Oprindeligt skrevet af bidulless:

suggestion - valve please remove the use of your client as a browser

hello

if valve can't update it cef at the same speed as cve are discovered/exploited on the wild and so patched , it can be a good solution to just remove the possibility to use it trought the overlay or at least ,popup a windows that explain the risk using it as a browser ....

The overlay browser isn't going anywhere.

I do wish it was updated a lot quicker though.

Oprindeligt skrevet af bidulless:

hello

if valve can't update it cef at the same speed as cve are discovered/exploited on the wild and so patched , it can be a good solution to just remove the possibility to use it trought the overlay or at least ,popup a windows that explain the risk using it as a browser because it's outdated ( cef 126)
....
remove the button to call it from overlay or make a popup telling people the risk to use it

If you can perform a PoC on the built-in browser, look to https://www.valvesoftware.com/en/security/ for info to contact Valve.

Oprindeligt skrevet af Crashed:

Oprindeligt skrevet af bidulless:

hello

if valve can't update it cef at the same speed as cve are discovered/exploited on the wild and so patched , it can be a good solution to just remove the possibility to use it trought the overlay or at least ,popup a windows that explain the risk using it as a browser because it's outdated ( cef 126)
....
remove the button to call it from overlay or make a popup telling people the risk to use it

If you can perform a PoC on the built-in browser, look to https://www.valvesoftware.com/en/security/ for info to contact Valve.

hello
there is no poc to have, it just that using the client as a browser is an absolute stupidity

Oprindeligt skrevet af bidulless:

Oprindeligt skrevet af Crashed:

If you can perform a PoC on the built-in browser, look to https://www.valvesoftware.com/en/security/ for info to contact Valve.

hello
there is no poc to have, it just that using the client as a browser is an absolute stupidity

Don't zero-day exploits genreally have a PoC to test?

Oprindeligt skrevet af Crashed:

Oprindeligt skrevet af bidulless:

hello
there is no poc to have, it just that using the client as a browser is an absolute stupidity

Don't zero-day exploits genreally have a PoC to test?

hello

seems you do not understand ...
it's not the client itself but the use of it as a browser for surfing the web ....
because it's totally safe inside the steam/valve ecosystem but surely not outside unless you do not understand what a browser is ...

While the version might be outdated, it might still get merges that fix whatever CVEs have come out. I've not looked into deeply enough to know but it's a common practice for stable distributions to backport security fixes to older versions to maintain stability and introduce new security measures.

Oprindeligt skrevet af rawWwRrr:

While the version might be outdated, it might still get merges that fix whatever CVEs have come out. I've not looked into deeply enough to know but it's a common practice for stable distributions to backport security fixes to older versions to maintain stability and introduce new security measures.

Valve would be on their own because the major version they are on is EOL.

Oprindeligt skrevet af bidulless:

Oprindeligt skrevet af Crashed:

Don't zero-day exploits genreally have a PoC to test?

hello

seems you do not understand ...
it's not the client itself but the use of it as a browser for surfing the web ....

It's intended to be used for client purposes.
No one really ever recommendeds opening a tab version and using it to browse the internet since dedicated browsers are favored by users mostly for their Extensions like adblockers.

This seems like a non-issue and an overly specific situation that's unlikely to result in problems.

hello

i do not use it as a browser so why do i need to care ?
so please go use it as a your current browser xd

Oprindeligt skrevet af rawWwRrr:

While the version might be outdated, it might still get merges that fix whatever CVEs have come out. I've not looked into deeply enough to know but it's a common practice for stable distributions to backport security fixes to older versions to maintain stability and introduce new security measures.

hello

please do it and come back with your discovery xd

and anyway if the white knight are not agree about that, may be they can be agree about the use of a popup just after clicking on it trought the overlay

Oprindeligt skrevet af bidulless:

hello

i do not use it as a browser so why do i need to care ?
so please go use it as a your current browser xd

Oprindeligt skrevet af bidulless:

Oprindeligt skrevet af rawWwRrr:

While the version might be outdated, it might still get merges that fix whatever CVEs have come out. I've not looked into deeply enough to know but it's a common practice for stable distributions to backport security fixes to older versions to maintain stability and introduce new security measures.

hello

please do it and come back with your discovery xd

and anyway if the white knight are not agree about that, may be they can be agree about the use of a popup just after clicking on it trought the overlay

Like everyone I prefer a dedicated browser that is intended to be used as a browser, fully-functional, non-limited, with extensions. If you believe there's security issues with using-not-as-intended, you can contact valve directly;

Oprindeligt skrevet af Crashed:

https://www.valvesoftware.com/en/security/ for info to contact Valve.

