Steam vulnerable to malicious code

[KCB]

http://arstechnica.com/security/2012/10/steam-vulnerability-can-lead-to-remote-insertion-of-malicious-code/

[Dimensional Traveler]

On 10/22/2012 4:55 PM, KCB wrote:
> http://arstechnica.com/security/2012/10/steam-vulnerability-can-lead-to-remote-insertion-of-malicious-code/
>
This is supposed to be news?

--
The 'Enterprise' crew in the 2009 Star Trek are adrenaline addicted,
hyper-active teenagers with ADD whose Ritalin got replaced with
methamphetamine, displaying a level of discipline that a Somali pirate
wouldn't tolerate.

[KCB]

"Dimensional Traveler" <dtr...@sonic.net> wrote in message
news:5085ea94$0$71160$742e...@news.sonic.net...

> On 10/22/2012 4:55 PM, KCB wrote:
>> http://arstechnica.com/security/2012/10/steam-vulnerability-can-lead-to-remote-insertion-of-malicious-code/
>>
> This is supposed to be news?

Sorry, has this been posted already? I know the article is five days old,
but I just read it today, and with the number of Steam users in the groups,
it seems pertinent.

[Mike S.]

On Mon, 22 Oct 2012 17:53:32 -0700, Dimensional Traveler
<dtr...@sonic.net> wrote:

>On 10/22/2012 4:55 PM, KCB wrote:
>> http://arstechnica.com/security/2012/10/steam-vulnerability-can-lead-to-remote-insertion-of-malicious-code/
>>
>This is supposed to be news?

I agree. One of the magazines lists software *every* month with
security vulnerabilities. From what I read there, I would be more
concerned with my web browser then anything related to Steam.

[Ross Ridge]

Mike S. <Mik...@nowhere.com> wrote:
>I agree. One of the magazines lists software *every* month with
>security vulnerabilities. From what I read there, I would be more
>concerned with my web browser then anything related to Steam.

The problem is that the reported Steam vulnerablilities are big wide
open holes that are relatively easy to find and exploit. All the easy
exploits in browsers have been fixed long ago. I periodically go through
all the individual updates made by Windows Update and I find that for
most of the vulnerabilities reported and fixed, my PC was never actually
vulnerable to. Even in cases where my PC was theoretically vulnerable,
virtually all of them would require I do something that I've never
actually done on my PC.

Add in the lack of concern over security the average PC user has for
Steam, and it could easily become a major vector for the next big botnet.

Ross Ridge

--
l/ // Ross Ridge -- The Great HTMU
[oo][oo] rri...@csclub.uwaterloo.ca
-()-/()/ http://www.csclub.uwaterloo.ca/~rridge/
db //

[!@#$%&*(The Shyftyng Nym)*&%$#@!]

On 10/23/2012 12:24 PM, Ross Ridge wrote:

> Add in the lack of concern over security the average PC user has for
> Steam, and it could easily become a major vector for the next big botnet.
>
> Ross Ridge

When did you conduct your survey to find out how concerned the average
PC user is over Steam security? How many people were in your study? Is
Steam rushing to issue a fix?

//
--
Did I kill?
Some of your people, Mirneaux?
Did I kill? Did I kill?
I can't remember.

[Mike S.]

On Tue, 23 Oct 2012 14:24:29 -0400, Ross Ridge
<rri...@csclub.uwaterloo.ca> wrote:

>The problem is that the reported Steam vulnerablilities are big wide
>open holes that are relatively easy to find and exploit.

Good then. It shouldn't take long for someone to exploit those big
wide open holes. Then we might get something truly interesting to
read.

[Andrew Rybenkov]

On Wed, 24 Oct 2012 02:49:37 +0400, Zaghadka <zagh...@hotmail.com> wrote:

> Did I just bungle my install somehow?

Yup. By installing Steam in C:\Program Files ;)

(I have installed it in its own separate folder on a non-system partition.
And yes, it let anyone to access its folder.)

--
Andrew Rybenkov

There are trash, there are junk, and there are Bioware

Furthermore I think Bioware must be destroyed.

[Dimensional Traveler]

My comment was more along the lines of how could anyone have ever
thought it _wasn't_ a big security risk for the user. The only news is
that its taken this long for anyone, in this case arstechnica, to report
it as news.

[Ross Ridge]

Ross Ridge <rri...@csclub.uwaterloo.ca> wrote:
>The problem is that the reported Steam vulnerablilities are big wide
>open holes that are relatively easy to find and exploit.

