Originally Posted by jimnms
(the Steam client itself is not running with admin privileges).
The Steam client has Local System privilege which exceeds that of Administrator. And it has (and needs) network access which makes it far easier to exploit remotely than a game (or other program) with Admin privilege and no network access.
Originally Posted by jimnms
UAC is not designed to "annoy programmers and users into storing data outside the Program Files folder." It is designed to separate programs running with user access and full system access.
That was certainly Microsoft's intention. And if not, then why doesn't UAC allow users to define exceptions for older programs? Why does it alert on trivialities like creating junctions within Program Files? And why doesn't it alert on common malware techniques like dual-extension files (still very much in use thanks to Microsoft's default "hide file extensions" setting)?
Originally Posted by jimnms
The Steam service has a signed security certificate. If some kind of malware or virus infects it, you will know...
Not if code is injected via an overflow they won't. And if intruders breach Valve's security to the extent of being able to obtain their private key, they can sign any changes they make as if they came from Valve (as happened with Adobe).
Originally Posted by jimnms
GOG's games aren't signed, and having users run them as admin won't know if they become infected.
Well, Steam's games are in a similar position. But the main risk is the client software used to access them which is compulsory for Steam and optional for GOG (and just to make things clear, I would not recommend running GOG's downloader since that requires higher privileges - including loading multiple drivers - than a downloader should in my eyes).
Originally Posted by jimnms
...You standing up for GOG's lack of security concern and setting every program up to run with administrator privileges, while blasting Steam for having a digitally signed service running just shows your bias against Steam.
I'm biased against any service that requires the use of client software that can be remotely compromised. Steam is clearly the most popular but I don't doubt that similar comments could be made about other services like GameFly, GameTap or GamersGate. Desura requires a client to create an account, but thankfully you can get rid of it thereafter and download most content using a browser.

However, D:OS is not available on these services, which is why you are only reading comments from me about Steam.

Last edited by Stargazer; 04/07/14 01:47 AM.