- Valve fixed a Steam privilege escalation zero-day that they first deemed as “non-applicable” and “out of scope”.
- The hacker who reported the flaw to them thinks that the fix isn’t really effective, and can be bypassed.
- Gamers are urged to think about the launchers they are using, and run games as unprivileged users.
Security researcher Vasily Kravets sent an urgent notice to Valve on June 15, detailing a zero-day vulnerability in the Steam Client Service. The flaw allows an attacker to run a program with the highest possible admin rights on any Windows 10 machine that has the Steam Client installed. The number of Steam accounts is about a billion, while the number of daily active users is just shy of a hundred million, so we’re talking about a grave risk with an extensive attack surface.
Despite that, Valve dismissed the researcher’s report, categorizing the bug as “not applicable” and refusing to pay Kravets any bounty for his finding. Valve initially refused to fix the zero-day because they believed the attacker would need physical access to the target machine. Kravets objected and asked another HackerOne member to try the proof of concept and report it to Valve again. This second attempt was rejected too, so it looked like Valve wasn’t planning to fix a severe privilege escalation flaw that put so many individuals at risk.
With 45 days having passed, Kravets made the flaw public last week, and Valve was more or less forced to act, so they rolled out an update for the Steam Client Service. Valve described the fix as “addressing a privilege escalation exploit using symbolic links in the Windows registry”: the service now checks for registry symlinks by iterating through the subkeys under the Steam key and querying each for a “SymbolicLinkValue” value. While the researcher said Valve did the right thing, he still believes this particular fix can be easily bypassed.
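As an added illustration (not Valve’s code and not from the article’s author), the PowerShell function below performs the kind of check the article describes: it lists a key’s direct subkeys, opens each with REG_OPTION_OPEN_LINK so the link itself is returned instead of its target, and reads the SymbolicLinkValue. The hive and key path are parameters because the article does not give the Steam key’s location; the RegAudit namespace, the Find-RegistrySymlink name and the placeholder path are assumptions of this example.

```powershell
# Added example: audit the direct subkeys of a registry key for registry symbolic links.
# Run from an elevated PowerShell on Windows; requires .NET 4.x or later for RegistryKey.Handle.
Add-Type -Namespace RegAudit -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, int options, int sam, out IntPtr result);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string name, IntPtr reserved, out int type, byte[] data, ref int size);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

function Find-RegistrySymlink {
    param(
        [Parameter(Mandatory)][ValidateSet('LocalMachine', 'CurrentUser')][string]$Hive,
        [Parameter(Mandatory)][string]$SubKey   # path below the hive, e.g. 'SOFTWARE\Vendor\Product'
    )
    $REG_OPTION_OPEN_LINK = 0x8       # open the link itself instead of following it
    $KEY_READ             = 0x20019
    $REG_LINK             = 6         # value type that a genuine SymbolicLinkValue carries

    $parent = [Microsoft.Win32.Registry]::$Hive.OpenSubKey($SubKey)
    if (-not $parent) { throw "Key $Hive\$SubKey not found" }
    foreach ($name in $parent.GetSubKeyNames()) {
        $h = [IntPtr]::Zero
        $rc = [RegAudit.Native]::RegOpenKeyExW($parent.Handle.DangerousGetHandle(), $name,
                                               $REG_OPTION_OPEN_LINK, $KEY_READ, [ref]$h)
        if ($rc -ne 0) { continue }    # e.g. access denied: skip this subkey, keep auditing
        try {
            $type = 0; $buf = New-Object byte[] 2048; $size = $buf.Length
            $rc = [RegAudit.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero,
                                                      [ref]$type, $buf, [ref]$size)
            # A normal key has no SymbolicLinkValue; only a REG_LINK typed one marks a real link.
            if ($rc -eq 0 -and $type -eq $REG_LINK) {
                [pscustomobject]@{
                    Link   = "$Hive\$SubKey\$name"
                    Target = [Text.Encoding]::Unicode.GetString($buf, 0, $size)  # UTF-16, no terminator
                }
            }
        } finally { [void][RegAudit.Native]::RegCloseKey($h) }
    }
    $parent.Close()
}

# Usage (placeholder path; substitute the key you want to audit):
# Find-RegistrySymlink -Hive LocalMachine -SubKey 'SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_PRODUCT'
```

Like the fix described in the article, this checks only one level of subkeys; call it again on each child key if you want the audit to descend further.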
It seems we have been heard. Thanks to everyone who helped by sharing the report.
Nice to see the right move from Valve.
— Felix aka [xi-tauw] (@PsiDragon) August 10, 2019
With the situation still developing, more fixes for the Steam Client Service are bound to follow soon, and malicious actors will surely try to use the disclosed proof of concept to launch attacks. What gamers can do to stay protected is to not give admin rights to game executables, keep Windows “User Account Control” (UAC) enabled, and avoid installing games from small, new, and unknown developers. As the researcher points out, Steam is intrinsically a security risk for your computer, since it allows thousands of third-party programs to run on your system with high privileges.