Mike S. <Mik...@nowhere.com> wrote:
>Good then. It shouldn't take long for someone to exploit those big
>wide open holes. Then we might get something truly interesting to
>read.

Most of those vulnerabilities you read about in your magazine every
month haven't yet been exploited either. Why are you wasting your time
reading about all these security holes that you can't possibily think
are interesting?

Last month a Java vulnerability that potentially affected a billion
computer users was a big news story despite that fact it hadn't yet
been turned into an exploit. While these Steam vulnerabilities don't
affect as many people overall, there's probably as much or more people
reading this newsgroup with the Steam client installed on their computer
than have Java installed. If the Java vulnerability was big enough
news for mainstream media outlets to mention it, then I think Steam's
vulnerabilities are big enough news to get mentioned here.

[Mike S.]

On Wed, 24 Oct 2012 16:53:40 -0400, Ross Ridge
<rri...@csclub.uwaterloo.ca> wrote:

>Most of those vulnerabilities you read about in your magazine every
>month haven't yet been exploited either. Why are you wasting your time
>reading about all these security holes that you can't possibily think
>are interesting?

Habit. I always read it. The whole article takes about 1/3 of the page
if even that. I'm at work. What else am I going to read? Usenet posts?
There aren't enough of those between all the gaming groups put
together.

>Last month a Java vulnerability that potentially affected a billion
>computer users was a big news story despite that fact it hadn't yet
>been turned into an exploit. While these Steam vulnerabilities don't
>affect as many people overall, there's probably as much or more people
>reading this newsgroup with the Steam client installed on their computer
>than have Java installed. If the Java vulnerability was big enough
>news for mainstream media outlets to mention it, then I think Steam's
>vulnerabilities are big enough news to get mentioned here.

I still don't think its newsworthy. I also don't give a flying fig
what mainstream media thinks.Just another vulnerability in just
another piece of software. Big freaking deal. YMMV. Let's leave it at
that.

[Ross Ridge]

Ross Ridge <rri...@csclub.uwaterloo.ca> wrote:
>Most of those vulnerabilities you read about in your magazine every
>month haven't yet been exploited either. Why are you wasting your time
>reading about all these security holes that you can't possibily think
>are interesting?

Mike S. <Mik...@nowhere.com> wrote:
>Habit. I always read it. The whole article takes about 1/3 of the page
>if even that. I'm at work. What else am I going to read? Usenet posts?

I dunno, something that you actually find interesting and newsworthy,
maybe? If neither that magazine nor Usenet have anything other
alternatives worth your attention there's whole Internet full of stuff
to read that you might find interesting.

>I still don't think its newsworthy. I also don't give a flying fig
>what mainstream media thinks.Just another vulnerability in just
>another piece of software. Big freaking deal. YMMV. Let's leave it at
>that.

No, sorry. You can't complain about what the media finds newsworthy and
then say you don't care what they think. You can't rebuke someone for
making a post you don't think is newsworthy and then say "YMMV" like
you were only expressing your opinion. If you want to bury your head
in the ground, no one is going to stop you, but no one has to assume
before posting here that everyone wants to be as ignorant as you.

[Jonathan Ellis]

"Ross Ridge" <rri...@csclub.uwaterloo.ca> wrote in message
news:k69q6d$jnt$1...@rumours.uwaterloo.ca...

Personally I wonder how many of these security scares about things that
haven't been exploited yet, are in fact traps?

"Let's publicise this one, keep close tabs on anything that takes the
hint and tries to exploit it, follow it back to source... GOTCHA!" And
down goes another gang of malware writers...

-- Jonathan.

[Mike S.]

On Wed, 24 Oct 2012 18:30:37 -0400, Ross Ridge
<rri...@csclub.uwaterloo.ca> wrote:

>I dunno, something that you actually find interesting and newsworthy,
>maybe? If neither that magazine nor Usenet have anything other
>alternatives worth your attention there's whole Internet full of stuff
>to read that you might find interesting.

Oh I do that as well. My home page at work is google for a reason :-P

>No, sorry. You can't complain about what the media finds newsworthy and
>then say you don't care what they think. You can't rebuke someone for
>making a post you don't think is newsworthy and then say "YMMV" like
>you were only expressing your opinion.

???

My opinion is that the content of this article is of the 'well, duh'
variety. I understand that some will treat this more seriously then I
do though. YMMV.