Oprindeligt skrevet af Mad Scientist:

Oprindeligt skrevet af bidulless:

hello

i do not use it as a browser so why do i need to care ?
so please go use it as a your current browser xd

Oprindeligt skrevet af bidulless:

hello

please do it and come back with your discovery xd

and anyway if the white knight are not agree about that, may be they can be agree about the use of a popup just after clicking on it trought the overlay

Like everyone I prefer a dedicated browser that is intended to be used as a browser, fully-functional, non-limited, with extensions. If you believe there's security issues with using-not-as-intended, you can contact valve directly;

Oprindeligt skrevet af Crashed:

https://www.valvesoftware.com/en/security/ for info to contact Valve.

hello

all that are linked to the client not the browser part that can be use outside the steam ecosystem ...

Oprindeligt skrevet af bidulless:

Oprindeligt skrevet af Mad Scientist:

Like everyone I prefer a dedicated browser that is intended to be used as a browser, fully-functional, non-limited, with extensions. If you believe there's security issues with using-not-as-intended, you can contact valve directly;

hello

all that are linked to the client not the browser part that can be use outside the steam ecosystem ...

Again this really seems like a non-issue where people would have to go out of their way to even attempt, let alone be susceptible to vulnerabilities which often comes down to user-error. There's a reason why clicking on many links brings the prompt message about leaving steam.

In a previous thread you compared use of steam ram use to other clients that used significantly more outdated versions of cef, I've have never seen users have vulnerability-related issues on any clients just from that fact since it's meant for internal application use. The chances of people falling for standard scams is significant compared to attempting to browse from a 'new tab' outside of steam. The experience alone using it for such would be quite awful compared to a dedicated browser with extensions. Default is edge which the joke is "only exists to download other browsers", people use chrome & Firefox primarily with Extensions being quite popular especially with non-chrome browsers.

Oprindeligt skrevet af Mad Scientist:

Oprindeligt skrevet af bidulless:

hello

all that are linked to the client not the browser part that can be use outside the steam ecosystem ...

Again this really seems like a non-issue where people would have to go out of their way to even attempt, let alone be susceptible to vulnerabilities which often comes down to user-error. There's a reason why clicking on many links brings the prompt message about leaving steam.

In a previous thread you compared use of steam ram use to other clients that used significantly more outdated versions of cef, I've have never seen users have vulnerability-related issues on any clients just from that fact since it's meant for internal application use. The chances of people falling for standard scams is significant compared to attempting to browse from a 'new tab' outside of steam. The experience alone using it for such would be quite awful compared to a dedicated browser with extensions. Default is edge which the joke is "only exists to download other browsers", people use chrome & Firefox primarily with Extensions being quite popular especially with non-chrome browsers.

hello

sadly none of you can prove that the browser ( cef 126 ) used by the client is immune to all cve discovered since it release ,and i am not talking about the steam ecosystem but internet using the client as an outdated and vulnerable browser while using it like that throught the overlay ...
do i need to remind you that compile log of the steam client are available ( or was ...)
so it's not a rant against valve, just a suggestion that can make valve's customer more secure and aware about their risk using it outside the steam ecosystem

Oprindeligt skrevet af bidulless:

Oprindeligt skrevet af Mad Scientist:

Again this really seems like a non-issue where people would have to go out of their way to even attempt, let alone be susceptible to vulnerabilities which often comes down to user-error. There's a reason why clicking on many links brings the prompt message about leaving steam.

In a previous thread you compared use of steam ram use to other clients that used significantly more outdated versions of cef, I've have never seen users have vulnerability-related issues on any clients just from that fact since it's meant for internal application use. The chances of people falling for standard scams is significant compared to attempting to browse from a 'new tab' outside of steam. The experience alone using it for such would be quite awful compared to a dedicated browser with extensions. Default is edge which the joke is "only exists to download other browsers", people use chrome & Firefox primarily with Extensions being quite popular especially with non-chrome browsers.

hello

sadly none of you can prove that the browser ( cef 126 ) used by the client is immune to all cve discovered since it release ,and i am not talking about the steam ecosystem but internet using the client as an outdated and vulnerable browser while using it like that throught the overlay ...
do i need to remind you that compile log of the steam client are available ( or was ...)
so it's not a rant against valve, just a suggestion that can make valve's customer more secure and aware about their risk using it outside the steam ecosystem

It’s not our job to disprove your theory. You’re the one proposing there are potential security breaches, so the ownness is on you to back up those claims. If it really is that big an issue for you, then as suggested, contact valve directly.