low rated
JakobFel: Again, unless you downloaded a trojan specifically targeted at this vulnerability (something that's very unlikely to happen), that won't happen. Even if it did, as Gersen said, you have bigger things to worry about in that case.
BenMcLean: Why the hell would this be unlikely to happen?
It's unlikely to happen because GOG is an extremely niche store with a very tiny customer base.

Therefore, hackers who write viruses are very unlikely to waste their time & energy trying to target a very small group of potential users who are very unlikely to stumble across the shady websites upon which they upload their viruses.
BenMcLean: Why the hell would this be unlikely to happen?
Unlikely because it's a very convoluted way to get access to a computer for only a very limited potential target audience while much more efficient methods exist. As I said earlier, if you get people to run random code on their PC then you most likely can already have them do it in admin mode.

Here your "target audience" is somebody who knows enough about computer security to not accept a "Do you want to allow this app to make changes to this device" prompt when he double-clicks on a setup.exe, but who at the same time does download and run random binaries from untrustworthy websites and who also happens to use Galaxy... let's just say that it's not really a big niche.
low rated
JakobFel: Again, unless you downloaded a trojan specifically targeted at this vulnerability (something that's very unlikely to happen), that won't happen. Even if it did, as Gersen said, you have bigger things to worry about in that case.
§pec†re: Like what? Releasing the most anticipated game in a long time and have hackers grab all your files?

or

1. Release game on gog which targets this.
2. Claim any antivirus alerts are false positives.
3. Use galaxy exploit.
4. ???
5. Profit.
I like profit
but what is the ??? part? ? ?
BenMcLean: If I really need multiplayer through the Galaxy client then I'll have to install it just during each session and uninstall immediately afterwards I guess.
Since the vulnerability is in GalaxyClientService.exe, renaming it to GalaxyClientService.exe-disabled when you don't need GOG Galaxy should suffice.
BenMcLean: If I really need multiplayer through the Galaxy client then I'll have to install it just during each session and uninstall immediately afterwards I guess.
Ice_Mage: Since the vulnerability is in GalaxyClientService.exe, renaming it to GalaxyClientService.exe-disabled when you don't need GOG Galaxy should suffice.
Sounds like a good idea.

About the whole "running random codes" thing -- not everything you run has a setup.exe. If you're into PC games at all, a lot of them just run directly without an installer.

Also, if other stores' clients are vulnerable to this then I'd like to see links to the relevant security disclosure pages on them too please.
low rated
JakobFel: Again, unless you downloaded a trojan specifically targeted at this vulnerability (something that's very unlikely to happen), that won't happen. Even if it did, as Gersen said, you have bigger things to worry about in that case.
§pec†re: Like what? Releasing the most anticipated game in a long time and have hackers grab all your files?

or

1. Release game on gog which targets this.
2. Claim any antivirus alerts are false positives.
3. Use galaxy exploit.
4. ???
5. Profit.
Do you REALLY think that the average hacker or virus developer would go to the trouble of designing a game that may not even be accepted by GOG's curation, just to exploit a vulnerability on systems that may or may not even use Galaxy?

JakobFel: Again, unless you downloaded a trojan specifically targeted at this vulnerability (something that's very unlikely to happen), that won't happen. Even if it did, as Gersen said, you have bigger things to worry about in that case.
BenMcLean: I don't understand.

Why the hell would this be unlikely to happen?

It seems EXTREMELY likely to happen!!

Anyways, for the time being, I've uninstalled GOG Galaxy and will just be using the offline backup installers exclusively until this is fixed. If I really need multiplayer through the Galaxy client then I'll have to install it just during each session and uninstall immediately afterwards I guess.
To exploit the vulnerability, someone would have to develop a piece of software specifically targeted at that Galaxy vulnerability, find some way to get it out to GOG Galaxy users (which would be absurdly unlikely unless they directly, personally trick you into downloading it) and as has been mentioned prior, if it gets to that point, you have a lot more to worry about than some vulnerability.

I'm not saying GOG shouldn't patch it, but the facts above, along with the fact that GOG themselves haven't patched it yet, are more than enough reason to believe that it's practically a non-issue and very unlikely to actually end up exploited. Uninstalling Galaxy over this is pretty silly.
JakobFel: Do you REALLY think that the average hacker or virus developer would go to the trouble of designing a game that may not even be accepted by GOG's curation, just to exploit a vulnerability on systems that may or may not even use Galaxy?

[...]

To exploit the vulnerability, someone would have to develop a piece of software specifically targeted at that Galaxy vulnerability, find some way to get it out to GOG Galaxy users (which would be absurdly unlikely unless they directly, personally trick you into downloading it) and as has been mentioned prior, if it gets to that point, you have a lot more to worry about than some vulnerability.

