所有讨论 > Steam 论坛 > Steam Discussions > 主题详情
HMFOG 22 小时以前
What does, "...when an exploit attempt is detected.", mean exactly?!!
"Added mitigations for Unity CVE-2025-59489, blocking a game launch through the Steam Client when an exploit attempt is detected."

Steam released a client update that appears to indicate they are addressing this issue, but I have to ask Steam, what does this do exactly?

How is a "exploit attempt" actually detected? The use of, "when" is also subjective, unless clarity is provided as to whether Steam is actually capable of detecting the "when" and to what degree of success.

I have a very large library of Steam games, and as of the time of this posting, only 26 have been updated to address this issue. That means that single digit percentages of my library's dev teams have so far addressed this issue, and most of the publishers made no indication what the update addressed. The only bearing I have is that almost all the updates were roughly the same size.

That is all VERY concerning. First, game creators and publishers should be required to indicate what is in their updates, and if addressing a security vulnerability, how they did so.

Now that the exploit has been made public, bad actors will be coming from every corner of the dark web to exploit it. So, I, and ALL other Steam library owners should be getting much more from Steam than a one sentence statement with no additional clarity on how this issue is truly being addressed and what risks remain, if any, for older titles that are not being patched. Do we now lose the ability to use those titles?

Respectfully, we need and deserve better answers, and a show of thoughtfully delivered statements for security related concerns when these issues exist.

What say you Steam?!
最后由 HMFOG 编辑于; 22 小时以前
< >
正在显示第 1 - 14 条,共 14 条留言
cSg|mc-Hotsauce 22 小时以前 
引用自 HMFOG
What does, "...when an exploit attempt is detected.", mean exactly?!!

"Added mitigations for Unity CVE-2025-59489, blocking a game launch through the Steam Client when an exploit attempt is detected."

Steam released a client update that appears to indicate they are addressing this issue, but I have to ask Steam, what does this do exactly?

How is a "exploit attempt" actually detected? The use of, "when" is also subjective, unless clarity is provided as to whether Steam is actually capable of detecting the "when" and to what degree of success.

I have a very large library of Steam games, and as of the time of this posting, only 26 have been updated to address this issue. That means that single digit percentages of my library's dev teams have so far addressed this issue, and most of the publishers made no indication what the update addressed. The only bearing I have is that almost all the updates were roughly the same since.

That is all VERY concerning. First, game creators and publishers should be required to indicate what is in their updates, and if addressing a security vulnerability, how they did so.

Now that the exploit has been made public, bad actors will be coming from every corner of the dark web to exploit it. So, I, and ALL other Steam library owners should be getting much more from Steam than a one sentence statement with no additional clarity on how this issue is truly being addressed and what risks remain, if any, for older titles that are not being patched. Do we now lose the ability to use those titles?

Respectfully, we need and deserve better answers, and a show of thoughtfully delivered statements for security related concerns when these issues exist.

What say you Steam?!

https://psteamcommunity.yuanyoumao.com/groups/steamworks/announcements/detail/524229329545071275

:nkCool:
#1
DarkCrystalMethod 22 小时以前 
If you're not using an exploit then it doesn't and shouldn't mean anything to you specifically.
You could go to the cve website and look up that spec, but the finer details are only revealed to security professionals.
#2
HMFOG 22 小时以前 
引用自 DarkCrystalMethod
If you're not using an exploit then it doesn't and shouldn't mean anything to you specifically.
You could go to the cve website and look up that spec, but the finer details are only revealed to security professionals.
Thank you for weighing in but I'm not sure how that is helpful. No one would be intentionally or knowingly "using" an exploit for bad actor intentions on their own machine. So it does matter to everyone with a steam library with Unity games. I don't need to do the research to know that a one line statement to address a potentially major security issue is not a clear disclosure of patched security, and certainly not so without a risk(s) statement also being included.
#3
Mr. Smiles 21 小时以前 
It matters most to developers since they have to download and update their games with the patched editor version, then redeploy.

