
as a player with thousands of hours in csgo, here's my take:

right from the get go, the authors made it clear that each of the rces requires a user to connect to a malicious server. the only scenario where this is possible is if the user connects to one of the community servers.

while community servers have been the backbone of previous cs titles, it is far from the main place the majority of players connect to to play the game. the only major exception being third-party matchmaking systems such as faceit and esea, where the connection is handled directly by each service.

so the scope of the exploit in the vast majority of cases would be for a very minor set of the playerbase or unless exploiters hack faceit/esea servers.

at the same time, the community servers have had a shady relationship with valve, where some of them allow you to try any skin in the game from server-side. i believe things like that played a part in why valve did not bother much with supporting them with the current game, especially with the ui for connecting to them barely updated since cs 1.6 two decades ago.

moreover, the exploits listed are not by themselves enough to inject a payload to a victim's computer. the game itself runs in user mode and the client-sided commands are usually game specific.

overall, while i support the efforts made, the potential impact has been overblown in interpretation. i can see why valve took so long to fix these.