I'm not saying GOG shouldn't patch it, but the facts above, along with the fact that GOG themselves haven't patched it yet, are more than enough reason to believe that it's practically a non-issue and very unlikely to actually end up exploited. Uninstalling Galaxy over this is pretty silly.
"unlikely to actually end up exploited", also known as "things that JNDI users said until a week ago for 100".

It's not as unlikely as you make it out to be, spear phishing is very popular and very effective. Secondly, targeting Galaxy users specifically is just one vector, another, much more common one, is that exploits for such vulnerabilities do end up in "exploit kits", where they simply become one of many mechanisms that an exploit ships with, ready to be used for escalating privileges when it finds itself on a system with corresponding vulnerable software present.

Ask all the ransomware victims around the world what they think about being casual about privilege escalation vulnerabilities, they'd probably slap you in the face with a wet fish until you beg for forgiveness. It's easily one of the most commonly exploited issues in chained attacks, and in today's day and age must always be considered a severe security issue!

The fact that GOG is taking ages to fix this is primarily a testament to the flaw of the application's design, and/or GOG's incident response planning.
Post edited December 19, 2021 by onatg
low rated
I think CDPR/GOG are way too busy counting money n buttf#cking customers. They just don't have the time to close critical sec issues.
JakobFel: Do you REALLY think that the average hacker or virus developer would go to the trouble of designing a game that may not even be accepted by GOG's curation, just to exploit a vulnerability on systems that may or may not even use Galaxy?

[...]

To exploit the vulnerability, someone would have to develop a piece of software specifically targeted at that Galaxy vulnerability, find some way to get it out to GOG Galaxy users (which would be absurdly unlikely unless they directly, personally trick you into downloading it) and as has been mentioned prior, if it gets to that point, you have a lot more to worry about than some vulnerability.

I'm not saying GOG shouldn't patch it, but the facts above, along with the fact that GOG themselves haven't patched it yet, are more than enough reason to believe that it's practically a non-issue and very unlikely to actually end up exploited. Uninstalling Galaxy over this is pretty silly.
onatg: "unlikely to actually end up exploited", also known as "things that JNDI users said until a week ago for 100".

It's not as unlikely as you make it out to be, spear phishing is very popular and very effective. Secondly, targeting Galaxy users specifically is just one vector, another, much more common one, is that exploits for such vulnerabilities do end up in "exploit kits", where they simply become one of many mechanisms that an exploit ships with, ready to be used for escalating privileges when it finds itself on a system with corresponding vulnerable software present.

Ask all the ransomware victims around the world what they think about being casual about privilege escalation vulnerabilities, they'd probably slap you in the face with a wet fish until you beg for forgiveness. It's easily one of the most commonly exploited issues in chained attacks, and in today's day and age must always be considered a severe security issue!

The fact that GOG is taking ages to fix this is primarily a testament to the flaw of the application's design, and/or GOG's incident response planning.
I never said that GOG should ignore it and never fix it. All I'm saying is that it's clear that the ACTUAL threat level is incredibly low. Yes, it's POSSIBLE for targeted attacks on Galaxy users but considering how GOG isn't the largest gaming platform and the client is entirely optional, the chances of that are incredibly slim and even so, as has been said before, you'd have much larger issues at that point than worrying about a vulnerability in Galaxy.
high rated
JakobFel: I never said that GOG should ignore it and never fix it. [...]
I did not claim that you did. The problem is that you're downplaying the issue, perhaps because of a wrong understanding of the security implications, but whatever the reason, it's not helpful.

JakobFel: [...] All I'm saying is that it's clear that the ACTUAL threat level is incredibly low. Yes, it's POSSIBLE for targeted attacks on Galaxy users but considering how GOG isn't the largest gaming platform and the client is entirely optional, the chances of that are incredibly slim and even so, as has been said before, you'd have much larger issues at that point than worrying about a vulnerability in Galaxy.
See, it's exactly the other way around, you have a problem at that point, and with a privilege escalation vulnerability present, you have a far worse problem.

If I get a hold of your front door key, that's one thing, I'll steal your TV and poop in your aquarium, which sucks, but if I get access to your safe with all your personal documents and stuff, then you have a far worse problem, as I'm going to steal your identity, empty your bank account, take up credits and file tax returns in your name, etc, basically just completely f up your life. At that point you'd be really happy if all you had to worry about were a 300 dollar TV and goldfish poop-soup.

And again, it doesn't even have to be an attack targeted at _specifically_ Galaxy users; a lot of malware looks for all sorts of software, e.g. if it doesn't find Acrobat on your system, but Galaxy, then it will use Galaxy to gain privileges.
Post edited December 20, 2021 by onatg
low rated
JakobFel: I never said that GOG should ignore it and never fix it. [...]
onatg: I did not claim that you did. The problem is that you're downplaying the issue, perhaps because of a wrong understanding of the security implications, but whatever the reason, it's not helpful.

