they just updated the client today

"Security issue fix
- [Windows] Added checks that ensure the loaded .DLLs are genuine"
Post edited August 19, 2020 by Bustacap
Another client, another security flaw.
Bustacap: they just updated the client today

"Security issue fix
- [Windows] Added checks that ensure the loaded .DLLs are genuine"
But how can I update Galaxy? When I opened Galaxy, there was a changelog but it pointed to a change on the 20th of July with a new official Epic integration.

I deinstalled Galaxy, I didn't use it anyway.
Bustacap: they just updated the client today

"Security issue fix
- [Windows] Added checks that ensure the loaded .DLLs are genuine"
DubConqueror: But how can I update Galaxy? When I opened Galaxy, there was a changelog but it pointed to a change on the 20th of July with a new official Epic integration.

I deinstalled Galaxy, I didn't use it anyway.
you just need to wait until the update prompt pops up, can take a few minutes
Anothername: Putting it on the back burner makes absolutely no sense; doubling down on fixing the more popular this becomes and an honest (aka no cynical praying monk silliness) statement would.
Clearly they had other priorities or it would have been fixed in time.
So logic says they would be more concerned about not letting the cat get out of the bag in the first place.
Now that it has, the damage is done. But what damage is that exactly?
From what I have read above, it is not that much to be concerned about for most people.
So they could well have gone back to fixing it when they come to it ... so not changed its priority ... who knows.
So that is what I meant by back burner, i.e. not fixing it immediately.
If it was a really serious bug, it would be a different matter, and I imagine the cat would never have gotten out, because they would have fixed it on time.

Anyway, it seems they may have fixed the issue now.
Anothername: Putting it on the back burner makes absolutely no sense; doubling down on fixing the more popular this becomes and an honest (aka no cynical praying monk silliness) statement would.
Timboli: Clearly they had other priorities or it would have been fixed in time.
So logic says they would be more concerned about not letting the cat get out of the bag in the first place.
Now that it has, the damage is done. But what damage is that exactly?
From what I have read above, it is not that much to be concerned about for most people.
So they could well have gone back to fixing it when they come to it ... so not changed its priority ... who knows.
So that is what I meant by back burner, i.e. not fixing it immediately.
If it was a really serious bug, it would be a different matter, and I imagine the cat would never have gotten out, because they would have fixed it on time.

Anyway, it seems they may have fixed the issue now.
I got that; it just made no sense. It's not like an election where if 40% of people that dislike the result still have to live with it. They won't; they press uninstall and voice their displeasure.

But as you said, fix is probably out and that is the most important thing here.
Starkrun: https://www.positronsecurity.com/blog/2020-08-13-gog-galaxy_client-local-privilege-escalation_deuce/

That above story is spreading like fire talking about a 0-day inside of the GOG Galaxy Client:

ELI5: local access is needed or a way for a bad guy to run a script. Once done they have access. There are a varied many ways for someone to get a script to run on a system.
So what's the status of this, Starkrun? Is the 0-day still there?
Any thoughts on this take on it?
Is this why my Galaxy client will not run? I launch it, it survives a few seconds, and then it quits saying something about Galaxy Communication Services have stopped. This after downloading a MS Defender security update. Maybe Microsoft is forcing their service off until this is resolved?
brucek2: Is this why my Galaxy client will not run? I launch it, it survives a few seconds, and then it quits saying something about Galaxy Communication Services have stopped. This after downloading a MS Defender security update. Maybe Microsoft is forcing their service off until this is resolved?
GOG probably doesn't even exist on MS' radar... just reinstall it if it's broken.
Post edited August 25, 2020 by phaolo
mrkgnao: So what's the status of this, Starkrun? Is the 0-day still there?
The latest patch (2.0.20) from Aug 19th says: added checks that ensure the loaded .DLLs are genuine.

So that looks like the fix to keep us safe.
mrkgnao: So what's the status of this, Starkrun? Is the 0-day still there?
Starkrun: The latest patch (2.0.20) from Aug 19th says: added checks that ensure the loaded .DLLs are genuine.

So that looks like the fix to keep us safe.
Thanks.
mrkgnao: So what's the status of this, Starkrun? Is the 0-day still there?
Starkrun: The latest patch (2.0.20) from Aug 19th says: added checks that ensure the loaded .DLLs are genuine.

So that looks like the fix to keep us safe.
No. The original article at https://www.positronsecurity.com/blog/2020-08-13-gog-galaxy_client-local-privilege-escalation_deuce/ has been updated. And patch 2.0.20 does not fix this issue.
nessingen: No. The original article at https://www.positronsecurity.com/blog/2020-08-13-gog-galaxy_client-local-privilege-escalation_deuce/ has been updated. And patch 2.0.20 does not fix this issue.
GOG are such clowns. The guy informs them every step of the way and they still don't act.
I don't even have the energy to curse about this anymore....