games and get to the magical land of the interwebs.

Anything that can possibly screw things up (install of new software, drivers, allow a virus or trojan or some attack to comprimise the system) needs an Administrator or System.

So a good system will have things in place to make sure nobody gets around that.

The thing with steam is, to avoid all those annoying UAC "are you an admin" prompt they've gone and dropped the security for secure part of the systems, allowing USERS to breach that wall and run stuff as system. More importantly, you goto a webpage, get some safe app or word document on your pc, and run it and then it takes over your PC as an entry way.



A few things to keep in mind are:
Most home PCs are setup crap. One user account (or maybe a couple) who all have admin rights
A way to test this is to do:
Start -> Run -> cmd (right click, run as administrator)
It SHOULD popup a UAC prompt (if it does not, it fails badly)
It should ALSO ask you for a password and user name, if it does not. fail

So if you are setup like this, you were pretty much screwed anyways. If you didn't even get that UAC prompt then your system is already way way worse than the steam vulnerability :) or pretty much any vulnerability that gets published.

For healthy devices (which should include all large businesses) the permission issue where you can create a symbolic link or replace files is bad. It can be locked down and there is software that monitors dodgy behaviour as well out there (Microsoft ATP, FireEye, McAffee ATP, CrowdStrike, Sophos UTM) which will stop/shut these attacks down, but generally the root cause should be fixed.

As for what a symbolic link is, it's basically like a shortcut, except the system will generally see it as a real file.
Or a portal, or like a rebadged car. You look at file or regkey that says "Chevrolet SS or Pontiac G8" but secretly, it's pointing at "friendly Holden family car" underneath.

Most users of steam will be home users, and many (especially anybody who is not on Windows 10 x64 - and I hope nobody is on XP) won't be secure as they run as administrator rights, but some enterprises and educational institutions use Steam as it makes managing SteamVR easier (eg HTC Vive/VivePro and Index)

There are work arounds by reconfiguring the service and just changing the permissinos manually on the folders, but Valve appears to be doing that so it'll probably get fixed soon. hopefully before I get back to work tomorrow.

I still think this exploit is overhyped as media are always scrounging after "bad news is making clicks and money".

As Veldrik very eloquently said, this all is more or less a moot point because most people use the default user on their Windows installs and this one already has admin privileges and many people do install Steam in the default "C:\Program Files (x86)\Steam" location, which is per default a protected folder and problematic for games which most of them expect their own application folder be writable. This is also the reason why Valve made these permission changes.

Therefore it is a bit silly to cry Sodom and Gomorrah if the logged in user mostly already has administrative privileges in most cases.

This all wouldn't be an issue if Microsoft would make the normal user account a standard user and - for good measure - crank up the UAC up to the max. The latter was originally so, but many people saw that as an insult whenever this came up....

autor says it's still not fixed. vulnerable files doesn't changed.
so, somebody lies to us again?)

{リンクが削除されました}https://habr.com/ru/company/pm/blog/462479/

@Tristis:
You know, this is really a moot point to fix, if you are already have admin privileges on your account which I guess about 90% of the Windows users are because they did not care to make a proper user account for themselves.

@Tristis Oris
Thats correct. You can always symlink something aslong as a) the target/source exist and b) you have permissions.
The steam bug is driven by permissions, and those permissions are currently incorrect. Until they change the hklm path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam to have user set to read Read=Allow;Full Control=Deny, the symlink will exist.
The other vulnerability (similar problem, different CVE) is that Steam folder also has incorrect permissions (default: C:\Program Files (x86)\Steam)

@shakeyourbunny
Regarding shakeyourbunny"'s comment, his comment is spot on (in that it makes the bug irrelevant to most people as they are already in a worse state):
"This all wouldn't be an issue if Microsoft would make the normal user account a standard user and - for good measure - crank up the UAC up to the max. The latter was originally so, but many people saw that as an insult whenever this came up...."

The vulnerability really only exists for people who have "secure" devices.

i don't care about this vulnerability, but the statements diverge from the actual facts.

They do. Two of the updates (beta client though) state the same thing that they fixed it, but it's still there. It's only beta though and it's not an easy fix as it changes functionality.

They could just make new installs default per user (license of games is per user account anyways) and put it in %appdata% and HKCU.

Maybe it would be %USERPROFILE%\.steam better, as such in Linux it's exactly stored there.

Only downside is that some sort of enforced migration is necessary if it was installed under %PROGRAMFILES%, though this would just be a single move command (and fast).

Explanation why moving from %PROGRAMFILES% to %USERPROFILE%\.steam (dot steam..) or %APPDATA(LOCAL)% would be fast: usually the user profile is stored on the system drive as well as the program folder. So, if you are moving something, you do not really copy and remove the contents of the folder(s) or file(s), the operating system just removes the pointer to the Steam directory and creates a new folder in the users' folder which is pointing to the old data.

Main downsides of this scenario with the current state of the steam client:
- all downloaded games must be redownloaded for every user on the system. This may fill up the hard drive quickly.
- only one user can launch Steam, because the configuration of the client (and the application files including service executables) are pointing in the user's home directory.

If you wanna support multiple users with the steam client, you will have to get rid of the Steam Service.