>If you want to bury your head
>in the ground, no one is going to stop you, but no one has to assume
>before posting here that everyone wants to be as ignorant as you.
>
> Ross Ridge

I understand enough to not need an article like this to know that a
piece of software on my machine, *especially* one tied to an account
with personal info, might just be vulnerable to attack. I just assume
the worst in all cases, and do what I can on my end to secure my PC.

[Ross Ridge]

Mike S. <Mik...@nowhere.com> wrote:
>My opinion is that the content of this article is of the 'well, duh'
>variety. I understand that some will treat this more seriously then I
>do though. YMMV.

By saying it's not news, that it isn't newsworthy, you're not just
stating you personally find it uninteresting, you're saying the original
article shouldn't been published and the original poster shouldn't have
mentioned it here. You were arguing that it wasnt serious enough to be
of interest to anyone here. You can't now say "YMMV" like you thought
it was a matter of personal preference all along.

[Rin Stowleigh]

On Wed, 24 Oct 2012 22:27:41 -0400, Mike S. <Mik...@nowhere.com>
wrote:

Mike, don't waste your time with Ross, he's a netkook.

Anyone is free to say whatever the hell they want, including following
up with YMMV if that's what they want to say.

Ross has delusions of net enforcement, tell him to fuck straight off.

[Mike S.]

On Thu, 25 Oct 2012 12:43:04 -0400, Ross Ridge
<rri...@csclub.uwaterloo.ca> wrote:

>By saying it's not news, that it isn't newsworthy, you're not just
>stating you personally find it uninteresting, you're saying the original
>article shouldn't been published and the original poster shouldn't have
>mentioned it here.

My comment definitely means that I find it uninteresting. The rest you
inferred incorrectly. The media can publish whatever they want. The
original poster can *certainly* post whatever he wants. My comments
were directed at the content of the article, not at what the poster
should or should not post. I'd like to think I'm not a netcop. :)

I'm glad we cleared that up.

>You were arguing that it wasnt serious enough to be
>of interest to anyone here. You can't now say "YMMV" like you thought
>it was a matter of personal preference all along.
>
> Ross Ridge

I did? How the hell can I make an argument that something isn't of
interest to someone else? How do you go about doing that exactly?

*I* don't find it of interest. Me. Myself. I. Mike S. I'm sorry you
think otherwise, but it was personal preference all along. The YMMV
was added for your benefit and yours alone you dope.

Glad to clear that up as well.

[Mike S.]

On Thu, 25 Oct 2012 13:26:59 -0400, Rin Stowleigh
<rstow...@gmail.com> wrote:

>Mike, don't waste your time with Ross, he's a netkook.

Thanks for the tip but I already decided that my last post to him in
this thread would be my last.

[Ross Ridge]

Jonathan Ellis <jle3...@gmail.com> wrote:
>Personally I wonder how many of these security scares about things that
>haven't been exploited yet, are in fact traps?
>
>"Let's publicise this one, keep close tabs on anything that takes the
>hint and tries to exploit it, follow it back to source... GOTCHA!" And
>down goes another gang of malware writers...

To a certain extent this is always going on. They set up honeypots to
catch new exploits and track them back their control servers, if not
the actual people behind them.

There was a more obvious ulterior motive in this case however.
The company that announced the vulnerabilities is new and was also
seeking to promote themselves.

[Ross Ridge]

Ross Ridge <rri...@csclub.uwaterloo.ca> wrote:
>By saying it's not news, that it isn't newsworthy, you're not just
>stating you personally find it uninteresting, you're saying the original
>article shouldn't been published and the original poster shouldn't have
>mentioned it here.

Mike S. <Mik...@nowhere.com> wrote:
>My comment definitely means that I find it uninteresting. The rest you
>inferred incorrectly. The media can publish whatever they want. The
>original poster can *certainly* post whatever he wants. My comments
>were directed at the content of the article, not at what the poster
>should or should not post. I'd like to think I'm not a netcop. :)

You may like to think you're a netcop, but your sarcastic and
condensending posts in this thread are not those of someone mearly trying
to express his personal opinion. You were objecting the fact that that
original poster considered this news.

>*I* don't find it of interest. Me. Myself. I. Mike S. I'm sorry you
>think otherwise, but it was personal preference all along. The YMMV
>was added for your benefit and yours alone you dope.

Unfortunately this isn't true. What you actually said is this:

Good then. It shouldn't take long for someone to exploit those
big wide open holes. Then we might get something truly interesting
to read.

