Valve's popular PC gaming platform Steam is vulnerable to an extremely damaging zero-day security vulnerability, experts warn.
According to the new findings, an attacker could take over the systems of 72 million Windows users and then install malware, steal data, compromise passwords, and more.
Security researcher Vasily Kravets discovered a privilege escalation vulnerability that would allow an attacker with minimal user permissions to gain the same access levels as the administrator. system.
A threat actor could take advantage of a malware launch by using these elevated privileges, Kravets said explaining:
"Some of the threats will run even without administrator rights." The high rights of malware can greatly increase the risk, programs could disable antivirus, use dark and deep areas to hide and change almost all threats. files of any user, or even steal private data "
Steam customer service
The vulnerability itself affects the Steam client service that starts with full system privileges in Windows. Kravets has discovered a way to modify the system registry so that the Steam service can be used to run another application, but with the same elevated privileges.
Unfortunately, the proof-of-concept code has already been made available by security researcher Matt Nelson, further exacerbating the vulnerability because would-be attackers now know how to exploit it.
Kravets disclosed their findings just 45 days after submitting their report to Valve. Researchers typically wait 90 days to publicly disclose a vulnerability, giving them time to repair vulnerabilities in their software.
The vulnerability has yet to be fixed, as it was initially reported by Kravets with the help of the HackerOne bug removal system. His report was initially rejected by HackerOne, because the attack required "the ability to archive files to arbitrary locations on the user's file system," according to The Register. After Kravets convinced HackerOne that the vulnerability was valid and serious, their report was sent to Valve and rejected again a few weeks later.
Since the validation code has already been published, the vulnerability is likely to be exploited soon.
To avoid becoming a victim of the attack, users are advised to follow standard security protocols, including not using pirated software, not reusing passwords for multiple sites and services, using two-factor authentication, and applying the latest updates and patches from the system, because an attacker would need access to a user's system to exploit the vulnerability in the first place.
Source: Forbes