A Security Vulnerability in Steam's Windows Client Puts Gamers at Risk
Many people who aren't entirely aware of how software works would be ready to start pulling their hair out if they heard that a major online gaming platform with millions of users suffers from a severe security vulnerability. Those who know the industry well will tell you, however, that this is neither uncommon nor particularly scary. When they hear that the platform's developer is in no hurry to fix the issue, though, they will tell you that things are not looking good.
As many of you might have guessed already, we're talking about Steam. A white hat hacker by the name of Vasily Kravets discovered that an attacker can abuse Steam to run malicious code with SYSTEM-level privileges on Windows machines. According to Kravets, the vulnerability is easy to find and, more worryingly, easy to exploit.
Steam's Windows platform has a severe escalation-of-privilege vulnerability
Kravets found the hole while examining Steam Client Service, a Windows service installed by Steam's Windows client. Each time the service starts, it enumerates the subkeys under HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps and rewrites their security descriptors. The descriptors it writes grant the built-in Users group full control over every one of those keys, so any logged-on user can modify them, regardless of whether or not they have administrative rights.
Kravets realized that a standard user can create a new subkey under Apps that is a registry symbolic link pointing at the registry key of the Windows Installer service (msiserver). When Steam Client Service next starts, it follows the link and applies the permissive descriptor to the service's key itself, which now lets the attacker change the service's configuration, point its executable path at a file of their choosing and start the service. Because Windows Installer runs as Local System, the attacker's file is launched with SYSTEM privileges, and since no elevation is ever requested, the User Account Control (UAC) prompt that normally lets you choose whether an app may make changes to your computer never appears.
Put simply, the vulnerability lets any code already running as a non-admin user, whether a malicious person at the keyboard or malware that has gained a foothold in a standard account, run files with SYSTEM privileges. This means that it can install all sorts of malware, including ransomware, password stealers, and banking trojans, without the restrictions a standard account is supposed to impose. Kravets tested and successfully exploited the vulnerability on several different Windows machines running various versions of Microsoft's operating system. Even if you use the latest Windows 10 build with all the security updates installed, you can be attacked.
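To check a machine for the two conditions described above, the following PowerShell audit script can be run on a Windows box with Steam installed. It is an added example written for this article, not code from Kravets, Nelson or Valve. It reports (1) any Allow ACE on the Steam Apps key or one of its immediate subkeys that gives full control to a non-administrative principal, and (2) any subkey under Apps that is a registry symbolic link, which is the primitive the attack relies on. The registry path is the one named in the article; the well-known SIDs for Everyone, Authenticated Users, Users and INTERACTIVE are assumed to be the principals that matter, and the small P/Invoke helper is needed because .NET's RegistryKey cannot open a link key without following it.

```powershell
# Added audit script for the Steam Client Service registry issue described above.
# Not code from the article, Kravets, Nelson or Valve. Read-only: it never changes a key.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class RegLink
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegOpenKeyExW(IntPtr hKey, string subKey, uint options, int sam, out IntPtr result);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryValueExW(IntPtr hKey, string valueName, IntPtr reserved,
                                       out uint type, byte[] data, ref uint cbData);
    [DllImport("advapi32.dll")]
    static extern int RegCloseKey(IntPtr hKey);

    // HKEY_LOCAL_MACHINE; predefined handles are sign-extended on 64-bit Windows.
    static readonly IntPtr HKLM = new IntPtr(unchecked((int)0x80000002));
    const uint REG_OPTION_OPEN_LINK = 0x8;   // open the link itself, do not follow it
    const int  KEY_READ  = 0x20019;
    const uint REG_LINK  = 6;

    // Returns the link target of an HKLM-relative subkey, or null if it is an ordinary key.
    public static string GetLinkTarget(string subKey)
    {
        IntPtr h;
        if (RegOpenKeyExW(HKLM, subKey, REG_OPTION_OPEN_LINK, KEY_READ, out h) != 0) return null;
        try
        {
            uint type, cb = 0;
            // Sizing call; an ordinary key has no SymbolicLinkValue and fails here.
            if (RegQueryValueExW(h, "SymbolicLinkValue", IntPtr.Zero, out type, null, ref cb) != 0) return null;
            if (type != REG_LINK) return null;
            byte[] buf = new byte[cb];
            if (RegQueryValueExW(h, "SymbolicLinkValue", IntPtr.Zero, out type, buf, ref cb) != 0) return null;
            return Encoding.Unicode.GetString(buf, 0, (int)cb).TrimEnd('\0');
        }
        finally { RegCloseKey(h); }
    }
}
'@

# Key path from the article. HKLM-relative so it can be passed to the Win32 helper.
$AppsKey = 'SOFTWARE\Wow6432Node\Valve\Steam\Apps'

# Assumed set of "any non-admin user" principals, compared by SID so localized names do not matter:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-BroadFullControl {
    param([string]$RegistryPath)   # provider path, e.g. HKLM:\SOFTWARE\...\Apps\123
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $RegistryPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $full) -ne $full) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or untranslatable SID
        if ($BroadSids -contains $sid) {
            [pscustomobject]@{ Key = $RegistryPath; Principal = $ace.IdentityReference.Value; Sid = $sid }
        }
    }
}

function Invoke-SteamRegistryAudit {
    $root = "HKLM:\$AppsKey"
    if (-not (Test-Path -LiteralPath $root)) { Write-Host 'Steam Apps key not present; nothing to audit.'; return }
    $names = (Get-Item -LiteralPath $root).GetSubKeyNames()

    # 1. Permissive DACLs on the Apps key and its direct children.
    foreach ($k in (@($root) + @($names | ForEach-Object { "$root\$_" }))) {
        foreach ($f in Get-BroadFullControl -RegistryPath $k) {
            Write-Host ('FullControl for {0} ({1}) on {2}' -f $f.Principal, $f.Sid, $f.Key)
        }
    }

    # 2. Subkeys that are registry symbolic links. Enumeration lists a link under its own name,
    #    but opening it the normal way lands in the target, so open it with REG_OPTION_OPEN_LINK.
    foreach ($name in $names) {
        $target = [RegLink]::GetLinkTarget("$AppsKey\$name")
        if ($target) { Write-Host ('SYMLINK: {0}\{1} -> {2}' -f $AppsKey, $name, $target) }
    }
}

Invoke-SteamRegistryAudit
```

Reading security descriptors only needs READ_CONTROL, which standard users normally hold on HKLM keys, so the script does not need an elevated prompt. Full control for Administrators and SYSTEM is normal and is not reported; a FullControl line for BUILTIN\Users on these keys, or any SYMLINK line at all, is the condition the article describes and is worth investigating, in particular when the link target is a path under \Registry\Machine\SYSTEM.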
Since Windows is the operating system of choice for most gamers, the vast majority of Steam's 90 million monthly active users are affected. This makes Valve's reaction all the stranger.
The vulnerability has yet to be patched
Immediately after discovering the flaw, Kravets used Steam's bug bounty program to try to disclose the vulnerability responsibly and help with the fix. The program is run on HackerOne, whose triage staff handle incoming reports before deciding whether or not to forward them to Valve, Steam's developer. One of the triagers judged that the vulnerability was beyond the scope of the bug bounty program and closed the report without forwarding it. Kravets pressed on and managed to get his report reviewed again, and this time it was forwarded to Valve. Unfortunately, shortly afterwards, the developer of the world's most popular game distribution platform also said that it would not process the report further. Once again, the argument was that attacks which require physical access to the victim's device, or the ability to drop files in arbitrary locations on it, are not covered by the bug bounty program. As a result, even though the flaw was first reported through HackerOne on June 15, right now, close to two months later, it is still not fixed in Steam's official Windows client.
Although Valve opted not to act on Kravets' report, HackerOne tried to stop him from publicly disclosing his findings. The hacker, however, decided that the world needs to learn about the bug, and last week his report went public. Another security researcher, Matt Nelson, has apparently worked on the same bug as well, and he too seems unhappy with the way Valve is handling the issue. On August 7, mere hours after Kravets published his report, Nelson uploaded proof-of-concept code to GitHub that can be used to exploit the vulnerability. In other words, anyone with a browser can now learn how your Steam client can be abused.
Apparently, this was enough for Valve to finally spring into action. On Saturday, Steam's beta client was updated, and the release notes claim that the new version also comes with a patch for Kravets' vulnerability. Hopefully, the fix will soon be available on the official version as well. This, mind you, will do nothing to change the fact that Valve didn't treat the problem with the respect it deserved.