You said "we" not "I". You were arguing that it wasn't news because
it wasn't of interest to anyone. You weren't arrogant enough to argue
that it wasn't newsworthy because you alone didn't find it interesting.

Do yourself a favour and don't follow Rin's example and getting in the
habit of lying about what you've posted previously. You're just not
as good as him at it. Rin would've never have been caught in such an
obvious and blatent lie.

[Ross Ridge]

Zaghadka <zagh...@hotmail.com> wrote:
>I noted that, in my install, Steam's installer immediately busted the ACL
>for the Program Files (x86) directory in Win 7 and added the "Users"
>group full control over the directory. So any executable in Steam is
>subject to being overwritten with a virus *without* privilege escalation.

Privilege escalation isn't all that important to malware writers.
What they want to do is build a botnet that can make them money by
attacking servers on the Internet, and they don't special privileges to
do that. Privilege escalation can allow malicious code to hide itself
and make it difficult to remove, but these guys are largly relying on
people being amblivilent to malware on their machines.

>Given this discussion, I have to ask, did something go awry with my
>install, or is it really Steam's install policy to break the Program
>Files standard ACL for the Steam root directory?

Sorry, I don't know. I don't install Steam there. I used to have it
installed on a exFAT paritition that doesn't even support ACLs.

>I wasn't happy about it, to be sure. Has anyone tried removing the
>"Users" full access (switch it to the standard ACL) from the Steam root
>directory?

I think this is done for two reasons. One is that it's done so that
Steam can update itself and its databases regardless of the user who's
using it, and because a lot of old games expect to be able to write
all sort of things to their install directories. While Windows tries
to provide backwards compatibily for applications installed to Program
Files by redirecting the written files to another directory, I wouldn't
be suprised if Valve has found that this doesn't always work.

It's not too hard to reinstall Steam. Just move or copy the steamapps
directory somewhere else and then put it back after you reinstall Steam.
(If you want more detail instructions I've got 3 or 4 varations on how
do this provided by Steam support when I tried to report a bug.)

You might be better off installing Steam somewhere if you do this.
If I recall correcly, certain applications like keyboard macros, and thus
keyloggers, need to be installed in Program Files, so you'd probably be a
tiny bit safer with it installed somewhere else. It would also probably
cause less problems if you want to muck about with the permissions of
the Steam directory.

[Mike S.]

On Thu, 25 Oct 2012 15:45:35 -0400, Ross Ridge
<rri...@csclub.uwaterloo.ca> wrote:

>You said "we" not "I". You were arguing that it wasn't news because
>it wasn't of interest to anyone. You weren't arrogant enough to argue
>that it wasn't newsworthy because you alone didn't find it interesting.

Well I guess you caught me red handed then. I said we when I should
have said I. My master plan to convert everyone to my way of thinking
is exposed. I'm guilty as sin.

>Do yourself a favour and don't follow Rin's example and getting in the
>habit of lying about what you've posted previously. You're just not
>as good as him at it. Rin would've never have been caught in such an
>obvious and blatent lie.

I've had a disagreement or two with Rin, but I'm inclined to agree
with him here. I really should have just told you to fuck off.

This is truly my very last post to you. Not just in this thread, but
forever. You are now killfiled. Goodbye.

[Ross Ridge]

Ross Ridge <rri...@csclub.uwaterloo.ca> wrote:
>Do yourself a favour and don't follow Rin's example and getting in the
>habit of lying about what you've posted previously. You're just not
>as good as him at it. Rin would've never have been caught in such an
>obvious and blatent lie.

Mike S. <Mik...@nowhere.com> wrote:
> I've had a disagreement or two with Rin, but I'm inclined to agree
>with him here. I really should have just told you to fuck off.
>
>This is truly my very last post to you. Not just in this thread, but
>forever. You are now killfiled. Goodbye.

Yah, that's something else Rin likes to do I can only hope that unlike
Rin you're not lying about this too.

[Rin Stowleigh]

On Thu, 25 Oct 2012 18:45:43 -0400, Ross Ridge
<rri...@csclub.uwaterloo.ca> wrote:

>Ross Ridge <rri...@csclub.uwaterloo.ca> wrote:
>>Do yourself a favour and don't follow Rin's example and getting in the
>>habit of lying about what you've posted previously. You're just not
>>as good as him at it. Rin would've never have been caught in such an
>>obvious and blatent lie.
>
>Mike S. <Mik...@nowhere.com> wrote:
>> I've had a disagreement or two with Rin, but I'm inclined to agree
>>with him here. I really should have just told you to fuck off.
>>
>>This is truly my very last post to you. Not just in this thread, but
>>forever. You are now killfiled. Goodbye.
>
>Yah, that's something else Rin likes to do I can only hope that unlike
>Rin you're not lying about this too.

