According to the latest rumors, the Steam gaming platform is facing a zero-day vulnerability that could put up to 72 million Windows users at risk. If this vulnerability is successfully exploited, attackers could gain access to users' systems and install malicious software, steal data, compromise passwords, and more.
A security researcher named Vasily Kravets discovered this vulnerability only 45 days after submitting his report to Valve, the developer and owner of Steam. Typically, researchers wait 90 days before making a vulnerability public to give software developers a time frame to fix the problem.
The vulnerability identified by Kravets is a potential privilege escalation that allows an attacker with limited user rights to gain the same privileges as a system administrator. This poses a real threat because attackers can use these elevated privileges to run malware and perform other malicious activities. Kravets highlighted the severity of this vulnerability, stating:
“Even without administrator rights, some threats remain active. With elevated privileges, malware can significantly increase risk by disabling antivirus, hiding in the system, and altering or stealing personal data.”
The vulnerability affects the Steam client service, which runs with full privileges on the Windows operating system. Kravets found a way to change the system registry so that the Steam service can be used to run other applications with the same privilege level.
Unfortunately, the concept code has already been made available to a security researcher named Matt Nelson, which makes this vulnerability even more severe as attackers are now
know how to use it.
The reason this vulnerability has not yet been fixed is because Kravets originally reported it through the HackerOne bounty program. His report was rejected because it required "the ability to drag and drop files to arbitrary locations on the user's file system", which violated the rules of the program. After being convinced by Kravets that the vulnerability was serious, his report was submitted to Valve, but ultimately rejected a few weeks later.
Now that the concept code has been published, there is a real threat of this vulnerability being exploited by attackers in the near future.
To prevent exposure to risk, users are advised to follow standard security measures, such as using licensed software, unique passwords for different services, using two-factor authentication, and installing the latest updates and patches for the Windows operating system. These measures will help reduce the chance of this vulnerability being exploited because attackers need access to the system in order to exploit it.