Steam, a popular video game platform, is vulnerable to privilege escalation attacks. On Windows PCs, Steam creates installation directories with improper permissions.
This can let a user, an attacker, or worse, malware abuse Steam executables to escalate privileges.
This week, Will Dormann, a vulnerability analyst at CERT/CC, tweeted “You probably shouldn’t make your install dir world-writable. Unexpected stuff could happen.”
In his tweet, Dormann was referring to how his vulnerability report on the issue was closed by Valve—the company behind Steam.
According to Dormann, the company said that “file placement” attacks were out of scope and closed his vulnerability report without further action.
The analyst further advised in the same thread, “Don’t run games on systems you care about, folks.”
“My bug was marked duplicate of a bug that was closed a year and a half ago. I don’t get the impression that they’re fixing it.”
On digging deeper, it seems Steam has previously received similar reports of privilege escalation vulnerabilities, either via Windows registry attacks or through file permissions, all of which were dismissed.
For example, an advisory for a five-year-old vulnerability, CVE-2015-7985, states that the weak default permissions on Steam installation folders grant Windows users in a group both read and write access.
This means an attacker or a malicious program can modify or replace steam.exe with an arbitrary malicious binary.
Since steam.exe typically launches itself automatically on start, if an administrator were to log onto a shared system, the malicious code (now disguised as steam.exe) would execute with full admin rights, which can wreak havoc on the system and the network it is connected to.
Likewise, another user had tweeted last year how Steam’s VDF files could be abused to launch arbitrary executables and gain persistence.
It does not appear the company plans on fixing these trivially fixable, yet serious flaws anytime soon.
In the meantime, users should refrain from installing Steam on mission-critical systems.
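For administrators who want to check a machine for the condition the CVE-2015-7985 advisory describes, the following PowerShell function is an added example (not code from Valve, CERT/CC or the advisory). It lists ACL entries that give broad, non-admin groups write access to an install directory and its top-level executables; the function name and the -InstallDir parameter are assumptions, and the install path must be supplied by the caller because the article does not state it.

```powershell
# Added example: report ACL entries that let broad groups modify an install
# directory or replace the executables in it.
function Get-WeakInstallDirAcl {
    param(
        # Assumption: caller supplies the install path (not given in the article).
        [Parameter(Mandatory)][string]$InstallDir
    )

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

    # File-specific rights that allow modifying or replacing content.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]`
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Some ACEs store generic rights instead: GENERIC_WRITE | GENERIC_ALL.
    $genericMask = 0x50000000

    # Check the directory itself plus the executables directly inside it.
    $targets = @(Get-Item -LiteralPath $InstallDir) +
               @(Get-ChildItem -LiteralPath $InstallDir -Filter '*.exe' -File)

    foreach ($item in $targets) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            # Deny entries are not evaluated here, so review each hit manually.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }

            $rights = [int]$rule.FileSystemRights
            if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $rule.IdentityReference.Translate(
                                    [System.Security.Principal.NTAccount]).Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Usage (placeholder path):
# Get-WeakInstallDirAcl -InstallDir '<install directory>' | Format-Table -AutoSize
```

An empty result means none of the listed broad groups holds an Allow entry with write-type rights on the directory or its top-level .exe files.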
Security Report reached out to Valve for comment but we did not hear back.