I've never lied about killfiling anyone. You haven't been killfiled
yet because of lack of intentional douchebaggery and I've never even
needed to warn you for that. This is the scenario that usually leads
to killfiling, and I almost always warn the person first.

There is a lesser form of shitcanning I use that is a sort of "virtual
killfiling", where I just stop reading the perp's post, but leave them
unkill-filed for one reason or another (usually because they often
chat with others who I'd still like to read their posts and they will
just end up getting quoted a lot anyway), then if they continue to
annoy I go ahead and full-on killfile them.

As I said, you've not yet qualified for either. You're a kook but you
have not yet been enough of an offender to qualify. As I said a few
weeks back, I do accept volunteers and anytime you'd LIKE to be
shitcanned, there is always room for more fecal matter, you just need
to volunteer.

When I told you that before, you did not reply so I assumed you're not
yet mentally prepared to be sentenced to a life in the sewers.

If that has changed, please do let me know. I'm a big fan of making
my life more effecient by putting turds where they belong.

[David Lamb]

On 26/10/2012 7:15 AM, Rin Stowleigh wrote:
> As I said a few
> weeks back, I do accept volunteers and anytime you'd LIKE to be
> shitcanned, there is always room for more fecal matter, you just need
> to volunteer.

Now THAT's an intersting notion. Instead of "Rin doesn't want to read
somebody's posts" you also support "somebody doesn't want Rin to read
his/her posts."

[Rin Stowleigh]

On Fri, 26 Oct 2012 09:01:42 -0400, David Lamb <dal...@cs.queensu.ca>
wrote:

An ancilliary benefit, not something I directly support, but the net
effect is the same :)

[unibalm]

On Fri, 26 Oct 2012 09:01:42 -0400, David Lamb <dal...@cs.queensu.ca>
wrote:

Rin likes to get the last word in, thinking that means she wins. My
first discussion with her, since I didn't agree with some absurdity
she was spouting she got abusive and I started responding "zzzzz", to
which I got increasingly frantic and insane replies. She quickly
expended her entire vocabulary - demonstrating that she's a
coprophiliac with associated identity problems. Maybe I should've
been a bit sympathetic, but it was fun. OK, maybe "fun" is the wrong
word. It was a kind of thing like a typical 7 yr old sadistical kid
salting a slug.

On the other hand, my only crime was re-re-posting "zzzzz".

Rin never forgave me. Not even close. So after saying she
"shitcanned" and "killfiled" me too many times to count, I started
laughing at how she responded to every post. That's when she invented
the "virtual killfile" concept to explain it, a bit like "square
circle" but wierder.

Oh yah - and Rin totally sux at internet stalking.

[Tim O]

On Fri, 26 Oct 2012 18:58:14 -0700, unibalm <uni...@csipga.zzzz>
wrote:

>Rin likes to get the last word in, thinking that means she wins. My
>first discussion with her, since I didn't agree with some absurdity
>she was spouting she got abusive and I started responding "zzzzz", to
>which I got increasingly frantic and insane replies. She quickly
>expended her entire vocabulary - demonstrating that she's a
>coprophiliac with associated identity problems. Maybe I should've
>been a bit sympathetic, but it was fun. OK, maybe "fun" is the wrong
>word. It was a kind of thing like a typical 7 yr old sadistical kid
>salting a slug.
>
>On the other hand, my only crime was re-re-posting "zzzzz".
>
>Rin never forgave me. Not even close. So after saying she
>"shitcanned" and "killfiled" me too many times to count, I started
>laughing at how she responded to every post. That's when she invented
>the "virtual killfile" concept to explain it, a bit like "square
>circle" but wierder.
>
>Oh yah - and Rin totally sux at internet stalking.

Rin insisted for days that I was a bald guy with glasses based on some
random google image of a person reflected in an arcade game bezel (I
collect old arcade games). That fact that he found that guy with bad
eyes also seemed to convince him that he won the argument, because
there is no way that a bald person with glasses could ever be smart
enough to have a valid opinion... Poor Stephen Hawking would be
devastated.