I got that email from unity yesterday.
#4
HMFOG 20 小时以前 
I appreciate that response, you being a developer, so thank you for weighing in. My post isn't to call out developers that are actually releasing, or working on releasing patch updates, its on developers that release an update with no description at all, where there's no confirmation the game has been patched.

And for Steam to please provide more clarity on how their patch is actually protecting Steam users, and to what extent.

- What about games that are no longer "shipping", but remain in a users library?
- How do we know if an exploit exists until we unsuccessfully attempt to run it?
- Do we now need to launch every game in our library?
- Should we be taking that risk without clarity that Steam's client patch update can successfully detect when an exploit exists 100%?
- What about games that are no longer supported or being updated by the developer?
- As paying users, do we just lose out on money spent if the game has or is somehow being exploited and no longer being supported by the developer?

These are all legitimate questions that we currently have no clarity about from Steam.
最后由 HMFOG 编辑于; 20 小时以前
#5
Mr. Smiles 18 小时以前 
引用自 HMFOG
I appreciate that response, you being a developer, so thank you for weighing in. My post isn't to call out developers that are actually releasing, or working on releasing patch updates, its on developers that release an update with no description at all, where there's no confirmation the game has been patched.

And for Steam to please provide more clarity on how their patch is actually protecting Steam users, and to what extent.

- What about games that are no longer "shipping", but remain in a users library?
- How do we know if an exploit exists until we unsuccessfully attempt to run it?
- Do we now need to launch every game in our library?
- Should we be taking that risk without clarity that Steam's client patch update can successfully detect when an exploit exists 100%?
- What about games that are no longer supported or being updated by the developer?
- As paying users, do we just lose out on money spent if the game has or is somehow being exploited and no longer being supported by the developer?

These are all legitimate questions that we currently have no clarity about from Steam.
It doesn't answer everything, but this snippet is from the unity email to developers:

Key Facts:

There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
Unity has worked in close collaboration with our platform partners who have taken further steps to secure their platforms and protect end users.
Released games or applications using Unity 2017.1 or later for Windows, Android, macOS, or Linux may contain this vulnerability.
Unity has released an update for each of the major and minor versions of the Unity Editor starting with Unity 2019.1.
Unity has released a binary patcher to patch already-built applications dating back to 2017.1.
#6
Dendrobates Tinctorius 18 小时以前 
引用自 HMFOG
I appreciate that response, you being a developer, so thank you for weighing in. My post isn't to call out developers that are actually releasing, or working on releasing patch updates, its on developers that release an update with no description at all, where there's no confirmation the game has been patched.

And for Steam to please provide more clarity on how their patch is actually protecting Steam users, and to what extent.

- What about games that are no longer "shipping", but remain in a users library?
- How do we know if an exploit exists until we unsuccessfully attempt to run it?
- Do we now need to launch every game in our library?
- Should we be taking that risk without clarity that Steam's client patch update can successfully detect when an exploit exists 100%?
- What about games that are no longer supported or being updated by the developer?
- As paying users, do we just lose out on money spent if the game has or is somehow being exploited and no longer being supported by the developer?

These are all legitimate questions that we currently have no clarity about from Steam.
did you try reading the link in the very first reply to this thread? there's a lot of clarity there.
#7
Lystent 15 小时以前 
引用自 Dendrobates Tinctorius
引用自 HMFOG
I appreciate that response, you being a developer, so thank you for weighing in. My post isn't to call out developers that are actually releasing, or working on releasing patch updates, its on developers that release an update with no description at all, where there's no confirmation the game has been patched.

And for Steam to please provide more clarity on how their patch is actually protecting Steam users, and to what extent.

- What about games that are no longer "shipping", but remain in a users library?
- How do we know if an exploit exists until we unsuccessfully attempt to run it?
- Do we now need to launch every game in our library?
- Should we be taking that risk without clarity that Steam's client patch update can successfully detect when an exploit exists 100%?
- What about games that are no longer supported or being updated by the developer?
- As paying users, do we just lose out on money spent if the game has or is somehow being exploited and no longer being supported by the developer?

