Prez wrote on Oct 17, 2012, 21:40: I'm not a fan of EA at all, but I hate the hypocrisy and blind bias I see around here and on other PC game forums. That is why I defended EA over its recent giveaway of free games. It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous. EA even posted a notice on the previous survey link that new coupon codes would be sent out to those that didn't get one for the previous survey because it had to be closed. Now, that's good customer service for any company including EA.
Well it's no secret he's not a fan of Steam (but a big fan of Amazon and EA) that doesn't necessarily make him wrong.
He has to attack the messenger because he doesn't like the message and can't handle the truth.
Sepharo wrote on Oct 17, 2012, 21:09: Well Chrome has a "remember my choice" box on that launch dialog box, so if you ever press "yes" and click the box, you won't be prompted again for Steam URLs. Other browsers probably do too. So if you go to the Steam website, install a game or demo using the Steam URL link when prompted, and click the box, you could be exploited later without knowing it because there would be no prompt. That is why relying on a prompt is not a real fix for this type of problem. It's good advice, but not foolproof.
I would hope that anyone here receiving a message about a website wanting to launch Steam would click No, especially if that wasn't their intent when clicking the link.
pacbowl wrote on Oct 17, 2012, 20:51: Anything that will block the browser from running/handling "steam://" will stop this attack vector. It won't fix the exploits in Steam or the games, but it will keep the browser from being used as a means to deliver an attack.
How about running No Script? It blocks auto-redirects too.
Sepharo wrote on Oct 17, 2012, 20:43: At the default settings other browsers will warn to various degrees of specificity. The problems are that not everyone uses the default security settings, and second, users tend to click yes on popups because if they don't, things don't work.
Only on Safari.
Mashiki Amiketo wrote on Oct 17, 2012, 20:30: No, it isn't. You simply don't understand what you read.
That's two completely different things than what you've said in the last 4 posts.
A page running something is not the URL itself being a script.
No kidding, nor did I say it was. With redirection the browser will automatically execute/go to Steam URL, which will automatically run Steam, which will automatically run/handle the URL to execute the attack. PC owned shortly thereafter. Learn to read.
And yes you're fearmongering, when there is a solution right there.
I am not fear mongering when this is a very real fear of exploit since the exploit works and it is public. Second, that solution is one which I already mentioned below, but it isn't permanent unless Valve removes the functionality from Steam because Steam automatically restores itself when it is run if a part is deleted, etc.
hb3d wrote on Oct 17, 2012, 19:41: It's not fear mongering. It is the truth. This exploit can allow remote code execution, and since it can, there is virtually no limit to what it can do.
Glad to see you're good on the fear mongering 101 though.
Steam URLs aren't scripted.
They can be. A website can script the URLs to execute in the browser without clicking on anything, i.e. redirection.
Even someone from h-online figured that one out. "disabling the steam:// handler will disable or severely limit this vulnerability."
I said the same thing below. The problem is that Steam will restore that functionality when it launches or automatically updates.
Prez wrote on Oct 17, 2012, 19:58: If you can prevent the entire Steam client from running using something like that, then yes, that would mitigate your exposure. But, so long as Steam is running you are vulnerable.
Dammit! What if I blocked the Steam service in a program like Process Explorer until I'm ready to use it?
Prez wrote on Oct 17, 2012, 19:51: That won't help because the browser will launch Steam to execute these URLs if it is not already running. That is the whole idea of having these Steam-specific URLs in the first place.
I'll do the next best thing and turn the client off until I actually am going to use it. Normally I leave it running as long as my PC is on. I already use Chrome as my browser.
In order to make this exploit work, you need to be able to cause something to create the file, in order to be able to execute it.
As I wrote before, if a Source engine game is installed, it can be made to do that with this exploit.
If you don't know what's installed, you have no attack vector.
You simply guess. Sure it won't affect people who don't have a Source game installed, but so many Steam users do, and so many use the default location for Steam that it isn't hard to find a vulnerable target. It was the exact same thing with the Uplay exploit. The specified path to the executable to run in that exploit was simply a guess on the target's directory structure and installed programs. Windows also still has a %path% variable that will execute anything in that path without knowing the full path.
Even their unreal engine exploit requires a upk file to exist already, in order to cause it to crash (integer overflow).
It already exists in the Sanctum game. That is why they chose that game over the dozens of other Unreal engine games on Steam.
But in the latter case, you need to know "what" you're running into to make it do something.
As I wrote before, you simply guess and target the most likely spots. Hackers have been doing that forever, and guess what? It works.
Mashiki Amiketo wrote on Oct 17, 2012, 18:49: That is NOT worst case. The exploits show hackers could execute anything on your PC with this exploit. That source engine exploit will run anything specified in the batch file at startup. So, delete all your files, steal your account credentials, etc. Once you can remotely execute code as you can here, the sky is really the limit.
Worst case? Remote code execution with them being able to traverse directories.
Just don't click on any random Steam URLs and you'll be fine.
No, that won't do it because if the Steam URLs are scripted, you don't have to click on a thing. And, if your browser doesn't prompt on the URLs as Safari doesn't at all and others won't if set that way, you won't even know if your browser executed these URLs.
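The distinction argued over in the posts above, a steam:// link that needs a click versus one a page triggers by itself through redirection or script, can be checked statically. An added example, not part of any post in this thread: a Python scan over constructed HTML samples; the class and function names and the `steam://placeholder` URL are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

SCHEME = "steam://"
# (tag, attribute) pairs a browser loads on its own, with no click.
AUTO_ATTRS = {("iframe", "src"), ("frame", "src"), ("img", "src"),
              ("embed", "src"), ("object", "data")}
# Script navigation whose target is a literal steam:// string.
JS_NAV = re.compile(r"""(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\s*\(|window\.open\s*\()\s*["']steam://""", re.I)

class SteamUrlAudit(HTMLParser):  # hypothetical name
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (trigger, where)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "meta":
            if (a.get("http-equiv", "").lower() == "refresh"
                    and SCHEME in a.get("content", "").lower()):
                self.findings.append(("auto", "meta refresh"))
        elif tag == "a":
            if a.get("href", "").lower().startswith(SCHEME):
                self.findings.append(("click", "a href"))
        for t, attr in sorted(AUTO_ATTRS):
            if tag == t and a.get(attr, "").lower().startswith(SCHEME):
                self.findings.append(("auto", f"{t} {attr}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and JS_NAV.search(data):
            self.findings.append(("auto", "script navigation"))

def audit(html):
    """Return steam:// references as ("auto" | "click", location)."""
    parser = SteamUrlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages; steam://placeholder is not a real command.
SAMPLES = {
    "link": '<a href="steam://placeholder">Install</a>',
    "meta": '<meta http-equiv="refresh" content="0;url=steam://placeholder">',
    "frame": '<iframe src="steam://placeholder"></iframe>',
    "script": '<script>window.location = "steam://placeholder";</script>',
}
```

An "auto" finding is the case where the browser's launch prompt, if one is shown at all, is the only thing between the page and the Steam client. The scan only sees literal URLs, so a target string assembled at run time by script is not reported.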
Prez wrote on Oct 17, 2012, 17:23: Doom 3's gameplay was a victim of the PC technology of the time. Recreating the Doom/Doom II experience with all of those enemies and items on the screen at once simply wasn't possible with the hardware available at the time of Doom 3's development since Carmack was pushing the game to have leading edge visuals. Sure, he could have made the game less demanding like Serious Sam and recreated the original experience, but that is not what he and id wanted. It also wouldn't have sold a lot of hardware upgrades like Doom 3 did which is what hardware vendors wanted.
The biggest thing I think was that it was pretty jarring for Doom fans that the series went from visceral run and gun to survival horror.
Flatline wrote on Oct 17, 2012, 18:22: but with a $30 pricetag instead of $5 or $10
This is a bargain-bin release.
hb3d wrote on Oct 17, 2012, 17:07: I went back and read the Uplay researcher's original post again and I see that the plug-in didn't use ActiveX. The title of the post was "Re: AxMan ActiveX fuzzing" but that was a misleading title since it was actually a thread about a different exploit and the researcher just mentioned his new find in that same thread.
That Uplay exploit affected everyone too, and everyone that had the game plugin installed, not just IE.
You still need to be able to have knowledge of what's where, to be able to execute this exploit.
No, you don't because Windows environment variables will tell you that. Plus most users use default installation locations for Windows and Steam.
And before that you need to be able to have access to something to be able to create the batch file,
Well as stated in the article the Source engine will do that for the attacker if a Source engine game is installed. But, hardly anyone plays Source engine games, right?
Prez wrote on Oct 17, 2012, 17:47: No because the exploit can be scripted with JavaScript so that you don't have to click on a thing.
Is it simply a matter of avoiding clicking on external Steam links?
Kosumo wrote on Oct 17, 2012, 16:10: This from the Computerworld article says it all on that: "Valve did not immediately return a request for comment." Even Computerworld didn't get some type of reply from Valve to a very serious security issue. Not even a "We're now aware of the issues and looking into them." Ubisoft both responded and fixed its exploit the same day. See this.
Anyone else to back up that Valve are any more difficult to contact than any other large game/software studio?
Mashiki Amiketo wrote on Oct 17, 2012, 13:24: You missed a lot. Read the whole article (slowly for you) on Computerworld. This goes way beyond being a browser exploit. The browser is just used as an attack vector into the Steam client itself and Source engine games. See "The researchers released a video in which they demonstrate how steam:// URLs can be used to remotely exploit some vulnerabilities they found in the Steam client and popular games." Valve's wonderful security triumphs again. I wonder if we will see Half-Life 3 source code soon.
Looking at this a bit more, it appears that unless you've been able to compromise the machine beforehand and lay a batch file (and know what games are installed), this is pretty much useless. So if someone has already compromised the machine that far, you've got other things to worry about than Steam URLs.
Though I might have missed something.
In a different example, a steam:// URL can be used to execute legitimate commands found in Valve's Source game engine in order to write a .bat file with attacker-controlled content inside of Windows Startup folder. Files located in the Windows Startup directory are automatically executed when users log in.
That is really, really bad. As bad or worse than that Uplay exploit everyone bashed Ubisoft over (but not the researcher who found the exploit, hypocrites), but was fixed in a day or less. At least that exploit only affected users with the installed plug-in. This attack affects all browsers and Steam client users and since it can be scripted with JavaScript, it is relatively easy to implement and get past the user especially on some browsers and settings.
Badboyquake wrote on Oct 17, 2012, 01:18: Thanks for the tip. "Seta" doesn't work with this game though so you either always have to use the command-line option to enable the console or put it into an autoexec.cfg file which works. Enabling the console also disables achievements (not that I personally care).
Console is disabled by default in the game, but you can access it by using the following command line in the launch option: +seta com_allowconsole 1
change fov with g_fov XX or +set g_fov XX
That's a nice tip, but the Lost levels are so cramped that a wider view isn't really needed. The default setting is 80.
some people like the lost missions.
What people? All of the slow, unchallenging, brain-dead zombies you find in those levels? Standard Doom 3 at least has some story, cutscenes, and you feel like you are part of something bigger. These Lost levels feel like something Bethesda interns made. They have all of the worst aspects of Doom 3 in abundance with none of the charms.
don't forget the doom II addon from nerve "No Rest for the Living". first time for pc, xbox360 players know it.
That's just nine Doom II maps. I haven't played them, but given how many thousands of Doom II maps have been made, I don't see that these nine are worth $30.
deqer wrote on Oct 17, 2012, 01:11: Since you previously stated your dislike for Steam, to add to your list of reasons not to buy the game, this version also requires Steam and its multiplayer uses Steam's wonderful consolized P2P matchmaking instead of better available options on Steam. There is also no LAN multiplayer. The patched original release of Doom 3 has dedicated servers and LAN multiplayer.
You can take your rehashed product--with its new file format and no modding capabilities--and kindly shove it up your ***. Good day.
Kitkoan wrote on Oct 17, 2012, 00:17: There's just no reason for a serious PC gamer to buy this version. If for some reason you don't already have the original release of Doom 3 and the RoE add-on, buy that instead and download some of the great mods for that version like the classic Doom mod and the co-op mods. The Doom 3 source code is now open source too, so if you are serious about mod creation, the sky is the limit.
If I can't mod it or anything, kinda kills a lot of it for me
The Half Elf wrote on Oct 16, 2012, 22:54: I've always played games exclusively on the PC including the original releases of all of the Doom games, and having tried this "improved" version of the game I can now say that I know what it feels like to own an XBOX360 or a Playstation 3. The paucity of the settings screens should make any PC gamer cry. This new version doesn't even support mods or existing third-party maps because Bethesda/id changed the archive file format for the game. There is no command console either (without command-line CVAR setting).
Is this the edition that nobody asked for or wanted?
Or does it include duct tape?
Yes, in that you can turn on the flashlight at any time while still holding your weapon although there is no visible flashlight model.
And if you already own DOOM 3 on Steam, between now and November 13th you can save $10 on your purchase.
This needs to be changed to "And if you already own DOOM 3 on Steam, play that version and save your money." The only thing you're missing out on besides the consolitis are the "Lost" levels, and from what I have played so far, they should have stayed lost.