He wanted to get to me so bad he then started trying to find info on
my kids. If that isn't the mark of an asshole of the highest order, I
don't know what is.

My suggestion is to just ignore him, even game related posts, because
even most legit threads wind up in a 150 post Road To Nowhere.

[Rin Stowleigh]

On Sat, 27 Oct 2012 07:53:36 -0400, Tim O <timo56...@hotmail.com>
wrote:

Is that unitard guy still here? I think you're the only one that ever
responds to him so for the most part I don't have to see that
particular variant of fecal matter spatter on the walls. Maybe I will
just killfile you as well so I don't have to deal with it.

The "random image" I saw was you, which you exposed accidentally when
you uploaded a video to youtube of your home arcade. Are you now
trying to claim that you do not own the domain vortexarcade.com as
well as the youtube account by the same name?

Also if you didn't want people to know where you live and that you
have a daughter, perhaps you should think twice about posting that
information publically on the Internet?

Oh, and the fact that you not only look dorky but are also an idiot
are purely an unfortunate coincidence. I never drew a correlation
between bald guys with glasses and stupidy, just a correlation with
you and both.

[JAB]

lol .. Rin's now doing his, I'll reply to someone who I said I'm not
going to reply to so I can reply to another person I said I'm not going
to reply to.

[JAB]

> The "random image" I saw was you, which you exposed accidentally when
> you uploaded a video to youtube of your home arcade. Are you now
> trying to claim that you do not own the domain vortexarcade.com as
> well as the youtube account by the same name?
>

You're basically a bit of a fucked up little stalker aren't you Rin.
What sort of arsehole does what you have done - well you obviously.

> Also if you didn't want people to know where you live and that you
> have a daughter, perhaps you should think twice about posting that
> information publically on the Internet?
>

See above ...

[Tim O]

It wasn't me dude. I'd post my pic as proof, but I actually don't want
you knowing anything else about me and my family.

The fact that you took it to such an crazy personal level because I
tore you up over and over in arguments should be all the proof people
need to ignore you.

You went full-on mental over video game arguments and aren't even
ashamed of yourself.

[Rin Stowleigh]

On Sat, 27 Oct 2012 12:57:41 -0400, Tim O <timo56...@hotmail.com>

Honestly anyone that looks like you do owes it to society to stay
hidden as much as possible, so keep doin' what you're doin'.

>The fact that you took it to such an crazy personal level because I
>tore you up over and over in arguments should be all the proof people
>need to ignore you.
>
>You went full-on mental over video game arguments and aren't even
>ashamed of yourself.

Heheh.. your delusions of victory and and also the mental comments
always amuse me the most.

Have you added yourself to your highscore board lately so that you can
spend more time looking at it and impressing yourself? Double up on
the prozac or whatever they've got you on these days and the scores
will seem even more impressive I'm sure. As an added bonus your
feeling of intellectual superiority will be enhanced.

[Lord Infomouse]

On 10/24/2012 2:53 PM, Ross Ridge wrote:
> Ross Ridge <rri...@csclub.uwaterloo.ca> wrote:
>> The problem is that the reported Steam vulnerablilities are big wide
>> open holes that are relatively easy to find and exploit.
>
> Mike S. <Mik...@nowhere.com> wrote:
>> Good then. It shouldn't take long for someone to exploit those big
>> wide open holes. Then we might get something truly interesting to
>> read.
>
> Most of those vulnerabilities you read about in your magazine every
> month haven't yet been exploited either. Why are you wasting your time
> reading about all these security holes that you can't possibily think
> are interesting?
>
> Last month a Java vulnerability that potentially affected a billion
> computer users was a big news story despite that fact it hadn't yet
> been turned into an exploit. While these Steam vulnerabilities don't
> affect as many people overall, there's probably as much or more people
> reading this newsgroup with the Steam client installed on their computer
> than have Java installed. If the Java vulnerability was big enough
> news for mainstream media outlets to mention it, then I think Steam's
> vulnerabilities are big enough news to get mentioned here.
>
> Ross Ridge
>

I think there should be some kind of standard defined which portrays how
easy a vulnerability is to exploit. We get numerous tales of
vulnerabilities, but I bet half of them are so obscure that it would
require months of work to exploit them. That could be the standard, how
many months it would take a five man team to write a meaningful exploit.

--

[Rin Stowleigh]

Identifying low-hanging fruit (telling everyone which ones are easier
to exploit) would, in itself be a security issue.

"You cannot go against nature, because when you do go against nature,
that's part of nature too".