DISCLAIMER: I know nothing about programming and such, so forgive me if I fail to understand fundamental stuff here.

Just stumbled upon a bunch of articles claiming a serious exploit has been found with a logging utility called Log4j which presumably allows attackers to freely execute code on your computer. Here's a link to one article:
https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

Most articles I've read have mentioned that this Log4j tool is part of loads of programs - Minecraft and Steam are explicitly mentioned in most articles, though I've seen Valve staff say that Steam should be safe.

Now, since I have zero programming knowledge, I'm wondering if we could get any official comment by GOG staff on whether GOG Galaxy is safe to use right now (I have no idea if Galaxy even uses Log4j, though).

Looking into this thing, I've seen some articles on the web referring to previous instances where GOG were informed of exploits and reacted insufficiently, both in terms of fixing the exploits and communicating with the people who brought those exploits to GOG's attention (see https://www.positronsecurity.com/blog/2020-08-13-gog-galaxy_client-local-privilege-escalation_deuce/ ). So I'm kinda worried now that Galaxy might be open to this exploit and we'll never know because GOG is terrible at communicating. Perhaps in lieu of an official response, some tech-savvy GOG user could look into this, even if it's just to warn other users?
The bit of Steam that is affected is Valve's servers, not the client.

The GOG Galaxy client doesn't use Java, so it is not affected. I can't speak for the server backend, or for any of the individual games.

That being said, auto updating of games could cause all manner of nastiness if GOG's update server gets compromised.

Post edited December 12, 2021 by Mortius1
From just looking around Minecraft and the community support there (which I help out with sometimes in various locations, and I've met more people who know more details), it seems to only affect whatever is using Java systems.
Thank you both for clarifying! I wouldn't have even known how to check if Galaxy uses Java.
oh modular plugin programming so secure as usual :)