JakobFel: I never said that GOG should ignore it and never fix it. [...]
onatg: I did not claim that you did. The problem is that you're downplaying the issue, perhaps because of a wrong understanding of the security implications, but whatever the reason, it's not helpful.
JakobFel: [...] All I'm saying is that it's clear that the ACTUAL threat level is incredibly low. Yes, targeted attacks on Galaxy users are POSSIBLE, but considering how GOG isn't the largest gaming platform and the client is entirely optional, the chances of that are incredibly slim, and even then, as has been said before, you'd have much larger issues at that point than worrying about a vulnerability in Galaxy.
onatg: See, it's exactly the other way around: you have a problem at that point, and with a privilege escalation vulnerability present, you have a far worse problem.
If I get hold of your front door key, that's one thing: I'll steal your TV and poop in your aquarium, which sucks, but if I get access to your safe with all your personal documents and stuff, then you have a far worse problem, as I'm going to steal your identity, empty your bank account, take out credit and file tax returns in your name, etc., basically just completely f up your life. At that point you'd be really happy if all you had to worry about were a 300 dollar TV and goldfish poop-soup.
And again, it doesn't even have to be an attack targeted at _specifically_ Galaxy users; a lot of malware looks for all sorts of software, e.g. if it doesn't find Acrobat on your system but does find Galaxy, then it will use Galaxy to gain privileges.
Hi JakobFel. I get your points but I second the opinions of onatg.
The bad guys are always looking for an opportunity (and they don't care much how small it is). Do you have a saying in your country like ours, "Opportunity makes the thief"? That sums up the point.
Granted, a security risk flag in the physical world might not be very alarming if the opportunity applied only to an individual or a few doves... but the problem in the digital world is that those few doves scale up to a not insignificant number. Cybercrime is a real thing and a very lucrative business: we need to replace our nostalgic/Hollywood cliché of a solitary nerd doing his stuff in a garage/basement with the reality of criminal organizations with large budgets/tools/experts.
Me thinking of drilling a hole in a steel door might be unrealistic, but that's a trivial task for a business with industrial tools/equipment, just to compare.
Anyway, my personal, inexpert cyber-security opinions aside, three things to keep on the table:
- The National Vulnerability Database is a U.S. government repository. It is a professional effort, not an amateur one.
- Each entry in the NVD is scored by experts using the Common Vulnerability Scoring System (CVSS), which is based on a set of equations using metrics such as access complexity and availability of a remedy. The elements you have been posting about are included in the mix. I invite you to review the details if you are curious.
- The CVSS base score for this specific GOG Galaxy issue: 7.8 out of 10 (HIGH)
Not being a cyber-security expert myself, I choose to believe the experts. But that's only my personal choice.
Thank you guys for joining the thread and keeping up the back and forth, sharing your opinions.
The more public a cyber-security issue is, the more pressure there is on the software owners to fix it instead of underestimating/postponing/ignoring it.
And along the way it also creates public awareness. So simply by talking about this topic and this specific CVE, we are somehow helping a bit :)
I hope you guys stay healthy & safe and have great Christmas & New Year holidays.
Please receive my best wishes!
References:
en.wikipedia.org/wiki/National_Vulnerability_Database
web.archive.org/web/20131221044001/http://nvd.nist.gov/cvsseq2.htm