Researcher shut out of bounty program releases 2nd disclosure publicly
Valve recently issued fixes on its beta channel for the privilege escalation vulnerabilities that security researcher Vasily Kravets discovered in its Steam client.
Kravets publicly disclosed the zero-day exploit after being shut out of Valve’s HackerOne bug bounty program.
The company has now acknowledged its mistake and revised its rules to explicitly state that these issues are in scope and should be reported.
This all came about after Vasily Kravets and a colleague disclosed another zero-day two weeks ago, a finding that Valve disputed.
The flaw, known as CVE-2019-14743, affects Windows versions of the client and concerns a privilege escalation bug that makes it possible for other apps and potentially malware on a user’s computer to run code with system privileges. As a result, a threat actor could exploit this vulnerability remotely and execute malicious code on the target device by using Steam’s system rights and elevating its permissions.
maximum privileges can lead to much more disastrous consequences,” Kravets wrote. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft [of] any PC user’s private data — is just a small portion of what could
The Steam storefront has over 90 million active monthly users, with Windows users accounting for nearly 97 percent of all digital PC game downloads.
Although Valve initially declined to resolve the first vulnerability, Kravets’ public disclosure of the zero-day exploit prompted the company to issue a fix on August 9, 2019. Unfortunately, the patch didn’t solve the problem. Researcher Xiaoyin Liu published a detailed write-up explaining how the fix could be bypassed in order to exploit the flaw again.
The second zero-day exploit stems from leveraging the Steam client’s admin permissions to make changes to the Steam installation folder structure and inject a malicious executable.
Kravets sums up the issue of Valve’s indifferent attitude to privilege escalation perfectly. “It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges,” Kravets noted. “Are you sure that a free game made of garbage by an unknown developer will behave honestly?”
Let’s hope this most recent patch successfully closes the hole.