A SECURITY BOFFIN claims to have uncovered a "severe" zero-day vulnerability in the Windows client of the Steam gaming service.
The vulnerability lies within the Steam Client Service and could enable any user to run arbitrary code with LocalSystem privileges by using only a few commands.
Vasily Kravets, the researcher who first noticed the flaw, says it can be easily exploited by unprivileged users to start/stop the Steam Client Service.
Because the service automatically sets permissions on different registry keys, a malicious user can 'symlink' one of those keys to a key belonging to another service. That makes the user able to start/stop that other service as well.
According to Kravets, he first reported the flaw to Valve Software, Steam's developer, on 15 June via HackerOne, providing a "text description and a proof-of-concept as an executable file".
The next day, Kravets received a message saying that his report had been rejected as out-of-scope because it fell under "attacks that require the ability to drop files in arbitrary locations on the user's filesystem".
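A defender's audit for the condition described above, as an added example that is not from the article or from Kravets's proof-of-concept: it lists registry keys under a subtree on which unprivileged principals hold rights to modify the key or create a link in it. The `$Root` path is a placeholder, and the selection of principals and rights is this example's assumption.

```powershell
# Added example. $Root is a hypothetical placeholder: point it at the registry
# subtree that the service under review writes to.
param(
    [string]$Root = 'HKLM:\SOFTWARE\ExampleVendor'
)

# Well-known SIDs that include ordinary, unprivileged users (locale-independent).
$lowPriv = @(
    'S-1-1-0',       # Everyone
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let a principal change a key, re-ACL it, or create a link in it.
$risky = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
# Generic bits sometimes stored in inheritable ACEs: GENERIC_ALL, GENERIC_WRITE.
$risky = $risky -bor 0x10000000 -bor 0x40000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$keys = @(Get-Item -Path $Root -ErrorAction Stop) +
        @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($key in $keys) {
    # Skip keys whose ACL the current account is not allowed to read.
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $granted = [int]$ace.RegistryRights -band $risky
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            $granted -ne 0) {
            [pscustomobject]@{
                Key       = $key.Name
                Sid       = $ace.IdentityReference.Value
                Rights    = [System.Security.AccessControl.RegistryRights]$granted
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Key, Sid | Format-Table -AutoSize -Wrap
```

An empty result means no key in the subtree grants those rights to the listed principals; any row under a key that a LocalSystem service manages is worth reviewing.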
Kravets says he argued his case with HackerOne's security staff, wrote some more comments in his report, and then a second HackerOne member tried to reproduce the exploit.
He confirmed the issue and sent it to the security team at Valve Software.
But on 30 July, Kravets received another message from a third HackerOne employee stating that the vulnerability reported by him was out-of-scope.
This time, the reasons given for rejection were "attacks that require the ability to drop files in arbitrary locations on the user's filesystem" and "attacks that require physical access to the user's device".
After a second rejection, Vasily decided to disclose the vulnerability publicly. He notified HackerOne about it and warned that he'd disclose the flaw after 30 July.
On 2 August, he received a message from another HackerOne employee, who forbade Vasily from disclosing the vulnerability.
Nevertheless, Vasily finally went public on 7 August, with the hope that it "will bring Steam developers to make some security improvements".
Vasily said that he is very disappointed to see that a big firm like Valve Software talks big about security but in reality does very little until forced to do so.
It is worth noting that earlier this year, security researchers reported a vulnerability on the Steam platform that made it possible for threat actors to take over user accounts, steal confidential data, and infect the victim's systems with malware. µ