These are all legitimate questions that we currently have no clarity about from Steam.
did you try reading the link in the very first reply to this thread? there's a lot of clarity there.
It's more of an instructional from Valve to devs who publish on Steam. To me, it looks as though it might help a player mod their local copy to be more secure, but IDK if it is something a player should even try or not.

Nonetheless, it looks to me like business as usual for titles that have no active devs what-so-ever: what's there now is what you will have later. (Isn't there a similar issue with early CoD games on PC?)
最后由 Lystent 编辑于; 15 小时以前
#8
Dendrobates Tinctorius 13 小时以前 
引用自 Lystent
引用自 Dendrobates Tinctorius
did you try reading the link in the very first reply to this thread? there's a lot of clarity there.
It's more of an instructional from Valve to devs who publish on Steam. To me, it looks as though it might help a player mod their local copy to be more secure, but IDK if it is something a player should even try or not.

Nonetheless, it looks to me like business as usual for titles that have no active devs what-so-ever: what's there now is what you will have later. (Isn't there a similar issue with early CoD games on PC?)
As the link explains, basically the way the exploit works is you can give unity games a command line argument listing a library to load.

So a way you'd exploit this through steam would be something like:
1. Get the target to put your malicious code somewhere predictable, like e.g. tricking them into downloading virus.dll into their download folder
2. Give them a steam:// link that runs a vulnerable unity game with the arguments, so something like:
"steam://run/[vulnerableunitygameid]//-maliciousarg path/to/virus.dll"
3. When they launch the game through that link, the game will run your code.

Steam now looks for urls containing a (potentially) malicious argument and just doesn't launch the game.

Some games might need to update more than others if e.g. they rely on adding ways to launch the game outside steam, but yes, a lot of games won't get patched, which is why the steam update should help a bit.
#9
Ben Lubar 11 小时以前 
引用自 DarkCrystalMethod
If you're not using an exploit then it doesn't and shouldn't mean anything to you specifically.
You could go to the cve website and look up that spec, but the finer details are only revealed to security professionals.
Using this exploit on your own computer would be pointless because it's a privilege escalation/arbitrary code execution exploit and on a computer you have full control of you could just run whatever you wanted to run directly.

The exploit is that there are certain command lines you can pass to a Unity game that will load a DLL from anywhere on your system, for example your downloads folder.

Steam already warns you if you try to start a game with a custom command line via the steam://run protocol. In addition to that, it now completely blocks any attempt to start a game with any of the four broken commands in unpatched Unity games.

You're not in danger at all unless you give someone the ability to both put files on your computer and start games on your computer with custom command lines. On Android, it's more dangerous because the equivalent of steam://run is part of the operating system and not specific to one program.
#10
HMFOG 11 小时以前 
Thank you for taking your time to provide added clarity to this Ben Lubar. It would have been very responsible of Steam to have just explained it for all of us so we could better understand the risk, and how what they did to address it actually resolved the issue so we aren't left guessing to what extent we are actually protected. Thanks again.

Simply put, Steam, you can and should do better.
#11
Maksimka12r 9 小时以前 
дякую
#12
Lystent 8 小时以前 
引用自 Dendrobates Tinctorius
...
Ahh, I see. Thanks for the clarification. Granted, Last I knew, folks were already getting phished into putting malware onto their machines for some time now. However, I think the only cases relevant to Steam I'm aware of are more related to market place for CS2 (formerly CS:GO), primarily to hijack accounts for some over-monetized in-game loot.
最后由 Lystent 编辑于; 8 小时以前
#13
Floid 2 小时以前 
So this only blocks a desktop shortcut if it contains one of the four command line parameters - so all our existing regular steam shortcuts should still work then ? ? ?
(eg : steam://rungameid/xxxxxxx)
#14
< >
正在显示第 1 - 14 条,共 14 条留言
每页显示数: 1530 50

所有讨论 > Steam 论坛 > Steam Discussions > 主题详情
发帖日期: 10 月 4 日 上午 9:34
回复数: 14
发起新讨论

讨论规则及指引