JakobFel: [...] All I'm saying is that it's clear that the ACTUAL threat level is incredibly low. Yes, it's POSSIBLE for targeted attacks on Galaxy users but considering how GOG isn't the largest gaming platform and the client is entirely optional, the chances of that are incredibly slim and even so, as has been said before, you'd have much larger issues at that point than worrying about a vulnerability in Galaxy.
onatg: See, it's exactly the other way around, you have a problem at that point, and with a privilege escalation vulnerability present, you have a far worse problem.

If I get a hold of your front door key, that's one thing, I'll steal your TV and poop in your aquarium, which sucks, but if I get access to your safe with all your personal documents and stuff, then you have a far worse problem, as I'm going to steal your identity, empty your bank account, take up credits and file tax returns in your name, etc, basically just completely f up your life. At that point you'd be really happy if all you had to worry about were a 300 dollar TV and goldfish poop-soup.

And again, it doesn't even have to be an attack targeted at _specifically_ Galaxy users; a lot of malware looks for all sorts of software, e.g. if it doesn't find Acrobat on your system, but Galaxy, then it will use Galaxy to gain privileges.
Hi JakobFel. I get your points but I second the opinions of onatg.
The bad guys are always looking for the opportunity (they don't care much how small it is; do you have a saying in your country like we have here, "The opportunity makes the thief"? That summarizes the point).

Granted, security risk flags in the physical world might not be very alarming if the opportunity applied just to an individual or a few doves... but the problem in the digital world is that those few doves scale up to a not insignificant number. Cybercrime is a real thing and a very lucrative business: we need to update our nostalgic/Hollywood cliché of a solitary nerd doing his stuff in a garage/basement to the renewed idea of criminal organizations with large budgets/tools/experts.

Me thinking of drilling a hole in a steel door might be unrealistic, but that's a trivial task for a business with industrial tools/equipment, just to compare.

Anyway, my personal inexpert cyber security opinions aside, 3 things to keep on the table:

- The National Vulnerability Database is a U.S. government repository. It is not an amateur but a professional thing.

- Each entry in the NVD is scored by experts using the Common Vulnerability Scoring System (CVSS), which is based on a set of equations using metrics such as access complexity and availability of a remedy. Those elements you have been posting about are included in the mix. I invite you to review the details in case you are curious.

- The CVSS Base Score for this specific GOG Galaxy issue: 7.8 of 10 (HIGH)

Me being a cyber security inexpert, I choose to believe the experts. But that's only my personal choice.

Thank you guys for joining the thread and keep sharing your opinions back and forth.
The more public a cyber-security issue is, the more pressure there is on the software owners to fix it instead of underestimating/postponing/ignoring it.
And along the way that also creates public awareness. So simply by talking about this topic and this specific CVE, somehow we are helping a bit :)

I hope you guys stay healthy & safe and have great Christmas & New Year holidays.
Please receive my best wishes!

References:
en.wikipedia.org/wiki/National_Vulnerability_Database
web.archive.org/web/20131221044001/http://nvd.nist.gov/cvsseq2.htm
high rated
There's "not urgent" and then there's "still open over a year later". Yes we get that privilege escalation bugs on their own don't allow anything, but they do allow any security bug to turn into a full compromise. However the time for "not urgent" has passed, it's time to fix it or disable the vulnerable component.

There's a code execution bug and people say "not a huge deal cause it only gets to run code as a limited user account".
There's a privilege escalation bug and people say "not a huge deal cause someone has to get code to run first".

Sure, these bugs are discovered all the time, but here's the important thing: they get fixed, so attackers have a limited time window between when the exploit is known and when it starts being patched out.

As for galaxy being "specifically targeted", attackers don't have to put all their eggs in one basket. Their payload can automatically try a collection of privilege escalations till one of them works. So probably the install base of galaxy is too low for attackers to be rushing out an exploit, but the longer this stays open the more it starts to look like it's worth adding to your exploit payload as it (seemingly) never gets closed.
shopt: There's "not urgent" and then there's "still open over a year later".
This. This is simply embarrassing for CDPR, and shows where their priorities (do not) lie.
shopt: snip
I would put money on this being in every exploit kit out there, two years on. Frankly ridiculous.
Is this the right place to mention the various security exploits Steam and the other launchers have as well? Since decades now? No? Too bad?

Just check the CVE lists for the other launchers before we start taking a dump on the Galaxy devs, shall we?

PS: Let alone the 0-day exploits Windows in itself has had since uhhhggg forever
Post edited January 25, 2022 by GHOSTMD